[syslog-ng] Syslog-ng setup for both RFC3164 and RFC5124

Evan Rempel erempel at uvic.ca
Sun Feb 24 15:30:02 UTC 2019

Yes, there is a flag "syslog-protocol" that will allow this. The rfc5124
only applies to TCP, so the flag is only on the tcp source.

Our configuration for the source is

source s_network_udp {
         network(localip( port(514) so_rcvbuf(33554432) log_fetch_limit(20000) log_iw_size(1000000) transport("udp") tags("unix_network") flags(no-multi-line) );
};
source s_network_tcp {
         network(localip( port(514) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) transport("tcp") flags(no-multi-line,syslog-protocol) tags("unix_network") );
};

Hope that helps.


On 2/23/19 5:07 PM, Carlan Philippe wrote:
> Hi all,
> Is there a way to configure syslog-ng to process properly both RFC3164 
> and RFC5124 on the same listening port?
> The scenario is a bunch of devices sending traffic to one syslog 
> server port (both udp + tcp) with the senders typically not knowing 
> what protocol they are sending.
> We are running syslog-ng 3.13 with this setup:
> source s_syslog { udp(ip( port(514)) ;
>                              tcp(ip(  port(514)); }
> If needed we could upgrade syslog-ng to 3.19.1 but having checked the 
> doc for 3.19, it seems that the solution would be to create 2 source 
> entries, 1 for RFC3164 with network() and 1 for RFC5124 with 
> syslog(). Nevertheless, these 2 sources would have to listen on 
> *different* ports and that is the problem for us.
> Note that we also have an identical issue with cisco traffic, since 
> it's not RFC compliant, syslog-ng adds automatically a header with 
> timestamp and hostname.
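
When senders share one port and do not declare their format, it helps to survey what each device actually emits before settling on source flags. The following is an added example, not code from the thread or from the syslog-ng project: it tells the BSD (RFC3164) header from the newer IETF syslog-protocol header and flags anything else. The names `classify` and `survey` are hypothetical and all sample messages are constructed.

```python
import re
from collections import Counter

PRI = r"<(?P<pri>\d{1,3})>"  # facility * 8 + severity, valid range 0..191
# IETF syslog-protocol header: PRI, VERSION, space, ISO 8601 timestamp or "-".
IETF = re.compile(PRI + r"[1-9]\d{0,2} (?:-|\d{4}-\d{2}-\d{2}T\S+) ")
# BSD (RFC3164) header: PRI followed directly by "Mmm dd hh:mm:ss".
BSD = re.compile(PRI + r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
                 r" [ \d]\d \d{2}:\d{2}:\d{2} ")
# Octet-counted framing that some TCP senders use: "<length> <message>".
FRAME = re.compile(r"[1-9]\d* (?=<)")


def classify(msg: str) -> dict:
    """Classify one message that has already been split out of the stream."""
    framing = "plain"
    m = FRAME.match(msg)
    if m:
        framing, msg = "octet-counted", msg[m.end():]
    for name, rx in (("ietf", IETF), ("bsd", BSD)):
        m = rx.match(msg)
        if m and int(m["pri"]) <= 191:
            pri = int(m["pri"])
            return {"format": name, "framing": framing,
                    "facility": pri >> 3, "severity": pri & 7}
    # No usable header (for example a sequence number before the date).
    return {"format": "nonstandard", "framing": framing,
            "facility": None, "severity": None}


def survey(messages) -> Counter:
    """Count header formats across a capture, e.g. one capture per sender."""
    return Counter(classify(m)["format"] for m in messages)


# Constructed sample messages, not taken from the thread.
_IETF_MSG = "<165>1 2019-02-24T15:30:02Z host2 app - - - started"
SAMPLES = [
    "<34>Feb 24 15:30:02 host1 su: auth failure for user1",
    _IETF_MSG,
    f"{len(_IETF_MSG)} {_IETF_MSG}",
    "<189>45: *Feb 24 15:30:02.123: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s)["format"], "|", s)
    print(dict(survey(SAMPLES)))
```

Senders that land in the "nonstandard" bucket are the ones for which the receiver has to supply its own timestamp and hostname, as the original question notes.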
