[syslog-ng] Syslog-ng setup for both RFC3164 and RFC5124

Scheidler, Bal√°zs balazs.scheidler at oneidentity.com
Sun Feb 24 19:06:11 UTC 2019


Also, check out the default-network-drivers() logic. You might not need the
whole stuff, but it's good to get ideas from.

It opens all relevant ports and processes both rfc3164/rfc5424 and cisco
traffic properly.

It is here:
https://github.com/balabit/syslog-ng/blob/master/scl/default-network-drivers/plugin.conf

default-network-drivers() can be extended using parsers automatically, so
that you only have a static configuration, and application adapters that
get deployed later on.

Bazsi

On Sun, Feb 24, 2019 at 4:30 PM Evan Rempel <erempel at uvic.ca> wrote:

> Yes, there is a flag "syslog-protocol" that will allow this. The rfc5124
> only applies to TCP, so the flag
> is only on the tcp source.
>
> Our configuration for the source is
>
> source s_network_udp {
>         network(localip(1.2.3.4) port(514) so_rcvbuf(33554432)
> log_fetch_limit(20000) log_iw_size(1000000) transport("udp")
> tags("unix_network") flags(no-multi-line) );
>         };
> source s_network_tcp {
>         network(localip(1.2.3.4) port(514) max_connections(5000)
> log_fetch_limit(20000) log_iw_size(1000000) transport("tcp")
> flags(no-multi-line,syslog-protocol) tags("unix_network") );
>         };
>
> Hope that helps.
>
> Evan.
>
>
>
>
> On 2/23/19 5:07 PM, Carlan Philippe wrote:
>
> Hi all,
>
> Is there a way to configure syslog-ng to process properly both RFC3164
> and RFC5124 on the same listening port ?
>
> The scenario is a bunch of devices sending traffic to one  syslog server
> port (both udp + tcp) with the senders typically not knowing what protocol
> they are sending.
>
> We are running syslog-ng 3.13 with this setup:
>
> source s_syslog { udp(ip(0.0.0.0) port(514)) ;
>                              tcp(ip(0.0.0.0)  port(514)); }
>
>
>  If needed we could upgrade syslog-ng to 3.19.1 but having checked the doc
> for 3.19, it seems that the solution would be to create 2 source entries, 1
> for RFC3164 with network() and 1 for RFC5124 with  syslog().
> Neverthless, these 2 sources would have to listen on *different* ports and
> that is the problem for us.
>
> Note that we also have an identical issue with cisco traffic, since it's
> not RFC compliant, syslog-ng adds automatically a header with  timestamp
> and hostname.
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190224/efdca7cb/attachment.html>


More information about the syslog-ng mailing list