[syslog-ng] syslog-ng Digest, Vol 166, Issue 8

Nagy, Gábor gabor.nagy at oneidentity.com
Mon Feb 25 09:13:33 UTC 2019


Hello Nathan!

This topic is also discussed in:
https://lists.balabit.hu/pipermail/syslog-ng/2019-February/025068.html

You can't avoid having 2 sources, as udp and tcp need 2 different
drivers.
However, you can use 1 driver for TCP messages, both RFC3164 and RFC5424, if
you use the network() driver with flags(syslog-protocol).

The question is how the RFC5424 logs are sent over: if they are sent
according to RFC6587 (as the syslog() destination driver does), they will be
prefixed with a message length value:
110 <13>1 2019-02-01T09:44:21.386965+01:00 somehost somemachine - -
[timeQuality tzKnown="1" isSynced="0"] RFC5424 format message
https://tools.ietf.org/html/rfc6587

Regards,
Gabor

On Sun, Feb 24, 2019 at 3:56 PM Nathan Fish <lordcirth at gmail.com> wrote:

> Could you please clarify why the sources don't know what protocol they
> are sending? Are they relaying from other unknown sources?
>
> > Date: Sun, 24 Feb 2019 01:07:01 +0000 (UTC)
> > From: Carlan Philippe <philrmls at yahoo.fr>
> > To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
> > Subject: [syslog-ng] Syslog-ng setup for both RFC3164 and RFC5424
> > Message-ID: <1313969407.6661190.1550970421020 at mail.yahoo.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi all,
> > Is there a way to configure syslog-ng to process properly both RFC3164
> and RFC5424 on the same listening port?
> > The scenario is a bunch of devices sending traffic to one syslog server
> port (both udp + tcp) with the senders typically not knowing what protocol
> they are sending.
> > We are running syslog-ng 3.13 with this setup:
> > source s_syslog { udp(ip(0.0.0.0) port(514));
> >                   tcp(ip(0.0.0.0) port(514)); };
> >
> >  If needed we could upgrade syslog-ng to 3.19.1 but having checked the
> doc for 3.19, it seems that the solution would be to create 2 source
> entries, 1 for RFC3164 with network() and 1 for RFC5424 with syslog().
> Nevertheless, these 2 sources would have to listen on *different* ports and
> that is the problem for us.
> > Note that we also have an identical issue with cisco traffic: since it's
> not RFC compliant, syslog-ng automatically adds a header with timestamp
> and hostname.
> >
> > Thank you.
>
>
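The single-port layout Gabor describes above, written out as an added configuration example (this is not a config from the thread or from the syslog-ng project): one network() driver per transport on the same port, with flags(syslog-protocol) on the TCP driver so it accepts unframed RFC5424 as well as RFC3164. The file destination, its path, and the source names are assumptions added for illustration.

```
# Added example, not from the thread. Both drivers bind port 514; only the
# transport differs, which is why two source entries are still needed.
source s_udp {
    network(ip(0.0.0.0) port(514) transport("udp"));
};

source s_tcp {
    # syslog-protocol: parse RFC5424 when present, without RFC6587 framing
    network(ip(0.0.0.0) port(514) transport("tcp") flags(syslog-protocol));
};

# Assumed destination so the sources are actually consumed.
destination d_all { file("/var/log/syslog-ng/all.log"); };

log { source(s_udp); source(s_tcp); destination(d_all); };
```

Gabor's caveat still applies to this layout: a sender that uses RFC6587 octet-counting (the framing the syslog() destination driver emits) puts a decimal length and a space in front of each message, so what arrives on the TCP driver is not a bare RFC5424 message.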