[syslog-ng] Missing messages
Peter Eckel
lists at eckel-edv.de
Mon Jul 1 13:21:50 UTC 2019
Hi Attila,
> Yes, you can use the same port for UDP and TCP.
while you *can* do that, you probably *should* not.
TCP/514 is the registered port for rsh (remote shell, an ancient ancestor of ssh without encryption).
There is no official registered port for syslog over TCP (https://tools.ietf.org/html/rfc6587), but a common practice (which I've been following as well for years without any collisions so far) is to use port 601, which is registered for syslog-conn. (http://networksorcery.com/enp/protocol/syslog.htm). The RFC also mentions using 514 plus a multiple of 1000 for the port number, i.e. 1514, 2514, ..., as a viable option.
> It would look something like this, in your config:
>
> source s_net {
> syslog(ip(0.0.0.0) transport("udp") port(514));
> syslog(ip(0.0.0.0) transport("tcp") port(514));
> };
So I'd change that to
source s_net {
    # 514/udp is the registered syslog port, so UDP can stay where it is
    syslog(ip(0.0.0.0) transport("udp") port(514));
    # 601/tcp is registered as syslog-conn; 514/tcp belongs to rsh
    syslog(ip(0.0.0.0) transport("tcp") port(601));
};
to be on the safe side. While rsh is somewhat out of fashion these days, auditors that find an open TCP port 514 tend to at least ask questions about it :-)
Best regards,
Peter.
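As an added example (not part of Peter's message and not a syslog-ng tool), the port guidance from the thread turned into a small checker for a syslog-ng source block: it pulls each syslog() driver's transport and port out of the config text and flags TCP on 514 as a collision with rsh, while accepting 514/udp, 601/tcp (syslog-conn) and the 514 + n*1000 convention from RFC 6587. The two sample configs are constructed here from the ones in the thread; the regexes only handle the explicit transport()/port() form shown there, and anything else is reported as unspecified rather than guessed from driver defaults.

```python
import re

# Constructed samples: the config as posted in the thread, and the corrected version.
UNSAFE_CFG = """
source s_net {
    syslog(ip(0.0.0.0) transport("udp") port(514));
    syslog(ip(0.0.0.0) transport("tcp") port(514));
};
"""

SAFE_CFG = """
source s_net {
    syslog(ip(0.0.0.0) transport("udp") port(514));
    syslog(ip(0.0.0.0) transport("tcp") port(601));
};
"""

# One syslog(...) driver per match; the inner argument list is group 1.
DRIVER_RE = re.compile(r'\bsyslog\s*\(([^;]*)\)\s*;')
TRANSPORT_RE = re.compile(r'transport\s*\(\s*"(\w+)"\s*\)')
PORT_RE = re.compile(r'port\s*\(\s*(\d+)\s*\)')


def parse_listeners(cfg):
    """Return a list of (transport, port) for every syslog() driver in cfg.

    transport is lower-cased; either value is None when not written explicitly.
    """
    listeners = []
    for m in DRIVER_RE.finditer(cfg):
        args = m.group(1)
        t = TRANSPORT_RE.search(args)
        p = PORT_RE.search(args)
        listeners.append((t.group(1).lower() if t else None,
                          int(p.group(1)) if p else None))
    return listeners


def classify(transport, port):
    """Map one listener to (verdict, reason) using the port assignments cited in the thread."""
    if transport is None or port is None:
        return ("unspecified", "transport or port not explicit; relies on driver defaults")
    if transport == "udp" and port == 514:
        return ("ok", "514/udp is the registered syslog port")
    if transport == "tcp":
        if port == 514:
            return ("collision", "514/tcp is registered to shell (rsh); auditors will ask about it")
        if port == 601:
            return ("ok", "601/tcp is registered as syslog-conn")
        if port > 514 and port % 1000 == 514:
            return ("ok", "514 + n*1000 convention mentioned in RFC 6587")
    return ("unregistered", "no registration known here for this transport/port pair")


def check_config(cfg):
    """Return [(transport, port, verdict, reason)] for each listener in cfg."""
    return [(t, p) + classify(t, p) for t, p in parse_listeners(cfg)]


def has_collision(cfg):
    """True if any listener in cfg sits on a port registered to another service."""
    return any(verdict == "collision" for _, _, verdict, _ in check_config(cfg))


if __name__ == "__main__":
    for name, cfg in (("posted", UNSAFE_CFG), ("corrected", SAFE_CFG)):
        print(f"--- {name} ---")
        for t, p, verdict, reason in check_config(cfg):
            print(f"{t}/{p}: {verdict} ({reason})")
```

Running it against the posted config reports the tcp/514 listener as a collision and everything in the corrected config as ok; it is a text check only, so it says nothing about what is actually bound on the host.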