[syslog-ng] Missing messages

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Mon Jul 1 13:50:30 UTC 2019


Hi Peter,

Thank you for correcting me! :)

For some reason, I misinterpreted the question of Bryan... Reading it back now, nowhere is it mentioned to have the TCP and UDP sources on the same port.

Although it is possible to work on the same 514 port (as we do with default-network-drivers), it is surely much safer to handle the TCP connections on 601.

Cheers,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Peter Eckel <lists at eckel-edv.de>
Sent: Monday, July 1, 2019 3:21:50 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Missing messages



Hi Attila,

> Yes, you can use the same port for UDP and TCP.

while you *can* do that, you probably *should* not.

TCP/514 is the registered port for rsh (remote shell, an ancient ancestor of ssh without encryption).

There is no official registered port for syslog over TCP (https://tools.ietf.org/html/rfc6587), but a common practice (which I've been following as well for years without any collisions so far) is to use port 601, which is registered for syslog-conn. (http://networksorcery.com/enp/protocol/syslog.htm). The RFC also mentions using 514 plus a multiple of 1000 for the port number, i.e. 1514, 2514, ..., as a viable option.

> It would look something like this, in your config:
>
> source s_net {
>   syslog(ip(0.0.0.0) transport("udp") port(514));
>   syslog(ip(0.0.0.0) transport("tcp") port(514));
> };

So I'd change that to

source s_net {
  syslog(ip(0.0.0.0) transport("udp") port(514));
  syslog(ip(0.0.0.0) transport("tcp") port(601));
};

to be on the safe side. While rsh is somewhat out of fashion these days, auditors that find an open TCP port 514 tend to at least ask questions about it :-)

Best regards,

  Peter.
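As an added example (not code from the thread or from the syslog-ng project), a small Python linter that applies the advice above to a syslog-ng source block: it parses explicit transport()/port() options from syslog()/network() drivers and flags TCP listeners on 514, accepting 601 or 514 + N*1000 as RFC 6587 suggests. The sample config is constructed from the snippet quoted above; drivers that rely on syslog-ng's default transport or port are skipped rather than guessed.

```python
import re

# Constructed sample: the config quoted in the thread, with TCP on 514.
SAMPLE_CONFIG = """
source s_net {
  syslog(ip(0.0.0.0) transport("udp") port(514));
  syslog(ip(0.0.0.0) transport("tcp") port(514));
};
"""

# One syslog() or network() source driver together with its option list.
DRIVER_RE = re.compile(r'\b(syslog|network)\s*\((.*?)\)\s*;', re.S)
# Individual option(value) pairs inside a driver; quotes are optional.
OPTION_RE = re.compile(r'(\w+)\s*\(\s*"?([^"()]*?)"?\s*\)')
RSH_PORT = 514          # TCP/514 is registered for rsh
SYSLOG_CONN_PORT = 601  # registered for syslog-conn


def parse_sources(config):
    """Return (driver, transport, port) for every driver that sets both explicitly."""
    sources = []
    for driver, opts in DRIVER_RE.findall(config):
        options = dict(OPTION_RE.findall(opts))
        if "transport" in options and "port" in options:
            sources.append((driver, options["transport"].lower(), int(options["port"])))
    return sources


def check_tcp_port(port):
    """Classify a TCP listener port the way the thread recommends."""
    if port == RSH_PORT:
        return "collides with rsh (TCP/514); use 601 or 514 + N*1000 (RFC 6587)"
    if port == SYSLOG_CONN_PORT or (port > RSH_PORT and port % 1000 == RSH_PORT):
        return "ok"
    return "non-standard port; document it before an audit asks"


def lint(config):
    """Return (transport, port, verdict) for each explicitly configured source."""
    results = []
    for _driver, transport, port in parse_sources(config):
        verdict = check_tcp_port(port) if transport in ("tcp", "tls") else "ok"
        results.append((transport, port, verdict))
    return results


if __name__ == "__main__":
    for transport, port, verdict in lint(SAMPLE_CONFIG):
        print(f"{transport}/{port}: {verdict}")
```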
