[syslog-ng] Both formats (RFC3164 and 5424) via one Port
Steve Bernacki
steve at copacetic.net
Tue Jan 24 14:02:30 UTC 2023
I recently encountered the same situation. I did find a very thorough
post on one person's solution to this:
https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33
I ended up setting up a separate port for each protocol, which felt like
a cleaner solution to me. It would be great if syslog-ng could more
easily support this type of situation natively.
Steve
On 1/24/2023 8:12 AM, Matthias Gruber wrote:
> Hi!
>
> We have Appliances which are generating syslog-messages in both
> formats, one in 3164 the other in 5424.
>
> Would it be possible to put them into one source?
>
> Something like
>
> source s_remote_appl_tcp {
>     syslog(
>         ip("99.99.99.99")
>         port("5152")
>         transport("tcp")
>         flags(no-parse)
>     );
> };
>
> and.... (just excerpts)
>
> parser p_0140_A_parser {
>     syslog-parser();
> };
>
> parser p_0140_B_parser {
>     syslog-parser(flags(syslog-protocol));
> };
>
> log {
>     source(s_remote_appl_tcp);
>     parser(p_0140_A_parser);
>     destination(d_0140_all);
>     flags(final);
> };
>
> log {
>     source(s_remote_appl_tcp);
>     parser(p_0140_B_parser);
>     destination(d_0140_all);
>     flags(final);
> };
>
>
> Any hints are welcome...
>
> Cheers
> Matthias
>
> P.S. It's an OSE 3.38.1 running
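Added example, not part of the original thread and not syslog-ng code: a single listener for both formats has to settle two things per message, the RFC 6587 framing (the subject of the linked Stack Overflow post) and the header format. The Python below shows both checks; the function names and the sample messages are constructed for illustration.

```python
import re

# RFC 5424 header: "<PRI>VERSION SP"; VERSION is a nonzero digit plus up to two digits.
RFC5424_RE = re.compile(rb"^<(\d{1,3})>[1-9]\d{0,2} ")
# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss " (single-digit day is space-padded).
RFC3164_RE = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# RFC 6587 octet counting: "MSG-LEN SP SYSLOG-MSG", MSG-LEN has no leading zero.
OCTET_COUNT_RE = re.compile(rb"^([1-9]\d{0,8}) ")


def classify(msg: bytes) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' for one unframed message."""
    for name, pattern in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = pattern.match(msg)
        if m and int(m.group(1)) <= 191:  # PRI = facility*8 + severity, max 191
            return name
    return "unknown"


def split_frames(buf: bytes):
    """Split a TCP buffer into (frames, leftover): octet-counted or LF-terminated."""
    frames = []
    while buf:
        m = OCTET_COUNT_RE.match(buf)
        if m:
            start, length = m.end(), int(m.group(1))
            if len(buf) < start + length:
                break  # frame not fully received yet; keep it for the next read
            frames.append(buf[start:start + length])
            buf = buf[start + length:]
        else:
            line, sep, rest = buf.partition(b"\n")
            if not sep:
                break  # no LF trailer yet; wait for more data
            if line:  # skip the empty line some senders add after a counted frame
                frames.append(line)
            buf = rest
    return frames, buf


# Constructed sample: octet-counted RFC 5424 message, then LF-terminated RFC 3164.
M5424 = b"<165>1 2023-01-24T14:02:30Z fw01 app 1234 ID47 - session opened"
M3164 = b"<34>Jan 24 14:02:30 fw02 sshd[411]: session closed"
SAMPLE = str(len(M5424)).encode() + b" " + M5424 + M3164 + b"\n"

if __name__ == "__main__":
    frames, leftover = split_frames(SAMPLE)
    for frame in frames:
        print(classify(frame), frame.decode())
```

Messages that `classify` reports as `unknown` are worth routing to their own destination rather than dropping, so a sender using a third format is noticed.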