[syslog-ng] Both formats (RFC3164 and 5424) via one Port

Steve Bernacki steve at copacetic.net
Tue Jan 24 14:02:30 UTC 2023


I recently encountered the same situation. I did find a very thorough 
post on one person's solution to this:

https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33

I ended up setting up a separate port for each protocol, which felt like 
a cleaner solution to me. It would be great if syslog-ng could more 
easily support this type of situation natively.

Steve

On 1/24/2023 8:12 AM, Matthias Gruber wrote:
> Hi!
>
> We have Appliances which are generating syslog-messages in both 
> formats, one in 3164 the other in 5424.
>
> Would it be possible to put them into one source?
>
> Something like
>
> source s_remote_appl_tcp {
>   syslog(
> ip("99.99.99.99")
> port("5152")
> transport("tcp")
> flags(no-parse)
>   );
> };
>
> and.... (just excerpts)
>
> parser p_0140_A_parser {
> syslog-parser();
> };
>
> parser p_0140_B_parser {
> syslog-parser(flags(syslog-protocol));
> };
>
> log {
> source(s_remote_appl_tcp);
> parser(p_0140_A_parser);
> destination(d_0140_all);
> flags(final);
> };
>
> log {
> source(s_remote_appl_tcp);
> parser(p_0140_B_parser);
> destination(d_0140_all);
> flags(final);
> };
>
>
> Any hints are welcome...
>
> Cheers
> Matthias
>
> P.S. It's an OSE 3.38.1 running
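The separate-port approach described in the reply above, sketched as a syslog-ng configuration. This is an added example, not configuration posted by anyone in the thread: the listen address, both port numbers, the source names and the file path are assumptions, and only the destination name d_0140_all comes from the quoted question.

```conf
@version: 3.38

# Assumed layout: one listener per wire format, so each driver applies
# its own parser and no format guessing is needed on a shared port.

# RFC3164 (BSD syslog) senders: network() parses RFC3164 by default.
source s_appl_rfc3164 {
  network(
    ip("0.0.0.0")        # assumed listen address
    port(5152)           # assumed port for the RFC3164 appliances
    transport("tcp")
  );
};

# RFC5424 (IETF syslog) senders: syslog() parses RFC5424.
source s_appl_rfc5424 {
  syslog(
    ip("0.0.0.0")        # assumed listen address
    port(5153)           # assumed port for the RFC5424 appliances
    transport("tcp")
  );
};

# Destination name taken from the question; the path is an assumption.
destination d_0140_all {
  file("/var/log/remote/0140_all.log" create-dirs(yes));
};

# Both sources feed the same destination, so downstream handling is
# identical regardless of which format the appliance emitted.
log {
  source(s_appl_rfc3164);
  source(s_appl_rfc5424);
  destination(d_0140_all);
};
```

Each appliance has to be pointed at the port that matches the format it emits; a sender on the wrong port will be parsed with the wrong format.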