[syslog-ng] Both formats (RFC3164 and 5424) via one Port

Evan Rempel erempel at uvic.ca
Tue Jan 24 15:17:12 UTC 2023


You can listen for both protocols on a single port with

source s_both_protocols {
   network(
     localip("99.99.99.99")    # localip() is an alias of ip(): the local address to bind
     port("5152")
     transport("tcp")
     flags(syslog-protocol)    # expect RFC5424-formatted messages, without the octet-counting frame header
   );
};

If you need to support RFC3164 over UDP at the same time you can add

source s_udp_protocol {
   network(
     localip("99.99.99.99")
     port("5152")
     transport("udp")
     so-reuseport(1)           # SO_REUSEPORT: lets several sockets bind the same address/port (Linux 3.9+)
     persist-name("udp1")      # otherwise-identical sources need distinct persist names
   );
   network(                    # second and third sockets on the same port, one per worker
     localip("99.99.99.99")
     port("5152")
     transport("udp")
     so-reuseport(1)
     persist-name("udp2")
   );
   network(
     localip("99.99.99.99")
     port("5152")
     transport("udp")
     so-reuseport(1)
     persist-name("udp3")
   );
};

The multiple network stanzas are to support multi-threaded processing 
of UDP messages. You can add as many entries here as you have CPU cores 
in your server.


Evan.

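An added example, not code from this thread or from syslog-ng: a small receiver-side parser in Python showing what "both formats on one port" means in practice. It splits one TCP byte stream into messages under either RFC6587 framing (octet-counting, as in the StackOverflow question linked below, or newline-delimited), then dispatches on the header: "<PRI>1 " means RFC5424, a BSD timestamp after the PRI means RFC3164, and anything else is rejected rather than guessed. The sample messages are constructed from the examples in the two RFCs; the function and class names are this example's own.

```python
"""Added example (not from the thread or syslog-ng): accept RFC3164 and RFC5424
messages on one TCP stream under either RFC6587 framing and dispatch on the
header. Sample messages are constructed from the examples in the RFCs."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# RFC5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    rb"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
# RFC3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<rest>.*)$", re.DOTALL)
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]+)(?:\[(\d+)\])?:\s?(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    fmt: str          # "rfc5424" or "rfc3164"
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    msg: str
    sd: str = "-"     # RFC5424 structured data, "-" when absent


def deframe(stream: bytes) -> Iterator[bytes]:
    """Split a byte stream into messages. "DIGITS SP" at the start of a message
    is octet-counting (RFC6587 3.4.1); otherwise the message runs to the next
    newline (3.4.2). A syslog message itself starts with '<', never a digit,
    so the two framings cannot be confused. Stray newlines are skipped."""
    i, n = 0, len(stream)
    while i < n:
        m = re.match(rb"(\d+) ", stream[i:i + 12])
        if m:
            length = int(m.group(1))
            start = i + m.end()
            yield stream[start:start + length]
            i = start + length
        else:
            j = stream.find(b"\n", i)
            j = n if j == -1 else j
            if j > i:
                yield stream[i:j]
            i = j + 1


def split_sd(rest: bytes) -> Tuple[str, str]:
    """Split 'SD [SP MSG]'. SD is '-' or one or more [..] elements; a ']' inside
    a PARAM-VALUE is escaped as '\\]' and must not end the element."""
    if rest.startswith(b"-"):
        return "-", rest[2:].decode("utf-8", "replace")
    i = 0
    while i < len(rest) and rest[i:i + 1] == b"[":
        j = i + 1
        while j < len(rest) and rest[j:j + 1] != b"]":
            j += 2 if rest[j:j + 1] == b"\\" else 1   # skip the escaped character
        i = j + 1
    msg = rest[i + 1:] if rest[i:i + 1] == b" " else rest[i:]
    if msg.startswith(b"\xef\xbb\xbf"):   # RFC5424 permits a UTF-8 BOM before MSG
        msg = msg[3:]
    return rest[:i].decode("utf-8", "replace"), msg.decode("utf-8", "replace")


def parse(raw: bytes) -> SyslogMessage:
    """Dispatch on the header; reject anything that matches neither format."""
    m = RFC5424_RE.match(raw)
    if m:
        pri = int(m.group("pri"))
        sd, msg = split_sd(m.group("rest"))
        return SyslogMessage("rfc5424", pri >> 3, pri & 7, m.group("ts").decode(),
                             m.group("host").decode(), m.group("app").decode(),
                             m.group("procid").decode(), msg, sd)
    m = RFC3164_RE.match(raw)
    if m:
        pri = int(m.group("pri"))
        rest = m.group("rest").decode("utf-8", "replace")
        t = TAG_RE.match(rest)
        app, procid, msg = (t.group(1), t.group(2) or "-", t.group(3)) if t else ("-", "-", rest)
        return SyslogMessage("rfc3164", pri >> 3, pri & 7, m.group("ts").decode(),
                             m.group("host").decode(), app, procid, msg)
    raise ValueError("unrecognised syslog message: %r" % raw[:40])


def octet_frame(msg: bytes) -> bytes:
    """RFC6587 octet-counting framing: MSG-LEN SP SYSLOG-MSG."""
    return str(len(msg)).encode() + b" " + msg


# Constructed sample stream: a newline-framed RFC3164 line, a newline-framed
# RFC5424 line with structured data and a BOM, then an octet-counted RFC5424 message.
SAMPLE_STREAM = (
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8\n"
    b"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
    b'[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    b"\xef\xbb\xbfAn application event log entry...\n"
    + octet_frame(b"<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - "
                  b"%% It's time to make the do-nuts.")
)


def process_stream(stream: bytes) -> List[SyslogMessage]:
    return [parse(raw) for raw in deframe(stream)]


if __name__ == "__main__":
    for m in process_stream(SAMPLE_STREAM):
        print(f"{m.fmt} fac={m.facility} sev={m.severity} host={m.host} app={m.app} msg={m.msg!r}")
```

deframe() takes a complete buffer; on a live socket you would keep the unconsumed tail and re-run it as more bytes arrive. The point of the dispatch is that each format is recognised by its own header before any field is trusted, so a message that fits neither is dropped with an error instead of being stored with a mangled hostname or timestamp, which is what a no-parse catch-all would silently do.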
On 2023-01-24 06:02, Steve Bernacki wrote:
>
> I recently encountered the same situation. I did find a very thorough 
> post on one person's solution to this:
>
> https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33
>
> I ended up setting up a separate port for each protocol, which felt 
> like a cleaner solution to me. It would be great if syslog-ng could 
> more easily support this type of situation natively.
>
> Steve
>
> On 1/24/2023 8:12 AM, Matthias Gruber wrote:
>> Hi!
>>
>> We have appliances which generate syslog messages in both 
>> formats, one in 3164, the other in 5424.
>>
>> Would it be possible to put them into one source?
>>
>> Something like
>>
>> source s_remote_appl_tcp {
>>   syslog(
>>     ip("99.99.99.99")
>>     port("5152")
>>     transport("tcp")
>>     flags(no-parse)
>>   );
>> };
>>
>> and.... (just excerpts)
>>
>> parser p_0140_A_parser {
>>   syslog-parser();
>> };
>>
>> parser p_0140_B_parser {
>>   syslog-parser(flags(syslog-protocol));
>> };
>>
>> log {
>>   source(s_remote_appl_tcp);
>>   parser(p_0140_A_parser);
>>   destination(d_0140_all);
>>   flags(final);
>> };
>>
>> log {
>>   source(s_remote_appl_tcp);
>>   parser(p_0140_B_parser);
>>   destination(d_0140_all);
>>   flags(final);
>> };
>>
>>
>> Any hints are welcome...
>>
>> Cheers
>> Matthias
>>
>> P.S. It's an OSE 3.38.1 that's running
>>
>>
>> ------------------------------------------------------------------------------------
>> METZLER
>> Information Technology
>>
>> Matthias Gruber
>> IT Infrastructure & Operations
>>
>> B. Metzler seel. Sohn & Co.
>> Aktiengesellschaft
>> Untermainanlage 1
>> 60329 Frankfurt am Main
>> Phone 069 21 04 - 43 30
>> Fax 069 21 04 - 40 40
>> MGruber at metzler.com
>> www.metzler.com