There are multiple syslog protocols with multiple variants. The new transport(auto) option of the syslog() source allows you to support all TCP-based variants with a single source driver.
Why?
When it comes to syslog, there are many transport options. RFC3164 describes the “legacy” or “BSD” syslog protocol, while RFC5424 refers to the “new” syslog protocol (which is also more than a decade old now… :-) ). RFC5424-formatted messages normally come with octet-counting framing (as per RFC6587), where each message is prefixed with its length. And just to increase the confusion even more, some software uses RFC5424 message formatting, but without octet counting.
Up until now, the number of these variants meant that if you wanted to receive logs in RFC3164 and RFC5424 format, with or without octet counting, then you had to configure three different ports on syslog-ng to parse all of them correctly.
But not anymore! The new transport(auto) option of syslog-ng allows you to collect all these variants using a single port. And not just those, but even a variant that I do not recall seeing before: RFC3164 formatting with octet counting… :-)
Before you begin
Make sure that you have at least syslog-ng 4.9.0 installed. If it is not (yet) available in the operating system of your choice, then check if there are any third-party packages available. Of course, you can also build syslog-ng yourself, but using pre-built packages is a lot more convenient.
Configuring syslog-ng
Depending on your syslog-ng configuration, append the following configuration snippet to syslog-ng.conf, or create a new .conf file for it under the /etc/syslog-ng/conf.d/ directory.
    source s_auto {
        syslog(port(514) transport(auto));
    };
    destination d_auto {
        file("/var/log/auto.txt");
    };
    log {
        source(s_auto);
        destination(d_auto);
    };
The source driver opens port 514 and sets the transport mode to auto. This means that any TCP-based syslog protocol variant will be accepted on that port.
The destination driver will simply write incoming log messages to a file.
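To make the four variants concrete, here is a small Python sketch (an added example, not syslog-ng code) that frames two constructed messages with and without octet counting, and then does what a single auto-detecting receiver has to do per frame: decide the framing, then decide whether the payload is RFC5424 or RFC3164. The digit-versus-'<' first-byte heuristic and the sample messages are my assumptions for illustration.

```python
import re

# Constructed sample messages (not captured from syslog-ng).
RFC5424_MSG = b"<13>1 2025-07-14T13:12:39+02:00 localhost root - - - bla bla rfc5424"
RFC3164_MSG = b"<13>Jul 14 13:12:58 localhost root: bla bla rfc3164"

def octet_count_frame(msg: bytes) -> bytes:
    """RFC6587 octet counting: 'MSG-LEN SP SYSLOG-MSG'."""
    return b"%d %s" % (len(msg), msg)

def newline_frame(msg: bytes) -> bytes:
    """RFC6587 non-transparent framing: message terminated by LF."""
    return msg + b"\n"

def split_frames(stream: bytes):
    """Per frame: a leading decimal length plus space means octet counting
    (assumed heuristic), otherwise read up to the next newline."""
    frames, pos = [], 0
    while pos < len(stream):
        m = re.match(rb"(\d{1,5}) ", stream[pos:])
        if m:
            length = int(m.group(1))
            start = pos + m.end()
            frames.append(("octet-count", stream[start:start + length]))
            pos = start + length
        else:
            end = stream.find(b"\n", pos)
            end = len(stream) if end == -1 else end
            frames.append(("newline", stream[pos:end]))
            pos = end + 1
    return frames

def message_format(msg: bytes) -> str:
    """RFC5424 carries VERSION '1' right after the <PRI> field; RFC3164 does not."""
    return "rfc5424" if re.match(rb"<\d{1,3}>1 ", msg) else "rfc3164"

def sample_stream() -> bytes:
    """The four variants from the post, as one constructed TCP byte stream."""
    return (octet_count_frame(RFC5424_MSG) + newline_frame(RFC3164_MSG)
            + octet_count_frame(RFC3164_MSG) + newline_frame(RFC5424_MSG))

def classify(stream: bytes):
    """Return (framing, format, payload) for every frame in the stream."""
    return [(framing, message_format(msg), msg) for framing, msg in split_frames(stream)]

if __name__ == "__main__":
    for framing, fmt, msg in classify(sample_stream()):
        print(f"{framing:12} {fmt:8} {msg.decode()}")
```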
Testing
Once the syslog-ng configuration is live, you are ready for some testing. I used logger with these options on openSUSE, but the available options on your distribution or OS might be different. The third variant is only there for fun, as I do not recall ever seeing it in the wild… :-)
    logger -T -n 127.0.0.1 -P 514 --rfc5424 bla bla rfc5414
    logger -T -n 127.0.0.1 -P 514 --rfc3164 bla bla rfc3164
    logger -T -n 127.0.0.1 -P 514 --rfc3164 --octet-count bla bla rfc3164 octet count
    logger -T -n 127.0.0.1 -P 514 --rfc5424 --octet-count bla bla rfc5424 octet count
And the resulting log messages should look something like these:
    Jul 14 13:12:39 localhost root: bla bla rfc5414
    Jul 14 13:12:58 localhost root: bla bla rfc3164
    Jul 14 13:14:09 localhost root: bla bla rfc3164 octet count
    Jul 14 13:14:29 localhost root: bla bla rfc5424 octet count
What is next?
You can now simplify your syslog-ng configuration. On a larger network, this might also mean that you can simplify your firewall configuration.
-
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.