I'm trying to set up syslog-ng to properly parse RFC5424-compliant messages, thus far with little success. According to the syslog-ng documentation,
The syslog-ng OSE application can automatically parse log messages that conform to the RFC3164 (BSD or legacy-syslog) or the RFC5424 (IETF-syslog) message formats. If syslog-ng OSE cannot parse a message, it results in an error.
This suggests that no extra parameters are needed for syslog-ng to actually parse these messages. However, it just doesn't.
Here is the relevant part of my syslog-ng config:
template remote_message {
    template("${R_ISODATE} s=${SDATA} mesg=${MSGONLY}\n");
};

source s_remote {
    tcp(port(514));
    syslog(transport(tcp));
};

destination d_remote {
    file(
        "/var/log/remote.log"
        owner(root)
        group(root)
        create_dirs(yes)
        template(remote_message)
    );
};

log {
    source(s_remote);
    destination(d_remote);
};
The server listens on port 514, and picks up logs from remote sources, but doesn't parse them at all. Sending the following message (which is copied from the RFC text):
<165>1 2003-10-11T22:14:15.003Z sender.computer.org evententry - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] Test message
yields the following log entry:
2016-04-26T16:22:31+02:00 s= mesg=2003-10-11T22:14:15.003Z sender.computer.org evententry - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] Test message
So as you can see, the message doesn't get parsed at all. Contrary to the documentation, this doesn't result in an error: according to the documentation, if the on-error option is set to fallback-to-string, syslog-ng should "log an error message to the internal() source", but no such logs are made.
I have a feeling that I'm missing something very basic here, because it really should work. What am I missing?
Your source seems to be misconfigured a bit:

    tcp(port(514));
    syslog(transport(tcp));

This is actually two sources:
So if you send your RFC5424 message to port 601, it should work (unless some firewall prevents listening on port 601).
HTH,
Robert Fekete
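As an added example (not part of the question, Robert's answer or the syslog-ng documentation), here is the question's source block rewritten so that RFC5424 messages are parsed on port 514 rather than on the syslog() driver's default TCP port of 601, with an internal() source routed to a file so that parse errors actually become visible. The file path /var/log/syslog-ng-internal.log is an assumption; check the port defaults and the flags(syslog-protocol) option against the documentation for the syslog-ng OSE version you run.

```conf
# Added example; not code from the original question or answer.
#
# tcp() parses incoming data as RFC3164 (legacy syslog), which is why the
# RFC5424 header ended up in ${MSGONLY} and ${SDATA} came out empty.
# syslog() parses RFC5424, but without port() it listens on 601/tcp,
# so the messages sent to 514 never reached it.
source s_remote {
    # Option 1: RFC5424 parser on 514/tcp.
    syslog(transport(tcp) port(514));

    # Option 2 (equivalent, shown commented out; do not bind both to the
    # same port): keep the tcp() driver but tell it to expect RFC5424.
    # tcp(port(514) flags(syslog-protocol));
};

# syslog-ng reports its own errors, including parse failures, on the
# internal() source. Without a log path for it they are silently dropped.
source s_internal {
    internal();
};

destination d_internal {
    file("/var/log/syslog-ng-internal.log");   # assumed path
};

log {
    source(s_internal);
    destination(d_internal);
};
```

With either option in place, the test message from the question should be parsed so that ${SDATA} expands to the structured-data block ([exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]) and ${MSGONLY} to just "Test message". Anything that still fails to parse shows up in the internal log instead of disappearing, which is the check to run before trusting a collector that receives logs from untrusted network peers.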