-
Title
How to receive logs in IETF (RFC 5424) format on a network() source -
Description
The network() source expects to receive logs in the BSD (RFC 3164) format. If the logs are sent to the source in the IETF (RFC 5424) format, then each entire incoming log will end up in the MSG part of the destination log.
For details on syslog message formats please see KB264126
-
Resolution
In order to receive messages using IETF (RFC 5424) format logs on a network() source the flag "syslog-protocol" should be enabled in the source as in the following example.
+++++++++++++++++++++++++++
source s_tcp_syslog {
network(
transport("tcp")
port("9021")
ip("127.0.0.1")
flags("syslog-protocol")
);
};
+++++++++++++++++++++++++++
Please note that for transferring IETF-syslog messages, generally you are recommended to use the syslog() driver on both the client and the server, as it uses both the IETF-syslog message format and the protocol. For details, see syslog: Collecting messages using the IETF syslog protocol (syslog() driver).