Logstash compliance with RFC5425 and RFC5426

From the official Logstash docs, the syslog output plugin of Logstash supports only the RFC5424 and RFC3164 formats. (Syslog output plugin | Logstash Reference [8.6] | Elastic)

Does the Logstash syslog output plugin comply with the RFC5425 or RFC5426 formats?

Thanks in Advance!

If it's not stated then I would say not.

I think it might. RFC 5426 is syslog over UDP (which the output supports), and it says that the message must be in 5424 format. The RFC doesn't seem to ask for anything else (although it explains at great length the many issues with using UDP 🙂).

I don't think it supports RFC 5425 (syslog over TLS) because the output writes \n separated messages and the RFC appears to call for a line length and space prepended to the message. If that is correct it would be a one-line change to fix it.

rsyslog can support both traditional newline separation and octet-counted (5424) over TLS. The default is to use the traditional separation because 'only few syslogd implementations support “octet-counted” framing'.

I learnt so much about syslog today!

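The two framings discussed in this thread, side by side, as an added example that is not code from Logstash or rsyslog: RFC 5425 prefixes each message with its octet count and a space, so a receiver never has to trust a delimiter inside the message, whereas newline framing splits a message that contains an embedded LF into several records. Helper names are hypothetical, the sample messages are constructed, and `MAX_MSG_LEN` is an assumed receiver-side cap.

```ruby
# Added example: RFC 5425 octet counting vs newline-delimited framing.
# Helper names are hypothetical; sample messages are constructed.

# RFC 5425 frame: MSG-LEN SP SYSLOG-MSG, where MSG-LEN counts octets, not characters.
def frame_octet_counted(msg)
  bytes = msg.dup.force_encoding(Encoding::BINARY)
  "#{bytes.bytesize} ".b + bytes
end

# Newline-delimited framing, which the thread says the output writes.
def frame_newline(msg)
  msg.dup.force_encoding(Encoding::BINARY) + "\n".b
end

MAX_MSG_LEN = 8192 # assumed cap so a bogus length prefix cannot exhaust memory

# Split a received byte stream into messages using octet counting.
# Returns [messages, leftover_bytes]; raises on a malformed length prefix.
def parse_octet_counted(stream)
  buf = stream.dup.force_encoding(Encoding::BINARY)
  msgs = []
  until buf.empty?
    m = /\A([1-9][0-9]*) /.match(buf)
    if m.nil?
      break if buf.match?(/\A[1-9][0-9]*\z/) # length digits still arriving
      raise ArgumentError, "malformed MSG-LEN prefix"
    end
    len = m[1].to_i
    raise ArgumentError, "MSG-LEN #{len} exceeds cap" if len > MAX_MSG_LEN
    header = m[0].bytesize
    break if buf.bytesize < header + len # partial frame, wait for more bytes
    msgs << buf.byteslice(header, len)
    buf = buf.byteslice(header + len, buf.bytesize)
  end
  [msgs, buf]
end

# Receiver for newline framing: every LF ends a record, wherever it came from.
def parse_newline(stream)
  stream.dup.force_encoding(Encoding::BINARY).split("\n".b)
end

# Constructed RFC 5424 messages. M2 carries a multi-byte UTF-8 character and an
# embedded LF followed by text shaped like another syslog record.
M1 = "<34>1 2023-01-01T00:00:00Z host app 1 ID1 - login ok"
M2 = "<34>1 2023-01-01T00:00:01Z host app 1 ID2 - user=\u00e9\n" \
     "<34>1 2023-01-01T00:00:02Z host app 1 ID3 - forged"
```

With the two constructed messages, the octet-counted parser returns exactly two records, while the newline parser returns three, the third being the text that followed the embedded LF.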