Logstash compliance with RFC5425 and RFC5426

I think it might. RFC 5426 is syslog over UDP (which the output supports), and it says that the message must be in 5424 format. The RFC doesn't seem to ask for anything else (although it explains at great length the many issues with using UDP 🙂).

I don't think it supports RFC 5425 (syslog over TLS) because the output writes \n-separated messages and the RFC appears to call for a line length and space prepended to the message. If that is correct it would be a one-line change to fix it.

rsyslog can support both traditional newline separation and octet-counted (5424) over TLS. The default is to use the traditional separation because 'only few syslogd implementations support “octet-counted” framing'.

I learnt so much about syslog today!

2 Likes
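The two framings discussed in this thread, as an added example (not part of the original posts, and not Logstash or rsyslog code): RFC 5425's octet-counted frame, `MSG-LEN SP SYSLOG-MSG`, beside newline-terminated framing, with a receiver for each. The function names, the `max_len` limit and the sample messages are constructed for illustration; the second message carries an embedded newline and a multi-byte character, so it splits in two under newline framing and its length must be counted in octets.

```ruby
# Added example: helper names, max_len and sample messages are constructed.
M1 = "<34>1 2024-01-01T00:00:00Z host app 1234 ID47 - started"
M2 = "<27>1 2024-01-01T00:00:01Z host app 1234 ID48 - trace:\n  at line 1 \u2713"

# RFC 5425 section 4.3: SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG, where MSG-LEN
# is the decimal count of octets (not characters) in SYSLOG-MSG.
def frame_octet_counted(msg)
  bytes = msg.b
  "#{bytes.bytesize} ".b + bytes
end

# Traditional framing: each message is terminated by a single LF.
def frame_newline(msg)
  msg.b + "\n".b
end

# Receiver side for octet-counted frames. Returns [messages, leftover];
# leftover is an incomplete trailing frame to keep until more bytes arrive.
def deframe_octet_counted(buffer, max_len: 8192)
  buf = buffer.b
  messages = []
  until buf.empty?
    m = /\A([1-9][0-9]*) /.match(buf)
    if m.nil?
      break if buf.match?(/\A[1-9][0-9]*\z/) # length digits still arriving
      raise ArgumentError, "malformed MSG-LEN"
    end
    len = m[1].to_i
    raise ArgumentError, "frame exceeds max_len" if len > max_len
    header = m[0].bytesize
    break if buf.bytesize < header + len     # body still arriving
    messages << buf.byteslice(header, len)
    buf = buf.byteslice(header + len, buf.bytesize)
  end
  [messages, buf]
end

# A newline-splitting receiver, for comparison.
def deframe_newline(buffer)
  buffer.b.split("\n".b)
end

if __FILE__ == $PROGRAM_NAME
  octets, = deframe_octet_counted(frame_octet_counted(M1) + frame_octet_counted(M2))
  lines = deframe_newline(frame_newline(M1) + frame_newline(M2))
  puts "octet-counted: #{octets.size} messages, newline: #{lines.size} messages"
end
```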