Logstash -> ssl-tcp -> syslog-ng: Invalid frame header; header=''


I am attempting to send log messages from logstash to an upstream syslog-ng server using the ssl-tcp protocol. The syslog-ng server is configured to receive messages using:


On the logstash side the output config is:

output {
  syslog {
    id => "siem"
    host => "..."
    port => 6514
    rfc => "rfc5424"
    protocol => "ssl-tcp"
  }
}

However, syslog-ng complains about an invalid frame header when logstash attempts to send messages:

2018-02-01T18:53:20+00:00 syslog-ng[83027]: Syslog connection accepted; fd='46', client='AF_INET(...)', local='AF_INET('
2018-02-01T18:53:20+00:00 syslog-ng[83027]: Invalid frame header; header=''
2018-02-01T18:53:20+00:00 syslog-ng[83027]: Syslog connection closed; fd='46', client='AF_INET(...)', local='AF_INET('

I've also tried setting rfc => rfc3164 which made no difference. I'm using logstash 5.6.5 and syslog-ng 3.5.6.


On the syslog-ng side, instead of the syslog() driver, try using the network() driver with the flag(syslog-protocol) option. They handle framing differently, and might solve the problem.

Thanks for the idea. Using the network() source on the syslog-ng side does appear to work with logstash's output. In my case I added another syslog-ng instance between the two because I can't mess with the real destination's protocol without disrupting a lot of existing syslog clients.
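
The framing difference mentioned in the answer, as an added example that is not part of the original thread: syslog-ng's syslog() driver expects the octet-counted frames of RFC 6587, while network() reads newline-terminated messages. The parser below is a simplified model (not syslog-ng's code), it assumes Logstash terminates each message with a newline, and the sample message is constructed.

```python
# Simplified model of the two TCP syslog framings described in RFC 6587.
# Illustration only: not syslog-ng's or Logstash's implementation.

class InvalidFrameHeader(ValueError):
    pass

def frame_octet_counted(msg: bytes) -> bytes:
    """'MSG-LEN SP SYSLOG-MSG': what an octet-counting receiver expects."""
    return str(len(msg)).encode() + b" " + msg

def frame_newline(msg: bytes) -> bytes:
    """'SYSLOG-MSG LF': newline-delimited (non-transparent) framing."""
    return msg + b"\n"

def read_octet_counted(stream: bytes) -> list[bytes]:
    """Parse a buffer as octet-counted frames; reject a non-numeric header."""
    msgs, pos = [], 0
    while pos < len(stream):
        end = pos
        while stream[end:end + 1].isdigit():   # collect the decimal length
            end += 1
        header = stream[pos:end]
        if not header or stream[end:end + 1] != b" ":
            # A message that starts with '<PRI>' has no digits here at all.
            raise InvalidFrameHeader(f"header={header.decode()!r}")
        start, length = end + 1, int(header)
        if start + length > len(stream):
            raise InvalidFrameHeader("truncated frame")
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs

def read_newline(stream: bytes) -> list[bytes]:
    """Parse a buffer as newline-delimited messages."""
    return [m for m in stream.split(b"\n") if m]

def detect_framing(first_bytes: bytes) -> str:
    """RFC 6587 heuristic: a digit starts a length, '<' starts a PRI."""
    if first_bytes[:1].isdigit():
        return "octet-counted"
    if first_bytes[:1] == b"<":
        return "newline-delimited"
    return "unknown"

# Constructed RFC 5424 sample message
SAMPLE = b"<13>1 2018-02-01T18:53:20+00:00 host app - - - test"
```

Feeding `frame_newline(SAMPLE)` to `read_octet_counted` fails with an empty header, while `read_newline` accepts the same bytes.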
