Logstash -> ssl-tcp -> syslog-ng: Invalid frame header; header=''

Hello,

I am attempting to send log messages from logstash to an upstream syslog-ng server using the ssl-tcp protocol. The syslog-ng server is configured to receive messages using:

syslog(
  port(6514)
  transport("tls")
  so-keepalive(yes)
  so_rcvbuf(1073741824)
  log-fetch-limit(100)
  log-iw-size(100)
  max-connections(5000)
);

On the logstash side the output config is:

output {
  syslog {
    id => "siem"
    host => "..."
    port => 6514
    rfc => "rfc5424"
    protocol => "ssl-tcp"
  }
}

However, syslog-ng complains about an invalid frame header when logstash attempts to send messages:

2018-02-01T18:53:20+00:00 syslog-ng[83027]: Syslog connection accepted; fd='46', client='AF_INET(...)', local='AF_INET(0.0.0.0:6514)'
2018-02-01T18:53:20+00:00 syslog-ng[83027]: Invalid frame header; header=''
2018-02-01T18:53:20+00:00 syslog-ng[83027]: Syslog connection closed; fd='46', client='AF_INET(...)', local='AF_INET(0.0.0.0:6514)'

I've also tried setting rfc => rfc3164 which made no difference. I'm using logstash 5.6.5 and syslog-ng 3.5.6.

Hi.

On the syslog-ng side, instead of the syslog() driver, try using the network() driver with the flag(syslog-protocol) option. They handle framing differently, and might solve the problem.

Thanks for the idea. Using the network() source on the syslog-ng side does appear to work with logstash's output. In my case I added another syslog-ng instance between the two because I can't mess with the real destination's protocol without disrupting a lot of existing syslog clients.
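The framing difference mentioned in the reply, as an added example that is not part of the original thread or of either project's code. Over TLS the syslog() source expects each message to be prefixed with its length (octet counting, RFC 6587), while network() with the syslog-protocol flag reads messages without a frame header. The sketch assumes the sender terminates each message with a newline; the function names and the sample messages are constructed for illustration, and the parser is a simplified model rather than syslog-ng's implementation.

```python
"""Added illustration: octet-counted vs. newline-delimited TCP syslog framing."""


def parse_octet_counted(stream: bytes) -> list:
    """Decode 'MSG-LEN SP SYSLOG-MSG' frames; raise ValueError on a bad header."""
    msgs, pos = [], 0
    while pos < len(stream):
        end = pos
        # The frame header is a run of ASCII digits followed by one space.
        while end < len(stream) and stream[end:end + 1].isdigit():
            end += 1
        header = stream[pos:end]
        if not header or stream[end:end + 1] != b" ":
            raise ValueError(f"Invalid frame header; header={header.decode()!r}")
        length = int(header)
        body = stream[end + 1:end + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame")
        msgs.append(body)
        pos = end + 1 + length
    return msgs


def parse_newline_delimited(stream: bytes) -> list:
    """Decode non-transparent framing: one message per LF-terminated line."""
    return [line for line in stream.split(b"\n") if line]


def to_octet_counted(msgs: list) -> bytes:
    """Re-frame messages for a receiver that requires a length prefix."""
    return b"".join(str(len(m)).encode() + b" " + m for m in msgs)


# Constructed sample: two RFC 5424 messages written by a newline-delimiting sender.
SAMPLE = (b"<13>1 2018-02-01T18:53:20+00:00 host1 app 100 - - first event\n"
          b"<13>1 2018-02-01T18:53:21+00:00 host1 app 100 - - second event\n")


def demo() -> str:
    """Feed the newline-delimited sample to the octet-counting parser."""
    try:
        parse_octet_counted(SAMPLE)
    except ValueError as exc:
        return str(exc)
    return "parsed"


if __name__ == "__main__":
    print(demo())  # the stream starts with '<', so no length digits are found
    print(parse_octet_counted(to_octet_counted(parse_newline_delimited(SAMPLE))))
```

A relay placed between the two systems, as in the last post, effectively performs the `parse_newline_delimited` then `to_octet_counted` step so that the existing receiver configuration does not have to change.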
