RFC3195 compliance - BEEP messages

Hi everybody,

Does anybody know how to handle BEEP messages stated in RFC3195 for reliable syslog over TCP?
I am receiving these messages in logstash, but don't know how to let logstash react to the sender of these messages. The result is that the device sending these messages does not send any syslog message since it does not receive a response.

The vendor of the hardware device states the device logs a status "beep message timed out".

I believe, if ELK is RFC3195 compliant, it should respond to the BEEP message, which will trigger the device to send the syslog messages over TCP (reliable).

Does anybody know if ELK is RFC3195 compliant and how to configure logstash to respond correctly to the BEEP messages?

Best regards,
Francis Claessens.

I think you might be looking for the relp input plugin.

Hi Christian,

Thanks for your feedback!
I have tried to use the relp input without success.
However, I believe maybe something else is wrong in my configuration. I receive the following error in the logstash logfile every time a BEEP message is being sent by my client device:

[2017-07-19T12:35:29,245][WARN ][logstash.inputs.relp ] Relp error: Relp::InvalidCommand 0

With a tcpdump, I can see those BEEP messages coming into the logstash server, but no response from logstash which informs the client device it is available for receiving syslog reliable logs.

Do you have any idea how I can troubleshoot this? I don't seem to be able to find examples or troubleshooting guides for the relp plugin.

Are you using this yourself for syslog reliable message parsing?

Kind regards,
Francis Claessens.

No, I have never used this plugin. Maybe someone from the Logstash team can help?

This discussion seems split into two topics: RELP and RFC3195. Which one are you asking about?

I glanced briefly at RFC3195 and it looks to be incompatible with RELP, so if you are attempting to send RFC3195 to the Logstash RELP input, I would expect this to not work.

If you are wanting RFC3195 functionality, I think this would be best done as a new input (since RFC3195 is incompatible with every other syslog transport that I am aware of, it's a different protocol). I don't have any particular advice, nor am I an expert on this RFC.

It is possible to add support to Logstash for RFC3195 as a new input plugin, and doing so would require someone write the code for it. At this time, it is not on our roadmap to do this, but we will consider it further as demand for this feature increases.

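An added example, not part of any post in this thread and not Logstash code: a small Ruby classifier that tells a BEEP frame header (RFC 3080, the framing RFC 3195 runs on) from a RELP frame header by the first bytes of a connection, which is the incompatibility described in the reply above. The function names, the RELP header shape as written here, and both sample frames are assumptions constructed for illustration.

```ruby
# Added example: tell BEEP (RFC 3080, the framing RFC 3195 runs on) apart from
# RELP by the first frame header on a TCP connection. Names are hypothetical.

# BEEP: type SP channel SP msgno SP more SP seqno SP size [SP ansno] CRLF
BEEP_HEADER = /\A(MSG|RPY|ERR|NUL|ANS) (\d+) (\d+) ([.*]) (\d+) (\d+)(?: (\d+))?\r\n/
# RELP (assumed shape): TXNR SP COMMAND SP DATALEN, then SP DATA or LF
RELP_HEADER = /\A(\d{1,9}) ([A-Za-z]{1,32}) (\d{1,9})[ \n]/

def classify_first_frame(bytes)
  data = bytes.b # binary copy, so non-UTF-8 input cannot raise during matching
  if (m = BEEP_HEADER.match(data))
    { protocol: :beep, type: m[1], channel: m[2].to_i, msgno: m[3].to_i,
      more: m[4] == "*", seqno: m[5].to_i, size: m[6].to_i }
  elsif (m = RELP_HEADER.match(data))
    { protocol: :relp, txnr: m[1].to_i, command: m[2], datalen: m[3].to_i }
  else
    { protocol: :unknown }
  end
end

# Second space-separated token: the command slot in a RELP header, but the
# channel number in a BEEP header.
def second_token(bytes)
  bytes.b.split(" ", 3)[1]
end

# Constructed samples, not captured traffic.
BEEP_PAYLOAD  = "Content-Type: application/beep+xml\r\n\r\n<greeting />\r\n"
BEEP_GREETING = "RPY 0 0 . 0 #{BEEP_PAYLOAD.bytesize}\r\n#{BEEP_PAYLOAD}END\r\n"
RELP_OFFERS   = "relp_version=0\ncommands=syslog"
RELP_OPEN     = "1 open #{RELP_OFFERS.bytesize} #{RELP_OFFERS}\n"

if __FILE__ == $PROGRAM_NAME
  [BEEP_GREETING, RELP_OPEN, "\x16\x03\x01\x02\x00"].each do |sample|
    puts "#{classify_first_frame(sample).inspect} second_token=#{second_token(sample).inspect}"
  end
end
```

Run against the first payload bytes of a connection taken from a packet capture, it shows which of the two framings the sender is actually using before any listener configuration is changed.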
