[receivers/syslog] Support RFC6587 for message framing #8390
Comments
|
cc @djaglowski |
|
This makes sense to me. We should aim to eventually support all common use cases for syslog. I don't anticipate that I'll have time to work on this in the near future, but I'm happy to review a PR. Presumably, log-collection's syslog_input operator would need enhancement, to provide special handling for TCP messages. |
|
We're encountering this currently with syslog coming from a Palo Alto firewall. Could really use this enhancement, if anyone has time to work on it. |
|
Would it also, while this is being worked on, be useful to implement RFC5848? We do encounter this from time to time as well. So far, what we've done is talk customers into changing to straight RFC5424. It would be nice not to need to do that. |
|
@djaglowski Can you assign this to me. I'll take a a stab at adding support for RFC6587. |
Is your feature request related to a problem? Please describe.
When using TCP, messages can be framed in a variety of ways. Historically, servers have accepted messages terminated with a newline, carriage return, newline and carriage return, or nul. More fully-featured syslog servers also support a more transparent framing method, where each message is prefixed with its length. This 'octet-counting' method is described in RFC5425 and RFC6587.
Describe the solution you'd like
Add support for RFC6587 octet-counting method in addition to new line method for framing each log message.
The text was updated successfully, but these errors were encountered: