syslog RFC3164 issue
Hello, it seems the USG 100 flex does not follow RFC3164
Device : USG FLEX 100 v5.37
The raw syslog message received from the USG has 2024 after the timestamp, which does not conform to RFC3164:
<149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" msg="name=wan,status=1000M/Full,TxPkts=172906055,RxPkts=224208875,Collision=0,TxB/s=8751,RxB/s=27903" note="INTERFACE STATISTICS" user="unknown" devID="bccf4fd0c8a7" cat="INTERFACE STATISTICS"
Instead it should start like this:
<149>Jan 26 16:54:41 usgflex100
Citation from RFC3164 :
It has been found that some network administrators like to archive their syslog messages over long periods of time. It has been seen that some original syslog messages contain a more explicit time stamp in which a 2 character or 4 character year field immediately follows the space terminating the TIMESTAMP. This is not consistent with the original intent of the order and format of the fields. If implementers wish to contain a more specific date and time stamp within the transmitted message, it should be within the CONTENT field. Implementers may wish to utilize the ISO 8601 [7] date and time formats if they want to include more explicit date and time information.
This is probably the cause of this error of the telegraf parser :
[inputs.syslog] Error in plugin: unable to parse message: <149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" msg="name=wan,status=1000M/Full,TxPkts=172906055,RxPkts=224208875,Collision=0,TxB/s=8751,RxB/s=27903" note="INTERFACE STATISTICS" user="unknown" devID="bccf4fd0c8a7" cat="INTERFACE STATISTICS"
Could you have a look at this issue ?
All Replies
How about CEF format? Does it work?
When set to "CEF/syslog" the hostname is correctly placed after the timestamp, there is no year misplaced
<141>Jan 29 09:19:45 usgflex100 CEF:0|ZyXEL|USG FLEX 100|5.37(ABUH.1)|0|INTERFACE STATISTICS|5|devID=bccf4fd0c8a7 dvchost=usgflex100 msg=name:lan1,status:Up,TxPkts:248499559,RxPkts:272512530,Collision:0,TxB/s:191375,RxB/s:41121 cat=INTERFACE STATISTICS ZYlevel=notice ZYnote=INTERFACE STATISTICS
So it seems to be a bug that concerns only the "syslog" setting, not "CEF/syslog".
Sadly, using CEF is not a solution for me as I need to use the normal syslog, not the CEF format.
Thanks Kevin,
I look forward to getting it
Hi,
FYI I have the exact same issue on NXC2500 controller. A fix for this one would be appreciated as well.
Issue not resolved with update to V5.37(ABUH.2) Released Date: 2024-01-20 06:18:36
Hi @CRPilote ,
Will release another firmware for you. Not in official firmware.
Thank you for your patience.
Kevin
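
A receiver-side check for the header problem described in this thread, as an added example (not code from the thread, Zyxel or Telegraf): it detects a 2- or 4-digit year between TIMESTAMP and HOSTNAME and rebuilds the header without it. Function and field names are illustrative, the samples are shortened copies of the quoted messages, and it assumes hostnames are never bare 2- or 4-digit numbers.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# <PRI>Mmm dd hh:mm:ss [YEAR ]HOSTNAME CONTENT
# The optional YEAR group is the non-conforming field; RFC 3164 has none.
# Assumption: hostnames are never bare 2- or 4-digit numbers.
HEADER = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<ts>(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<year>\d{4}|\d{2}) )?(?P<host>\S+) (?P<content>.*)$",
    re.S,
)
PAIR = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in CONTENT


def normalize(raw: str) -> dict:
    """Parse one datagram; rebuild an RFC 3164 header if a year was inserted."""
    m = HEADER.match(raw.strip())
    if m is None:
        raise ValueError("not an RFC 3164 style header")
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m["ts"],
        "year": m["year"],  # None when the header conforms
        "conforming": m["year"] is None,
        "hostname": m["host"],
        "fields": dict(PAIR.findall(m["content"])),
        # Same message with the year removed, ready for a strict parser.
        "rfc3164": f"<{pri}>{m['ts']} {m['host']} {m['content']}",
    }


# Constructed samples modelled on the messages quoted in the thread (shortened).
BAD = ('<149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" '
       'note="INTERFACE STATISTICS" cat="INTERFACE STATISTICS"')
GOOD = "<141>Jan 29 09:19:45 usgflex100 CEF:0|ZyXEL|USG FLEX 100|..."

if __name__ == "__main__":
    for sample in (BAD, GOOD):
        out = normalize(sample)
        print(out["conforming"], out["year"], out["rfc3164"][:40])
```

Counting messages where `conforming` is false, per sending device, shows which devices emit the extra year field.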