syslog RFC3164 issue

CRPilote · January 26

Hello, it seems the USG 100 flex does not follow RFC3164 https://datatracker.ietf.org/doc/html/rfc3164#section-4.1.2

Device : USG FLEX 100 v5.37

The raw syslog the message received from USG has 2024 after the timestamp, which does not conform to RFC3164 :

<149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" msg="name=wan,status=1000M/Full,TxPkts=172906055,RxPkts=224208875,Collision=0,TxB/s=8751,RxB/s=27903" note="INTERFACE STATISTICS" user="unknown" devID="bccf4fd0c8a7" cat="INTERFACE STATISTICS"

instead it should start like this :

<149>Jan 26 16:54:41 usgflex100

Citation from RFC3164 : https://datatracker.ietf.org/doc/html/rfc3164#section-5.1

It has been found that some network administrators like to archive
   their syslog messages over long periods of time.  It has been seen
   that some original syslog messages contain a more explicit time stamp
   in which a 2 character or 4 character year field immediately follows
   the space terminating the TIMESTAMP.  This is not consistent with the
   original intent of the order and format of the fields.  If
   implementers wish to contain a more specific date and time stamp
   within the transmitted message, it should be within the CONTENT
   field.  Implementers may wish to utilize the ISO 8601 [7] date and
   time formats if they want to include more explicit date and time
   information.

This is probably the cause of this error of the telegraf parser :

[inputs.syslog] Error in plugin: unable to parse message: <149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" msg="name=wan,status=1000M/Full,TxPkts=172906055,RxPkts=224208875,Collision=0,TxB/s=8751,RxB/s=27903" note="INTERFACE STATISTICS" user="unknown" devID="bccf4fd0c8a7" cat="INTERFACE STATISTICS"

Could you have a look at this issue ?