syslog RFC3164 issue

Hello, it seems the USG 100 flex does not follow RFC3164 https://datatracker.ietf.org/doc/html/rfc3164#section-4.1.2

Device : USG FLEX 100 v5.37

The raw syslog message received from the USG has 2024 after the timestamp, which does not conform to RFC3164:

<149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" msg="name=wan,status=1000M/Full,TxPkts=172906055,RxPkts=224208875,Collision=0,TxB/s=8751,RxB/s=27903" note="INTERFACE STATISTICS" user="unknown" devID="bccf4fd0c8a7" cat="INTERFACE STATISTICS"

instead it should start like this :

<149>Jan 26 16:54:41 usgflex100

Citation from RFC3164 : https://datatracker.ietf.org/doc/html/rfc3164#section-5.1

It has been found that some network administrators like to archive
   their syslog messages over long periods of time.  It has been seen
   that some original syslog messages contain a more explicit time stamp
   in which a 2 character or 4 character year field immediately follows
   the space terminating the TIMESTAMP.  This is not consistent with the
   original intent of the order and format of the fields.  If
   implementers wish to contain a more specific date and time stamp
   within the transmitted message, it should be within the CONTENT
   field.  Implementers may wish to utilize the ISO 8601 [7] date and
   time formats if they want to include more explicit date and time
   information.

This is probably the cause of this error from the Telegraf parser:

[inputs.syslog] Error in plugin: unable to parse message: <149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" dst="0.0.0.0:0" msg="name=wan,status=1000M/Full,TxPkts=172906055,RxPkts=224208875,Collision=0,TxB/s=8751,RxB/s=27903" note="INTERFACE STATISTICS" user="unknown" devID="bccf4fd0c8a7" cat="INTERFACE STATISTICS"

Could you have a look at this issue ?
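Added example, not part of the original post and not Zyxel or Telegraf code: a small normalizer a log relay could apply in front of a strict RFC 3164 parser. It detects the 2- or 4-digit year that follows the TIMESTAMP, removes it from the header and returns it separately. The function and variable names are assumptions, and the sample lines reuse the headers quoted in this thread with the message body trimmed.

```python
import re
from typing import NamedTuple, Optional

# PRI, then the RFC 3164 TIMESTAMP ("Mmm dd hh:mm:ss", day space-padded),
# then an optional 2- or 4-digit year that must be followed by another token.
# Caveat: a hostname made of exactly 2 or 4 digits would be taken for a year.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<year>\d{4}|\d{2}) (?=\S))?"
    r"(?P<rest>\S.*)$",
    re.DOTALL,
)

class Normalized(NamedTuple):
    message: str          # header rewritten as PRI TIMESTAMP HOSTNAME ...
    year: Optional[int]   # year found after the TIMESTAMP, or None
    facility: int         # PRI // 8
    severity: int         # PRI % 8

def normalize_rfc3164(raw: str) -> Normalized:
    """Strip a stray year field so a strict RFC 3164 parser accepts the line."""
    m = HEADER.match(raw)
    if m is None:
        raise ValueError("no RFC 3164 PRI/TIMESTAMP header found")
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI: facility 23, severity 7
        raise ValueError(f"PRI {pri} out of range")
    year = int(m["year"]) if m["year"] else None
    message = f"<{m['pri']}>{m['ts']} {m['rest']}"
    return Normalized(message, year, pri >> 3, pri & 0x07)

# Sample input: headers as quoted in the thread, message body trimmed.
SAMPLE_USG = ('<149>Jan 26 16:54:41 2024 usgflex100 src="0.0.0.0:0" '
              'dst="0.0.0.0:0" cat="INTERFACE STATISTICS"')
SAMPLE_CEF = ('<141>Jan 29 09:19:45 usgflex100 CEF:0|ZyXEL|USG FLEX 100|'
              '5.37(ABUH.1)|0|INTERFACE STATISTICS|5|devID=bccf4fd0c8a7')

if __name__ == "__main__":
    for line in (SAMPLE_USG, SAMPLE_CEF):
        print(normalize_rfc3164(line))
```

Conformant lines, including the "CEF/syslog" output, pass through unchanged, so the same shim can sit in front of mixed sources.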

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Answer ✓

    Hi @CRPilote ,

    Thank you for your feedback.

    We will have firmware in February to comply with the RFC.

    Thank you

All Replies

  • WJS
    WJS Posts: 155  Master Member

    How about CEF format? Does it work?

  • CRPilote
    CRPilote Posts: 4

    When set to "CEF/syslog", the hostname is correctly placed after the timestamp and there is no misplaced year:

    <141>Jan 29 09:19:45 usgflex100 CEF:0|ZyXEL|USG FLEX 100|5.37(ABUH.1)|0|INTERFACE STATISTICS|5|devID=bccf4fd0c8a7 dvchost=usgflex100 msg=name:lan1,status:Up,TxPkts:248499559,RxPkts:272512530,Collision:0,TxB/s:191375,RxB/s:41121 cat=INTERFACE STATISTICS ZYlevel=notice ZYnote=INTERFACE STATISTICS

    So it seems to be a bug that concerns only the "syslog" setting, not "CEF/syslog".

    Sadly, using CEF is not a solution for me, as I need to use the normal syslog, not the CEF format.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee

    Hi @CRPilote ,

    Greetings Forum,

    Thank you for your feedback, we're checking on it.

    Kevin

  • CRPilote
    CRPilote Posts: 4

    Thanks Kevin,
    I look forward to getting it.

  • nodens
    nodens Posts: 1

    Hi,

    FYI, I have the exact same issue on the NXC2500 controller. A fix for this one would be appreciated as well.

  • Issue not resolved with update to V5.37(ABUH.2) Released Date: 2024-01-20 06:18:36

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee

    Hi @CRPilote ,

    Will release another firmware for you. Not in the official firmware.

    Thank you for your patience.

    Kevin
