RFC 3164 Hostname handling

I have TrueNAS configured to forward syslog to Graylog. Looking at the received messages, they appear to be in RFC 3164 format and not RFC 5424. Annoying, but workable.

But the issue I’m seeing is that while Graylog correctly parses out the hostname and sets it as the source, it also includes the hostname in the message. This doesn’t happen with the RFC 5424 messages from my other services.

This also does not seem to be the same situation as the FreeBSD RFC 3164 issue posted here, but it does illustrate the duplication in the screenshot. Syslog messages from FreeBSD not parsed correctly - #3 by einsibjani

Greetings!

As I understand it, we're parsing syslog as defined exactly by the RFC (both 3164 and 5424). 5424 is highly preferable and recommended, but I understand if the device cannot send 5424.

My recommendations are:

Hope that helps!

It’s a bug AFAICT. Here is an example of the full message received.

<78>Jan 1 12:15:00 nas.example 1 1970-01-01T12:15:00.005048-00:00 nas.example /usr/sbin/cron 61898 - - (root) CMD (/usr/libexec/atrun)

Graylog correctly assigns nas.example as the source but the message gets set to the following.

nas.example 1 1970-01-01T12:15:00.005048-00:00 nas.example /usr/sbin/cron 61898 - - (root) CMD (/usr/libexec/atrun)

The hostname is not part of the message. Message should be set to this.

1 1970-01-01T12:15:00.005048-00:00 nas.example /usr/sbin/cron 61898 - - (root) CMD (/usr/libexec/atrun)
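To make the split the post above describes concrete, here is an added example (not Graylog's parser and not code from anyone in this thread) that parses the posted line as RFC 3164 defines it: PRI, then TIMESTAMP, then HOSTNAME, then everything after the following space is MSG, so HOSTNAME never lands in the message field. Because the TrueNAS payload is itself a complete RFC 5424 header, the example also pulls APP-NAME, PROCID and the trailing free text out of that inner part. The sample line is a copy of the one posted above; the function and field names, the regular expressions and the `strip_duplicated_hostname` workaround are this example's own construction and are not part of Graylog.

```python
"""Parse an RFC 3164 syslog line and keep HOSTNAME out of MSG.

Added example for this thread, not Graylog code.  The sample line is a
copy of the one posted above; everything else (names, regexes, the
inner 5424 sub-parse) is this example's own construction.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the message posted in the thread.
SAMPLE = ("<78>Jan 1 12:15:00 nas.example 1 1970-01-01T12:15:00.005048-00:00 "
          "nas.example /usr/sbin/cron 61898 - - (root) CMD (/usr/libexec/atrun)")

# RFC 3164 section 4.1: PRI, then TIMESTAMP "Mmm dd hh:mm:ss" (the day is
# space padded to two characters, but the forum rendering collapsed that,
# so one or two spaces are accepted), then HOSTNAME, then MSG is the rest.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# RFC 5424 section 6: VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG].  The TrueNAS line carries a full
# 5424 header inside the 3164 MSG, so the inner part is parsed as well.
RFC5424_RE = re.compile(
    r"^1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)


@dataclass
class Syslog3164:
    facility: int
    severity: int
    timestamp: str
    source: str                       # the HOSTNAME field (Graylog's "source")
    message: str                      # MSG only, HOSTNAME not included
    app_name: Optional[str] = None    # filled when MSG is itself RFC 5424
    procid: Optional[str] = None
    inner_message: Optional[str] = None


def parse_rfc3164(line: str) -> Syslog3164:
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                     # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI {pri} out of range")
    rec = Syslog3164(
        facility=pri >> 3,            # 78 -> 9 (cron)
        severity=pri & 7,             # 78 -> 6 (informational)
        timestamp=m["timestamp"],
        source=m["hostname"],
        message=m["msg"],
    )
    inner = RFC5424_RE.match(rec.message)
    if inner:
        rec.app_name = inner["app"]
        rec.procid = inner["procid"]
        rec.inner_message = inner["msg"]
    return rec


def strip_duplicated_hostname(source: str, message: str) -> str:
    """Workaround for the behaviour reported above: if a parser copied
    HOSTNAME onto the front of MSG, drop that single leading copy.  Only
    the first token is checked, so a hostname that legitimately appears
    later in MSG (as in the inner 5424 header here) is left untouched."""
    prefix = source + " "
    return message[len(prefix):] if message.startswith(prefix) else message


if __name__ == "__main__":
    rec = parse_rfc3164(SAMPLE)
    print(rec)
    # What the thread reports Graylog storing, and the repaired form.
    observed = rec.source + " " + rec.message
    print(strip_duplicated_hostname(rec.source, observed) == rec.message)
```

Run stand-alone, the script prints the parsed record with `source='nas.example'` and a `message` that starts with `1 1970-01-01T...`, which is the value the post above says the message field should hold. The `strip_duplicated_hostname` check is the logic you would put in a pipeline rule while waiting on a fix: it only removes one leading copy of the source, so the `nas.example` inside the 5424 header survives.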

I’ve added a comment to the issue you opened (thank you for that!). You are correct, it does appear Graylog is adding the hostname (from the header portion of the syslog, per both RFCs) to the message portion.
