[[inputs.syslog]]
server = "udp://:6514"
CentOS 7 with official Docker container 1.7.4
Syslog messages sent from a network switch.
Receive the following error message every time telegraf receives a syslog message:
E! Error in plugin [inputs.syslog]: expecting a version value in the range 1-999 [col 5]
Can you capture a syslog message? It might be a bit different with docker container but it should be something along the lines of:
sudo tcpdump -A -i lo 'udp port 6514' -w syslog.pcap
There is a good chance this is the same issue as #4593, but we will be able to tell from the packet capture.
Hi,
I did not have the chance to do my packet capture yet but I do confirm that my equipment does support syslog RFC 5424. I went through the RFC 5424 and they refer to IANA for version registration. In both the RFC and IANA document, there seems to be only Version 1 registered. I will confirm if the version number is sent from my switch, but would it be a good idea to use version 1 if the version number is not provided in the message?
Here is the packet capture. As I was expecting, there is no version between the priority field and the date.
syslog_packet.zip
I have the same issue with Telegraf v1.7.3
Sample packet below.

Both captures are in RFC3164 format, you can quickly tell because the log time is not in RFC3339 format.
I will add some additional documentation around this issue but please watch #4593 for the latest updates on adding support. You might also be able to use the workaround in that issue, using rsyslog to perform the conversion.
Haha that's a good point! I will forward the info to the manufacturer so he modifies its datasheet or code! I will follow your thread for sure! Thanks for the help.
A parser for RFC3164 is in the making but not top priority right now.
A branch living here https://github.com/influxdata/go-syslog/tree/feature/rfc3164 exists.
@danielnelson should this be closed for now?
I added a little blurb about RFC 3164 support. We will keep #4593 open as a feature request until we have support.
https://github.com/influxdata/telegraf/tree/master/plugins/inputs/syslog#rfc3164
Could you give me a hint for adopting rfc3164 syslog message?
I don't understand "You can use rsyslog to translate RFC3164 syslog messages into RFC5424 format."
RSYSLOG is a popular syslog daemon which comes preinstalled on all major Linux distributions, it will accept syslog messages in RFC3164 format and can relay them to Telegraf in RFC5424 format. Check the readme for this plugin for some info about configuring rsyslog -> Telegraf communication.
By chance I just posted a blog post about the setup of the telegraf syslog input plugin with rsyslog.
It presents the whole setup (with companion code) but if you are only interested in rsyslog and its scripting/configuration probably you can jump to the appendix of the blog post.
Thank you so much, but I tried translation forwarding and some logs do not seem to convert to the new format. So I decided to make my own version to accept the old syslog format!
I also don't understand "You can use rsyslog to translate RFC3164 syslog messages into RFC5424 format.". The blog post linked by leodido doesn't seem to address this issue, and in the readme of the plugin it states how to configure forwarding, but not translation.
A resource where the translation is exemplified would be very useful. I imagine creating a rsyslog TCP input, ... but then?
@phromo The translation between formats should happen as part of the rsyslog forwarding. Could you open a new issue requesting documentation for this setup?
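The two formats this thread contrasts, as an added example that is not code from the Telegraf project or from anyone in the thread: it tells RFC 3164 from RFC 5424 the way the maintainer describes (a version field followed by an RFC 3339 timestamp), shows why a 3164 line trips the "expecting a version value" error at the column right after the PRI field, and rewrites a 3164 line into 5424 the way a relay such as rsyslog does before forwarding to Telegraf. The sample messages, hostnames, and the year and timezone passed to the rewrite are constructed assumptions, since 3164 timestamps carry neither.

```python
"""Classify syslog datagrams as RFC 3164 or RFC 5424 and rewrite 3164 -> 5424.

Added example for the Telegraf syslog-input discussion; not Telegraf or
go-syslog code. Samples below are constructed, not taken from the captures
attached to the issue.
"""
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,3}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\S+) "        # RFC 3339 timestamp or NILVALUE "-"
)
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed samples (assumed switch hostname, tag and text).
SAMPLE_3164 = "<190>Aug  5 10:15:30 sw-core01 switchd[142]: port 3 link down"
SAMPLE_5424 = "<190>1 2018-08-05T10:15:30Z sw-core01 switchd 142 - - port 3 link down"


def classify(line):
    """Return 'rfc5424', 'rfc3164' or 'unknown' for one syslog datagram."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "unknown"


def version_column(line):
    """Column where an RFC 5424 parser expects VERSION: right after '<PRI>'.

    On a 3164 line that column holds the first letter of the month name,
    which is what the 'expecting a version value ... [col N]' error refers
    to; with a three-digit PRI it is column 5, as in the error in this thread.
    """
    close = line.find(">")
    return close + 1 if line.startswith("<") and close > 0 else None


def facility_severity(line):
    """Split PRI into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def to_rfc5424(line, year, tz="Z"):
    """Rewrite an RFC 3164 line as RFC 5424, as a relay such as rsyslog does.

    3164 timestamps have no year and no zone, so both come from the caller
    (assumption: the sender's clock is in the zone named by `tz`).
    MSGID and STRUCTURED-DATA do not exist in 3164 and become NILVALUE '-'.
    """
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    ts = f"{year:04d}-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}T{m['time']}{tz}"
    # Validate the date we built (e.g. 'Feb 30' must be rejected, not forwarded).
    datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
    pid = m["pid"] or "-"
    head = f"<{m['pri']}>1 {ts} {m['host']} {m['tag']} {pid} - -"
    return f"{head} {m['msg']}" if m["msg"] else head


if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        print(classify(sample), "version expected at col", version_column(sample))
    print(to_rfc5424(SAMPLE_3164, year=2018))
```

In rsyslog the same rewrite is what the built-in RSYSLOG_SyslogProtocol23Format template produces when it is used on the forwarding action toward Telegraf; the Python above only makes that transformation visible. Because a 3164 message carries neither year nor zone, the rewritten timestamp is only as trustworthy as the values supplied at the relay, which is worth keeping in mind when these logs later feed an incident timeline.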