wintermute_uk
Oct 09, 2023 (Aspirant)
Syslog TCP | logs truncate via UDP
Problem:
- Logs with a length greater than 1033 chars truncate using syslog (UDP)
- There is no option for Syslog via TCP in the WAX series products
- I am sending logs to a linux syslog platform running syslog-ng and then onwards to Splunk via a UF
- Firmware 10.6.1.1
Request:
- Please add TCP as a feature option to the product
- This will resolve the truncate issue
Example:
- NDDMP messages:
Oct 9 15:34:12 192.168.1.x nddmp[3598]: NDDMP Debug : handling Dashboard API 4933 : {"count":"2","refNum":"1696862052","moreFlag":"0","cliList":[{"clientIpAddress":"192.168.175.x","macAddress":"C2-6C-96-xx-xx-xx","hostName":"C2-6C-96-xx-xx-xx","txRate":"864.70 Mbps","rxRate":"172.10 Mbps","associatedSsid":"xxxxxx _nomap _optout","deviceOs":"iOS","deviceType":"Mobile/Tablet","Mode":"11AX","stationStatus":"Authenticated","bssid":"9C-C9-EB-xx-xx-xx","channel":"36","channelWidth":"20/40/80 MHz","rssi":"36","state":"QOS/HT/VHT/HE","type":"wpa3","idletime":"16","assocTimeStamp":"00:02:58", "txBytes":"39919","rxBytes":"17419","vlanID":"175","Username":"Not Applicable"},{"clientIpAddress":"192.168.x.xx","macAddress":"A4-83-E7-xx-xx-xx","hostName":"xxxx-iMac","txRate":"866.70 Mbps","rxRate":"780 Mbps","associatedSsid":"xxxxx _nomap _optout","deviceOs":"Unknown Device OS","deviceType":"Unknown Device Type","Mode":"11AC","stationStatus":"Authenticated","bssid":"9C-C9-EB-3A-D1-A1","channel":"36","channelWidth":"20/40/80 MHz"
Splunk:
- The below is an example 7-day search showing the max length
index=wifi | eval len = len(_raw) | stats max(len)
1033
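An added check (not from the original post or from NETGEAR) that the syslog-ng side can run over forwarded lines to flag NDDMP messages that arrived cut off: it looks for the "handling Dashboard API <n> :" marker the post's example shows, tries to parse the JSON body, and reports parse failures together with the line length, since a parse failure on a line sitting at the observed 1033-character cap is the signature of UDP truncation. The prefix, client entries and the 1033 cap are constructed to mirror the post's example; nothing here is real device output.

```python
import json
import re

# Marker preceding the JSON body in the NDDMP debug messages quoted in the post.
NDDMP_JSON = re.compile(
    r"nddmp\[\d+\]: NDDMP Debug : handling Dashboard API \d+ : (?P<body>\{.*)$")
# Longest line the post observed arriving over UDP (stats max(len) = 1033).
OBSERVED_MAX_LEN = 1033
# Constructed syslog prefix in the shape of the post's example (not real device output).
PREFIX = ("Oct  9 15:34:12 192.168.1.10 nddmp[3598]: NDDMP Debug : "
          "handling Dashboard API 4933 : ")


def make_payload(n_clients: int) -> str:
    """Constructed NDDMP-style Dashboard API JSON with n_clients station entries."""
    clients = [{"clientIpAddress": f"192.168.175.{i}", "macAddress": f"C2-6C-96-00-00-{i:02X}",
                "stationStatus": "Authenticated", "vlanID": "175"}
               for i in range(1, n_clients + 1)]
    return json.dumps({"count": str(n_clients), "cliList": clients})


def check_nddmp_line(line: str) -> dict:
    """Classify one line: NDDMP payload or not, JSON parsed or not, clients decoded,
    and whether the length sits at the UDP cap (parse failure at the cap = truncation)."""
    result = {"length": len(line), "nddmp": False, "parsed": False,
              "at_cap": len(line) >= OBSERVED_MAX_LEN, "clients": 0}
    m = NDDMP_JSON.search(line)
    if not m:
        return result
    result["nddmp"] = True
    try:
        payload = json.loads(m.group("body"))
        result["parsed"] = True
        result["clients"] = len(payload.get("cliList", []))
    except json.JSONDecodeError:
        pass  # body cut mid-object; parsed stays False
    return result


def truncated_lines(lines) -> list:
    """Indexes of NDDMP lines whose JSON body failed to parse (likely truncated)."""
    return [i for i, line in enumerate(lines)
            if (r := check_nddmp_line(line))["nddmp"] and not r["parsed"]]


# Constructed sample: a full message well over the cap, and the same message as the
# UDP collector would record it, cut at 1033 characters.
FULL_LINE = PREFIX + make_payload(12)
UDP_LINE = FULL_LINE[:OBSERVED_MAX_LEN]
```

Running the classifier as a syslog-ng post-processing step or a scheduled Splunk-side check gives a count of truncated messages per day, which is the number that shows whether a transport change or a shorter MSG part fixed the problem.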
- schumaku (Guru - Experienced User)
wintermute_uk wrote:
Request:
- Please add TCP as a feature option to the product
No way. According to RFC3164, syslog only makes use of UDP.
This is backed by the IANA definition:
The syslog protocol has been assigned UDP port 514. This port assignment will be maintained by IANA exclusively for this protocol.
Last, according to RFC3164 section 4.1, Syslog Message Parts:
The full format of a syslog message seen on the wire has three discernable parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG. The total length of the packet MUST be 1024 bytes or less. There is no minimum length of the syslog message although sending a syslog packet with no contents is worthless and SHOULD NOT be transmitted.
Time for some brainstorming for Netgear to shorten this over-long text in the MSG part?
- wintermute_uk (Aspirant)
Hey schumaku, it's good to review credible docs such as the IETF's, but I'm afraid your data is out of date. Many platforms now offer SSL / TCP or UDP based transmission of Syslog. Syslog is both a message format and a method of transport, and there are more up-to-date IETF docs mentioning TCP-based transmission.
I'm a cyber security professional and I regularly work with platforms such as Palo Alto Firewalls (a market leader) and for the benefit of the discussion I have taken a screenshot of what top tier vendors offer:
Netgear should offer it as a Layer 4 Transport protocol to transmit the Syslog messages.
- schumaku (Guru - Experienced User)
Perfectly understand the aim of enhancing security for the decades-old BSD syslog - in fact TLS is the preferred way over UDP - it's part of the RFC5424 transport proposal. Naked TCP isn't. Don't remember when exactly we started adding TLS to enterprise log-collecting applications ... things I did in my previous life, around the Y2K change times. From there I am aware of the limited data sizes supported either way. Note: I don't speak for Netgear here, I'm not carrying a Netgear badge, nor am I paid or compensated in any way for the effort I'm putting in here in the Netgear Community.