> A relay will add a TIMESTAMP and SHOULD add a HOSTNAME as follows and will treat the entire received packet after the PRI part from the original packet as the CONTENT field of the new packet. The value used in the HOSTNAME field is only the hostname without the domain name as it is known by the relay. A TAG value will not be added to the relayed packet. While the inclusion of the domain name and IPv4 address in the original message is a noble endeavor, it is not consistent with the use of the field as described in Section 4.1.2.
>
> ```
> <0>Oct 22 10:52:12 scapegoat 1990 Oct 22 10:52:01 TZ-6
> scapegoat.dmz.example.org 10.1.2.3 sched[0]: That's All Folks!
> ```
RFC3164 specifies that if the packet is relayed between syslog servers, the server should put itself as a HOST within the syslog line. Our current RFC3164 parser does not expect relayed packets.
How can we reproduce it (as minimally and precisely as possible)?
WIP
Anything else we need to know?
No response
Crowdsec version
```console
$ cscli version
# paste output here
```
OS version
```console
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here
# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here
```
Enabled collections and parsers
```console
$ cscli hub list -o raw
# paste output here
```
Acquisition config
```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here
```
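The RFC 3164 passage quoted at the top of this issue describes the relayed form: a relay prepends its own TIMESTAMP and HOSTNAME, adds no TAG, and carries the whole original packet after its PRI as CONTENT. The following Go program is an added example, not crowdsec's own parser or hub code, showing how a parser can recognise that shape by checking whether the text after a header is itself another TIMESTAMP, and peel off one header per hop while keeping both the relay and the originating hostname. The type and function names (`Header`, `Message`, `Parse`), the bound `maxRelayHops`, and the relay host `relay1` in the constructed sample are assumptions of this example; the sample packet itself is the RFC 3164 "su" example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Header is one "TIMESTAMP HOSTNAME" pair; each relay hop prepends one.
type Header struct {
	Timestamp string
	Hostname  string
}

// Message is an RFC 3164 packet with any relay headers peeled off.
type Message struct {
	Priority int
	Relays   []Header // last relay first; empty when not relayed
	Origin   Header   // header written by the originating host
	Tag      string
	Content  string
}

// maxRelayHops is an assumed defensive bound; deeper nesting is rejected, not parsed.
const maxRelayHops = 8

// timestampRe matches "Mmm dd hh:mm:ss" (day space-padded) plus its trailing space.
var timestampRe = regexp.MustCompile(
	`^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (?: [1-9]|[12][0-9]|3[01]) ` +
		`(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9] `)

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// parseHeader consumes "TIMESTAMP HOSTNAME " from the front of s.
func parseHeader(s string) (Header, string, bool) {
	loc := timestampRe.FindStringIndex(s)
	if loc == nil {
		return Header{}, s, false
	}
	rest := s[loc[1]:]
	sp := strings.IndexByte(rest, ' ')
	if sp <= 0 {
		return Header{}, s, false
	}
	return Header{Timestamp: s[:loc[1]-1], Hostname: rest[:sp]}, rest[sp+1:], true
}

// Parse handles both "<PRI>TIMESTAMP HOSTNAME TAG: CONTENT" and the relayed form
// "<PRI>TIMESTAMP RELAYHOST <original packet after its PRI>".
func Parse(raw string) (Message, error) {
	var msg Message
	end := strings.IndexByte(raw, '>')
	if len(raw) < 3 || raw[0] != '<' || end < 1 || end > 4 {
		return msg, errors.New("malformed PRI")
	}
	pri, err := strconv.Atoi(raw[1:end])
	if err != nil || pri < 0 || pri > 191 {
		return msg, errors.New("PRI out of range")
	}
	msg.Priority = pri
	hdr, rest, ok := parseHeader(raw[end+1:])
	if !ok {
		return msg, errors.New("missing TIMESTAMP/HOSTNAME header")
	}
	// A relay adds TIMESTAMP and HOSTNAME but no TAG, so if the remainder starts
	// with another TIMESTAMP, the header just read belonged to a relay hop.
	for {
		inner, after, isRelay := parseHeader(rest)
		if !isRelay {
			break
		}
		if len(msg.Relays) >= maxRelayHops {
			return msg, errors.New("too many relay headers")
		}
		msg.Relays = append(msg.Relays, hdr)
		hdr, rest = inner, after
	}
	msg.Origin = hdr
	// TAG is alphanumeric, at most 32 bytes, ended by ':' or '['; "[pid]" stays in Content.
	i := 0
	for i < len(rest) && i < 32 && isAlnum(rest[i]) {
		i++
	}
	if i == 0 {
		return msg, errors.New("missing TAG")
	}
	msg.Tag = rest[:i]
	msg.Content = strings.TrimSpace(strings.TrimPrefix(rest[i:], ":"))
	return msg, nil
}

// Constructed samples: the RFC 3164 "su" example as sent by its origin, and the same
// packet after a hypothetical relay "relay1" prepended its own header (no TAG added).
const (
	sampleDirect  = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
	sampleRelayed = "<34>Oct 11 22:14:20 relay1 Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
)

func main() {
	m, err := Parse(sampleRelayed)
	fmt.Printf("%+v err=%v\n", m, err)
}
```

Because the relay layer is inferred purely from the shape of the text, an originating host can emit content that looks like a relay header; the parser therefore records every hostname it saw in `Relays` and `Origin` instead of silently picking one, so downstream scenarios can compare the claimed origin against the relay the collector actually received from.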
LaurenceJJones changed the title from "[Syslog] RFC3164 Acquisition does not handled relayed packets" to "[Syslog] RFC3164 Acquisition does not handle relayed packets" on Feb 12, 2024.
Check Releases to make sure your agent is on the latest version.
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
What happened?
https://www.rfc-editor.org/rfc/rfc3164
Example:
This packet is an internal relay from Unifi and fails both RFCs due to the same hostname appearing twice.
Linked to hub item crowdsecurity/hub#940
What did you expect to happen?
Handle relayed packets between syslog servers
```console
# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here
```
Config show
Prometheus metrics
Related custom configs versions (if applicable): notification plugins, custom scenarios, parsers, etc.