GL Documentation states that we support both “Non-Transparent-Framing” and "octet-counting" mode for syslog.
However, a CEF TCP input is not able to handle "octet-counting" mode: multiple messages appear to be parsed as a single, excessively long message, leading to confusing errors.
Customer scenario
Fortinet recommended enabling "enhanced logging," which switched the firewalls over to using the "reliable TCP" mode of transmission; this is an octet-counting CEF format. Our CEF input appeared to stop working with no good diagnostic information in the log file.
Customer impact
In the Fortinet scenario, the customer was able to simply revert to the previous format. However, the CEF input was offline for a considerable amount of time while troubleshooting the issue. Messages sent during this time were lost.
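To illustrate the framing difference behind this report, here is an added Python example (not Graylog code) that splits a TCP byte stream under both RFC 6587 framings and shows why a splitter that only understands non-transparent framing never finds a message boundary in an octet-counted stream. The CEF events, host and addresses in the sample are constructed.

```python
"""RFC 6587 framing demo: a TCP input must split the byte stream with whichever
framing the sender chose.  An LF-only splitter fed an octet-counted stream just
keeps buffering, which surfaces as one excessively long message."""
from typing import List, Tuple

MAX_LEN_DIGITS = 10  # bound on the MSG-LEN field so garbage cannot stall the parser


def split_non_transparent(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Non-transparent framing: each message ends with LF.  Returns (messages, unconsumed tail)."""
    msgs: List[bytes] = []
    while (idx := buf.find(b"\n")) >= 0:
        msgs.append(buf[:idx])
        buf = buf[idx + 1:]
    return msgs, buf


def split_octet_counted(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Octet-counting: '<MSG-LEN> <SYSLOG-MSG>' frames back to back, no terminator."""
    msgs: List[bytes] = []
    while buf:
        sp = buf.find(b" ", 0, MAX_LEN_DIGITS + 1)
        if sp <= 0 or not buf[:sp].isdigit():
            raise ValueError("malformed octet-count header: %r" % buf[:16])
        n, start = int(buf[:sp]), sp + 1
        if len(buf) < start + n:
            return msgs, buf  # partial frame: keep buffering until the rest arrives
        msgs.append(buf[start:start + n])
        buf = buf[start + n:]
    return msgs, b""


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Pick the framing from the first byte: a digit means octet-counting
    (a syslog message starts with '<PRI>' and a bare CEF line with 'CEF:')."""
    return split_octet_counted(buf) if buf[:1].isdigit() else split_non_transparent(buf)


def frame_octet_counted(msgs: List[bytes]) -> bytes:
    """Encode messages the way a 'reliable TCP' (octet-counting) sender does."""
    return b"".join(b"%d %s" % (len(m), m) for m in msgs)


# Constructed sample: three CEF events arriving in a single TCP segment.
SAMPLE_MSGS = [
    b"<134>CEF:0|Fortinet|FortiGate|6.4.0|0001|traffic|3|src=10.0.0.5 dst=10.0.0.9",
    b"<134>CEF:0|Fortinet|FortiGate|6.4.0|0002|traffic|3|src=10.0.0.6 dst=10.0.0.9",
    b"<132>CEF:0|Fortinet|FortiGate|6.4.0|0003|utm|5|src=10.0.0.7 dst=203.0.113.4",
]
STREAM = frame_octet_counted(SAMPLE_MSGS)
```

`split_non_transparent(STREAM)` yields no messages and the whole stream as unconsumed tail, which is the failure mode in this report; `split_frames(STREAM)` returns the three events.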
References
https://docs.graylog.org/en/4.0/pages/sending/syslog.html
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45621
https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-00-23/CommonEventFormatV25.pdf
https://datatracker.ietf.org/doc/html/rfc6587
https://datatracker.ietf.org/doc/html/rfc5424
HS-441221484