[Syslog] RFC3164 Acquisition does not handle relayed packets #2839
LaurenceJJones changed the title from "[Syslog] RFC3164 Acquisition does not handled relayed packets" to "[Syslog] RFC3164 Acquisition does not handle relayed packets" on Feb 12, 2024
@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage. In the meantime, you can:
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
What happened?
https://www.rfc-editor.org/rfc/rfc3164
RFC3164 specifies that if the packet is relayed between syslog servers, the server should put itself as a HOST within the syslog line. Our current RFC3164 parser does not expect relayed packets.
Example:
This packet is an internal relay from Unifi and fails both RFCs due to the same hostname appearing twice.
Linked to hub item crowdsecurity/hub#940
What did you expect to happen?
Handle relayed packets between syslog servers
How can we reproduce it (as minimally and precisely as possible)?
WIP
Anything else we need to know?
No response
Crowdsec version
OS version
Enabled collections and parsers
Acquisition config
On Windows:
C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
paste output here
Config show
Prometheus metrics
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
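A sketch of a parser that tolerates the relayed form described in this issue, added here as an illustration and not taken from the CrowdSec code base. It assumes the relayed line carries the same hostname twice before the TAG (the issue's own example packet is not on the page); `ParseRelayed`, `Header` and the sample line are hypothetical and constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Header holds the RFC3164 fields recovered from one syslog line.
type Header struct {
	Pri                       int
	Timestamp, Host, Tag, Msg string
	Relayed                   bool // a duplicated HOSTNAME token was dropped
}

var (
	// <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-line
	headerRe = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$`)
	// TAG, optional [pid], colon, content
	tagRe = regexp.MustCompile(`^([A-Za-z0-9_./-]+)(?:\[\d+\])?: ?(.*)$`)
)

// ParseRelayed parses an RFC3164 line and tolerates one repeated HOSTNAME.
func ParseRelayed(line string) (Header, error) {
	m := headerRe.FindStringSubmatch(line)
	if m == nil {
		return Header{}, fmt.Errorf("not an RFC3164 header: %q", line)
	}
	pri, _ := strconv.Atoi(m[1]) // digits are guaranteed by headerRe
	if pri > 191 {               // highest valid PRI: facility 23 * 8 + severity 7
		return Header{}, fmt.Errorf("PRI %d out of range", pri)
	}
	h := Header{Pri: pri, Timestamp: m[2], Host: m[3], Msg: m[4]}
	// Assumption: the relay repeats the same hostname before the TAG. Drop it only
	// when a well-formed TAG follows, so free text starting with the hostname survives.
	if dup, after, ok := strings.Cut(h.Msg, " "); ok && dup == h.Host && tagRe.MatchString(after) {
		h.Msg, h.Relayed = after, true
	}
	if t := tagRe.FindStringSubmatch(h.Msg); t != nil {
		h.Tag, h.Msg = t[1], t[2]
	}
	return h, nil
}

func main() { // constructed sample line, not taken from the issue
	fmt.Println(ParseRelayed("<30>Feb 12 10:15:02 gw01 gw01 sshd[4321]: Failed password for root from 192.0.2.10 port 51234 ssh2"))
}
```

The `Relayed` flag lets downstream parsers see that the line was normalised instead of silently rewriting it.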