RFC5424 messages are not displayed in seq

[gprossliner]

Hi! For testing I have a very basic docker-compose setup to see how syslog messages are displayed in seq. Any RFC5424 message is not displayed at all, and no error is logged in the seq-input-syslog container. RFC3164 messages are displayed fine.

version: '3.8'
services:
  seq:
    image: datalust/seq:latest
    ports:
      - 5341:80
    volumes:
      - seq-data:/data
    environment:
      - ACCEPT_EULA=Y

  seq-input-syslog:
    image: datalust/seq-input-syslog:latest
    ports:
      - "514:514/udp"
    environment:
      - SEQ_ADDRESS=http://seq:80
      - SYSLOG_ENABLE_DIAGNOSTICS=True

volumes:
  seq-data:

I use nc to send the messages and tried the same messages as in the tests of syslog.rs:

# RFC5424 examples
echo "<30>1 2020-02-13T00:51:39.527825Z docker-desktop 8b1089798cf8 1481 8b1089798cf8 - hello world" | nc -u -w1 localhost 514

echo "<30>1 2020-02-13T00:51:39Z " | nc -u -w1 localhost 514

echo "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - \xEF\xBB\xBF\xE2\x80\x99su root\xE2\x80\x99 failed for lonvick on /dev/pts/8" | nc -u -w1 localhost 514

echo "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts." | nc -u -w1 localhost 514

echo "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] \xEF\xBB\xBFAn application event log entry..." | nc -u -w1 localhost 514

echo "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"]" | nc -u -w1 localhost 514

echo "<0>1 - - - - - -" | nc -u -w1 localhost 514

# RFC3164 examples
echo "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8" | nc -u -w1 localhost 514

echo 'Use the BFG!' | nc -u -w1 localhost 514

This is the result in seq:

• Why are most messages not shown correctly here?
• Why I don't get the timestamps of the messages but the server timestamps?

Can anyone see the error here?

[nblumhardt]

Thanks for raising this. We'll loop back and take a look when we can, but if you're able to tack some test cases onto the ones here:

https://github.com/datalust/seq-input-syslog/blob/dev/squiflog/src/data/syslog.rs#L259

and run cargo test, that might show something up pretty quickly. HTH!

[gprossliner]

I'm not really into rust, but I can try to get these running if that helps. I think they may even run ok actually, as they test parsing specific protocols only. I checked on the source where the distinction between both protocol is made. But I was not able to come to that (bc I really don't know rust). Based on the message 1 2020-02-13T00:51:39Z it looks like a RFC5424 message is parsed as a RFC3164 one.

[nblumhardt]

That's interesting - thanks - we'll dig in as soon as we have a chance 👍