Currently Kiwi Syslog Server 9.x release supports syslog based on RFC 3164. Are there any plans to add support for RFC 5424 in a future release?
Thank you,
David
Hi Computer99,
The difficulty is that RFC5424 defines a completely different format for Syslog messages. As a result, we would need to add support for both within Kiwi Syslog Server and we would need to add a parser to detect the format of every single incoming syslog message. This would considerably slow down the amount of volume Kiwi Syslog Server can handle. Also,
- When writing the messages to log files, you would end up with 2 different formats within a log file, making it impossible to import into a spreadsheet or database application.
- When writing the messages to a database, the format of one would not match the data table's fields and the insert would fail.
The only way around this would be to convert one format into the other format, which is an entirely different can of worms in itself.
Nevertheless, it is still something we can consider with enough demand. Currently you are the first one to request this, that I am aware of.
Sincerely,
Chris Foley • SolarWinds • Technical Support
Office Hours: Mon-Fri 8AM-5PM EST 866.530.8040
Thanks for the quick answer Chris!
I have not personally run across any devices that are not supporting RFC 3164 yet, but I'm sure we will see more and more. Especially since the message content is structured.
Here's how I would go about handling it though... Setup Option under Inputs \ UDP - Support for RFC 5424 [] check box.
All RFC 3164 messages should be converted to RFC 5424 and allow NULL values for those messages. It's not the best implementation, but it would allow Kiwi users the option to use it or not and would not slow down the message processing as much as trying to determine which format the Syslog messages are in.
Yes, we would have to re-structure our database tables, possibly separate our log files, and fix our parsing routines in many cases, but only if we check the "RFC 5424 Support" check box in setup. Otherwise our 3164 formatted messages will continue to come in just fine and the RFC 5424 messages will be outcasts.
If you can move this to feature requests, I'll put my vote in.
Please could you outline the current behaviour of Kiwi when it receives an RFC 5425 compliant Syslog message with no STRUCTURED-DATA?
I am interested in how it handles a UTF-8 BOM before the MSG component. Will it handle this situation gracefully?
I am engaging with Aerohive to see if they can correct their use of Syslog to conform with the current RFC. They have customers who use Kiwi for SSO purposes with a script and need to know how it will handle such a change.
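The two cases raised in this thread, telling RFC 3164 from RFC 5424 on arrival and reading a 5424 message that has NILVALUE STRUCTURED-DATA and a UTF-8 BOM before MSG, as an added Python example. It is not Kiwi Syslog Server code or anything posted by the participants; the function names, host name and sample datagrams are constructed for illustration.

```python
import re

BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark that RFC 5424 places before MSG-UTF8
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_5424 = re.compile(rb"<(\d{1,3})>([1-9]\d{0,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
PRI_ONLY = re.compile(rb"<(\d{1,3})>")
# Constructed sample datagrams (not captured from any real device)
SAMPLE_5424 = b"<134>1 2024-01-15T10:20:30Z ap01 authd - ID47 - " + BOM + b"user=jdoe connected"
SAMPLE_3164 = b"<134>Jan 15 10:20:30 ap01 authd: user=jdoe connected"


def split_structured_data(rest):
    """Split STRUCTURED-DATA (NILVALUE or SD-ELEMENTs) from what follows it."""
    if rest.startswith(b"-"):
        return None, rest[1:]
    if not rest.startswith(b"["):
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    i, quoted = 0, False
    while i < len(rest):
        ch = rest[i:i + 1]
        if quoted and ch == b"\\":
            i += 1                      # skip the escaped character in a PARAM-VALUE
        elif ch == b'"':
            quoted = not quoted
        elif ch == b"]" and not quoted and rest[i + 1:i + 2] != b"[":
            return rest[:i + 1], rest[i + 1:]
        i += 1
    raise ValueError("unterminated STRUCTURED-DATA")


def parse_syslog(datagram):
    """Classify one datagram as RFC 5424 or RFC 3164 and extract its fields."""
    m = HEADER_5424.match(datagram)
    if m is None:                       # no VERSION digit after PRI: treat as RFC 3164
        pri = PRI_ONLY.match(datagram)
        body = datagram[pri.end():] if pri else datagram
        return {"format": "rfc3164", "pri": int(pri.group(1)) if pri else None,
                "msg": body.decode("utf-8", errors="replace")}
    sd, rest = split_structured_data(datagram[m.end():])
    msg = rest[1:] if rest.startswith(b" ") else rest
    had_bom = msg.startswith(BOM)
    if had_bom:
        msg = msg[len(BOM):]            # drop the BOM so it never reaches logs or scripts
    names = ("timestamp", "hostname", "app_name", "procid", "msgid")
    fields = {n: None if v == b"-" else v.decode("ascii", errors="replace")
              for n, v in zip(names, m.groups()[2:])}
    return {"format": "rfc5424", "pri": int(m.group(1)), "version": int(m.group(2)),
            **fields, "structured_data": sd.decode("utf-8", errors="replace") if sd else None,
            "bom": had_bom, "msg": msg.decode("utf-8", errors="replace")}
```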