Syslog-ng enable TCP framing

Question

I'm trying to send file entries as messages via TCP, where syslog-ng is in a container and it is sending to another container. I've had two different attempts both with problematic behavior. The first configuration:

@version: 3.31
source s_file {
    file("/var/log/my_file.json" follow_freq(1) flags(no-parse));
};

template log_template {
    template("MSGSTART${MESSAGE}MSGEND");
};

class SngResolver(object):
    def init(self, options):
        """
        Initializes the parser
        """
        self.counter = 0
        return True
    def parse(self, log_message):
        log_message["SYSUPTIME"] = subprocess.check_output(['cat', '/proc/uptime']).decode('utf-8')
        log_message["SEQUENCEID"] = str(self.counter)
        self.counter += 1
        # return True, other way message is dropped
        return True
};

parser p_resolver {
    python(
        class("SngResolver")
    );
};


# Define the destination for Suricata logs
destination d_container {
    syslog("my_other_container" transport("tcp") port(1234) template(log_template));    
};


# Define the log path for Suricata logs
log {
    source(s_file);
    parser(p_resolver);

    destination(d_container);
};

In this method, sometimes the message received started with the number of bytes in the coming message, say 400. other times, they did not and went straight to the message.

Later, I changed the destination to use network instead of syslog. Now, there is no framing.

I don't mind if I have to use TCP, UDP, whatever. I have a golang received connected to a TCP socket and I want it to read, one message at a time, and parse it. How is this achievable? Thanks

Answer 1

The syslog() destination would use the octet-counted framing format on transport(tcp) and transport(tls) as described in RFC5425. It will NOT use framing on transport(udp) as in that case the datagram delianates messages using the packet boundaries. The UDP transport is described in RFC5426.