UDP source - log/store unparseable syslogs

asked 2019-01-28 12:33:56 -0500


I am using UDP source to listen to the syslogs (from network devices) and send it to Kafka destination. I noticed a lot of stage errors on UDP source, mostly because of standard formats (in header) not followed by network device vendors. I was wondering if there is a way to store those unparseable syslogs in a file as plain-text. This will help debug/re-configure those devices.

Any suggestions on this?

1 Answer

answered 2019-01-30 13:55:29 -0500


I recommend configuring the UDP origin to consume the "raw/separated" format, rather than Syslog directly. Then attach a Data Parser processor afterward, which tries to parse the incoming record as Syslog. Configure error handling in the pipeline (with error records going to another location, such as filesystem or different Kafka topic). Then, any parse errors that occur in the data parser processor will have the original parsed raw packet sent to the error destination, from which you can perform additional analysis.
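The routing described in this answer, as an added stand-alone example that is not part of the answer or of the pipeline tool discussed: a minimal stand-in for the "parse as syslog" step that accepts RFC 5424 and RFC 3164 headers, refuses to guess at anything else, and sends the untouched raw packet plus the failure reason to an error list that is then written as plain-text lines. The sample packets (two standard ones, two vendor quirks) and the output path are constructed for the example.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.S)

class SyslogParseError(ValueError):
    """Raised when a packet carries no recognisable syslog header."""

def parse_syslog(raw: str) -> dict:
    """Parse one UDP payload; raise SyslogParseError rather than guess."""
    m = RFC5424.match(raw) or RFC3164.match(raw)
    if m is None:
        raise SyslogParseError("no RFC 5424/3164 header")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7
        raise SyslogParseError(f"PRI out of range: {pri}")
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "msg": m.group("rest")}

def route(packets):
    """Split (source_ip, payload) pairs into parsed records and error records."""
    good, errors = [], []
    for src, raw in packets:
        try:
            good.append({"source": src, **parse_syslog(raw)})
        except SyslogParseError as exc:
            # keep the raw packet untouched so the sending device can be debugged
            errors.append({"source": src, "reason": str(exc), "raw": raw})
    return good, errors

def error_line(err: dict) -> str:
    """One tab-separated plain-text line per bad packet, payload repr-escaped."""
    return f"{err['source']}\t{err['reason']}\t{err['raw']!r}"

def write_error_file(errors, path):
    with open(path, "a", encoding="utf-8") as f:
        f.writelines(error_line(e) + "\n" for e in errors)

# Constructed sample packets: two standard, two vendor quirks (bad timestamp, bad PRI).
SAMPLE_PACKETS = [
    ("10.0.0.1", "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An event"),
    ("10.0.0.2", "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
    ("10.0.0.3", "<13>2019-01-28 12:33:56 fw01 link state change"),
    ("10.0.0.4", "<200>1 2019-01-28T12:33:56Z core1 app - - bad priority"),
]
```

Running `route(SAMPLE_PACKETS)` and passing the second result to `write_error_file` appends one line per rejected packet to the chosen file.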


Last updated: Jan 30 '19