convert RFC 3164 syslog messages to RFC 5424 for ingestion into Loki/promtail

README.md

syslog-ng-converter

Loki supports syslog ingestion using promtail's syslog scraper:

# promtai.yaml
scrape_configs:
  - job_name: syslog
    syslog:
      listen_address: 0.0.0.0:1514
      idle_timeout: 60s
      label_structured_data: yes
      labels:
        job: "syslog"
    relabel_configs:
      # - source_labels: ['__syslog_message_hostname']
      #   target_label: 'hostname'
      - action: labelmap
        regex: __syslog_message_(.+)

But, promtail only accepts newer RFC 5424 ("IETF") formatted syslog messages and rejects RFC 3164 ("old", "BSD") formatted messages. This is a problem for the OpenBSD and Ubiquiti gear on my home network. Both of which output RFC 3164 syslog messages.

Solution: Create a simple converter/forwarder using syslog-ng. Listen for syslog messages in either format and output them as RFC 5424 to an instance of promtail.

Dockerfile

FROM balabit/syslog-ng:3.35.1

COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf

syslog-ng.conf

@version: 3.35

options {
  keep_hostname(yes);
};

source udp {
  syslog(ip(0.0.0.0) port(1514) transport("udp"));
};

source tcp {
  syslog(ip(0.0.0.0) port(1514) transport("tcp"));
};

destination forward {
  ## replace "promtail" with the hostname or IP of your promtail instance:
  syslog("promtail" transport("tcp") port(1514));
};

log {
  source(udp);
  source(tcp);
  destination(forward);
};

thx so much for this, I was googling and found your gist, added the syslog-ng forwader and now im good to go @joemiller