Hello,
I am using two XGS126 in HA. Firmware version is 20.0.0 GA-Build222 but the same applies to previous 19.5.3 MR-3-Build652.
I am configuring a remote syslog server. Everything works as expected with UDP protocol, the receiver is a rsyslog service on Ubuntu server. Everything described here also applies to another server with Elasticsearch stack, receiving logs with elastic-agent and Sophos XG integration.
When I switch to TCP using "Secure log transmission", it seems that the logs are sent using a different protocol (maybe RFC 3164?) and are badly interpreted by the server.
Debug is difficult since the TCP connection is encrypted, but it looks like the format is something like this:
<PRIORITY><MESSAGE><LINE DELIMITER>
The logs are sent in multiple TCP packets and the server is expecting "\n" as line delimiter, but instead a null character "\u0000" is sent. Rsyslog converts the null character in "#000" string but the event lines are not correctly delimited, and the entire log is messed up.
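To make the framing problem concrete, here is an added example (not code from the post, not from Sophos, and not rsyslog's own implementation) of a small TCP syslog receiver-side framer. It reassembles records from a stream delivered across several segments and accepts either "\n" or a NUL byte as the record terminator, then extracts the `<PRIORITY>` prefix. The sample records, the `SyslogFramer` class and the `ingest()` helper are constructed for this illustration; the field names mimic the Sophos key=value layout but are not taken from a real device. Running the same stream through an LF-only framer shows why a NUL-terminated feed ends up as one undelimited blob.

```python
import re

# Constructed sample: two syslog records laid out as <PRIORITY><MESSAGE><DELIMITER>,
# terminated by NUL (as the post observes) and split across three TCP segments.
SAMPLE_RECORDS = [
    b'<134>timestamp="2024-01-01T00:00:00" device_name="SFW" log_type="Firewall" status="Allow"',
    b'<134>timestamp="2024-01-01T00:00:01" device_name="SFW" log_type="Firewall" status="Deny"',
]
NUL_STREAM = b"\x00".join(SAMPLE_RECORDS) + b"\x00"
SAMPLE_SEGMENTS = [NUL_STREAM[:40], NUL_STREAM[40:95], NUL_STREAM[95:]]

# RFC 3164/5424 style PRI header: "<" decimal (0..191) ">"
PRI_RE = re.compile(rb"^<(\d{1,3})>")


class SyslogFramer:
    """Stateful record splitter for a TCP syslog byte stream (constructed helper).

    Tolerates any of the configured delimiters so that a sender using NUL
    instead of LF still produces one record per event.
    """

    def __init__(self, delimiters=(b"\n", b"\x00")):
        self._buf = b""
        self._split = re.compile(b"|".join(re.escape(d) for d in delimiters))

    def feed(self, chunk):
        """Append one TCP segment; return every complete record found so far."""
        self._buf += chunk
        records = []
        while True:
            m = self._split.search(self._buf)
            if not m:
                break
            record = self._buf[:m.start()]
            self._buf = self._buf[m.end():]
            if record:  # skip empty records from back-to-back delimiters
                records.append(record)
        return records

    def flush(self):
        """On connection close, return whatever never hit a delimiter."""
        leftover, self._buf = self._buf, b""
        return leftover


def parse_record(raw):
    """Split the PRI prefix into facility/severity and return the message body."""
    m = PRI_RE.match(raw)
    if not m:
        return {"priority": None, "facility": None, "severity": None,
                "message": raw.decode("utf-8", errors="replace")}
    pri = int(m.group(1))
    return {
        "priority": pri,
        "facility": pri // 8,   # 134 -> 16 (local0)
        "severity": pri % 8,    # 134 -> 6 (informational)
        "message": raw[m.end():].decode("utf-8", errors="replace"),
    }


def ingest(segments, delimiters=(b"\n", b"\x00")):
    """Feed a list of TCP segments through the framer; return parsed records
    plus the undelimited remainder (empty when framing worked)."""
    framer = SyslogFramer(delimiters)
    parsed = []
    for seg in segments:
        parsed.extend(parse_record(r) for r in framer.feed(seg))
    return parsed, framer.flush()


if __name__ == "__main__":
    ok, rest = ingest(SAMPLE_SEGMENTS)
    print(f"LF-or-NUL framing: {len(ok)} records, {len(rest)} bytes left over")
    bad, rest = ingest(SAMPLE_SEGMENTS, delimiters=(b"\n",))
    print(f"LF-only framing:   {len(bad)} records, {len(rest)} bytes left over")
```

The LF-only run never emits a record: the whole stream sits in the buffer until the connection closes, which is the "entire log is messed up" symptom when a receiver expects "\n" and the sender terminates with NUL. Accepting both delimiters on the receiver side is a defensive fix that does not depend on the sender being corrected.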