# default-network-drivers: Receive and parse common syslog messages

The `default-network-drivers()` source is a special source that uses multiple source drivers to receive and parse several different types of syslog messages from the network. Available in version 3.16 and later.

To use the `default-network-drivers()` source, the `scl.conf` file must be included in your AxoSyslog configuration:
```
@include "scl.conf"
```

Also, make sure that your SELinux, AppArmor, and firewall settings permit AxoSyslog to access the ports where you want to receive messages, and that no other application is using these ports. By default, the `default-network-drivers()` source accepts messages on the following ports:

  * 514, both TCP and UDP, for RFC3164 (BSD-syslog) formatted traffic
  * 601 TCP, for RFC5424 (IETF-syslog) formatted traffic
  * 6514 TCP, for TLS-encrypted traffic



In addition to receiving messages on different ports and in different formats, this source tries to parse the messages automatically. If successful, it sets the `${.app.name}` name-value pair to the name of the application that sent the log message. Currently it uses the following procedures.

Warning: If you do not configure the TLS keys to show to the clients, AxoSyslog cannot accept encrypted connections. The application starts and listens on TCP:6514, and can receive messages on other ports, but will display a warning message about missing keys.

## Parsing RFC3164-formatted messages

For RFC3164-formatted messages (that is, messages received on the ports set in options `udp-port()` and `tcp-port()`, which default to port 514), AxoSyslog attempts to use the following parsers. If a parser cannot parse the message, it passes the original message to the next parser.

  1. Parse the incoming raw message as a [message from a Cisco device](../../docs/axosyslog-core/chapter-parsers/cisco-parser/index.md).

  2. Parse the incoming message as an [RFC3164-formatted message](../../docs/axosyslog-core/chapter-parsers/parser-syslog/index.md).

     * If the incoming message was sent by an AxoSyslog client using the [`syslog-ng()` destination](../../docs/axosyslog-core/chapter-destinations/destination-syslog-ng/index.md), parse its fields as an [AxoSyslog message](../../docs/axosyslog-core/chapter-parsers/parser-ewmm/index.md).

       The [Enterprise-wide message model or EWMM](../../docs/axosyslog-core/chapter-concepts/concepts-message-structure/syslog-ng-message-format/index.md) allows you to deliver structured messages from the initial receiving AxoSyslog component right up to the central log server, through any number of hops. It does not matter if you parse the messages on the client, on a relay, or on the central server: their structured results will be available where you store the messages. Optionally, you can also forward the original raw message as the first AxoSyslog component in your infrastructure has received it, which is important if you want to forward a message, for example, to a SIEM system. To make use of the enterprise-wide message model, you have to use the [`syslog-ng()` destination on the sender side](../../docs/axosyslog-core/chapter-destinations/destination-syslog-ng/index.md), and the [`default-network-drivers()` source on the receiver side](../../docs/axosyslog-core/chapter-sources/source-default-network-drivers/index.md).

     * Otherwise, apply the application adapters if the message was sent from an application that already has a specific parser in AxoSyslog (for example, Splunk Common Information Model (CIM), [iptables](../../docs/axosyslog-core/chapter-parsers/parser-iptables/index.md), or [sudo](../../docs/axosyslog-core/chapter-parsers/parser-sudo/index.md)).




## Parsing RFC5424-formatted messages

For RFC5424-formatted messages (that is, messages received on the ports set in options `rfc5424-tcp-port()` and `rfc5424-tls-port()`, which default to ports 601 and 6514, respectively), AxoSyslog parses the message according to RFC5424, then attempts to apply the application adapters if the message was sent from an application that already has a specific parser in AxoSyslog (for example, Splunk Common Information Model (CIM), [iptables](../../docs/axosyslog-core/chapter-parsers/parser-iptables/index.md), or [sudo](../../docs/axosyslog-core/chapter-parsers/parser-sudo/index.md)).

## Example: Using the default-network-drivers() driver

The following example uses only the default settings.
```
source s_network {
    default-network-drivers();
};
```

The following example can receive TLS-encrypted connections on the default port (port 6514).
```
source s_network {
    default-network-drivers(
        tls(
            key-file("/path/to/ssl-private-key")
            cert-file("/path/to/ssl-cert")
        )
    );
};
```
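
The following configuration is an added example, not part of the original documentation. It extends the TLS example to require client certificates on port 6514 and routes messages by the `${.app.name}` value that the source sets after parsing. The CA bundle path, the destination names and file paths, and the `sudo` application name are assumptions for illustration.

```conf
@include "scl.conf"

source s_network {
    default-network-drivers(
        tls(
            key-file("/path/to/ssl-private-key")
            cert-file("/path/to/ssl-cert")
            # Assumption: placeholder path to the CA bundle that signed the client certificates.
            ca-file("/path/to/ca-bundle.pem")
            # Reject clients that do not present a certificate chaining to the CA above.
            peer-verify(required-trusted)
        )
    );
};

# Hypothetical destinations for illustration.
destination d_sudo { file("/var/log/remote/sudo.log"); };
destination d_unparsed { file("/var/log/remote/unparsed.log"); };
destination d_other { file("/var/log/remote/other.log"); };

log {
    source(s_network);

    if ("${.app.name}" eq "sudo") {
        # Assumption: the sudo application adapter reports "sudo" as the application name.
        destination(d_sudo);
    } elif ("${.app.name}" eq "") {
        # No application adapter matched, so ${.app.name} is unset and expands to an empty string.
        destination(d_unparsed);
    } else {
        # Some other application adapter recognized the message.
        destination(d_other);
    };
};
```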

* * *

[default-network-drivers() source options](../../docs/axosyslog-core/chapter-sources/source-default-network-drivers/reference-source-default-network-drivers/index.md)

Last modified May 31, 2024: [Typo fixes (d4925e1)](<https://github.com/axoflow/axosyslog-core-docs/commit/d4925e1525a6e0ea504ee33276dbd2c980d9b659>)