[Q&A]parsing failed (syslog)

[adelbordbari]

What is the problem?

in fluentd, i receive firewall logs from two different devices, both are syslog but the format is different. i parse the first type correctly with this conf:

<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  tag s_5140
  source_address_key sensor
  <transport udp>
  </transport>
  message_format rfc5424
</source>

<filter s_5140.local0.*>
  @type parser
  key_name message
  reserve_data true
  remove_key_name_field true
  <parse>
    @type csv
    keys rule_id,rule_number,sub_rule_number,ruleset,p1,interface,reason,action,direction,ip_version,p2,p3,p4,p5,p6,p7,p8,tcp_udp,p9,source_ip,dest_ip,src_port,dest_port,p10,p11,p12,p13,p14,p15,p16
  </parse>
</filter>

<match s_5140.local0.*>
  @type stdout
</match>

however the second type can't be parsed, and gives me this error:
2024-12-31 09:48:38 +0000 [warn]: #0 failed to parse message data="<134>Dec 31 13:18:38 filterlog: 1735535334<1>,70,,,0,vmx1,match,pass,in,4,0x0,,128,65216,0,none,17,udp,32,192.168.1.131,255.255.255.255,5678,5678,12"

how to parse the second type without changing my tag (since I have even more syslogs on the same port with parsing and filters.)

Describe the configuration of Fluentd

No response

Describe the logs of Fluentd

No response

Environment

- Fluentd version: 1.16.2
- TD Agent version:
- Fluent Package version:
- Docker image (tag): using on docker-compose
- Operating system: ubuntu
- Kernel version: