logstash icon indicating copy to clipboard operation
logstash copied to clipboard
verified publisher icon elastic

[Feature Request] Syslog Input plugin to support proxy protocol v2.

Open jmoon-elastic opened this issue 3 months ago • 1 comments

Currently, the Logstash's Syslog Input plugin supports Proxy protocol v1 only.

Proxy protocol support, only v1 is supported at this time http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Due to this limitation, the IP of the source devices are not preserved in the logs collected via AWS NLB(which supports proxy protocol v2 only) as they are replaced by the IP of the NLB.

Please consider supporting proxy protocol v2 so that the original source IP can be preserved.

jmoon-elastic avatar Sep 26 '25 02:09 jmoon-elastic

Hey @logstash-team, circling back on this FR, super relevant for AWS NLB users like the OP. Dived into the logstash-input-syslog code (syslog.rb), and v1's straightforward text parsing ("PROXY " prefix) is solid, but yeah, no love for v2's binary header yet. Quick assessment:

  • v2 detection: Scan first 16 bytes for signature (0x0D0A0D0A00...), then unpack IPs/ports from TLVs.
  • Impact: Minimal—extend the connection reader to try v2 before v1 fallback, preserve src IP in event metadata.
  • Edge cases: Handle v1/v2 mix, malformed headers, non-proxy traffic.

If assigned, I'd tackle:

  • PR with updated parser + unit/integration tests (e.g., mock TCP streams).
  • Docs bump for config flag to enable/disable v2. can you please assign this to me

0xShubhamSolanki avatar Oct 27 '25 19:10 0xShubhamSolanki