[Syslog] RFC3164 Acquisition does not handle relayed packets #2839

@LaurenceJJones

Description

What happened?

A relay will add a TIMESTAMP and SHOULD add a HOSTNAME as follows and will treat the entire received packet after the PRI part from the original packet as the CONTENT field of the new packet. The value used in the HOSTNAME field is only the hostname without the domain name as it is known by the relay. A TAG value will not be added to the relayed packet. While the inclusion of the domain name and IPv4 address in the original message is a noble endeavor, it is not consistent with the use of the field as described in Section 4.1.2.

    <0>Oct 22 10:52:12 scapegoat 1990 Oct 22 10:52:01 TZ-6 scapegoat.dmz.example.org 10.1.2.3 sched[0]: That's All Folks!

https://www.rfc-editor.org/rfc/rfc3164

RFC3164 specifies that if the packet is relayed between syslog servers, the server should put itself as a HOST within the syslog line. Our current RFC3164 parser does not expect relayed packets.

Example:

<14>Feb 12 09:50:07 ToonDreamMachine ToonDreamMachine ubios-udapi-server[3117]: svc-system-log-syslog-ng:       +(services): Restart running service systemLog

This packet is an internal relay from Unifi and fails both RFCs due to the same hostname appearing twice.

Linked to hub item crowdsecurity/hub#940

What did you expect to happen?

Handle relayed packets between syslog servers

How can we reproduce it (as minimally and precisely as possible)?

WIP

Anything else we need to know?

No response

Crowdsec version

$ cscli version
# paste output here

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Enabled collections and parsers

$ cscli hub list -o raw
# paste output here

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here
```

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom config versions (if applicable): notification plugins, custom scenarios, parsers, etc.
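
As an added example (not CrowdSec's own acquisition code): a small Go parser that applies the relay rule from RFC 3164 section 4.3.3 quoted above, treating a bare word in front of the TAG as the original HOSTNAME and the header hostname as the relay, run on the Unifi line from this issue. The regexes, the `Parsed` struct and the `ParseRFC3164` function are my own assumptions, not CrowdSec's implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Parsed holds one RFC 3164 line; RelayHost is set only for relayed packets.
type Parsed struct {
	Pri       int
	Timestamp, RelayHost, Hostname, Tag, PID, Message string
}

// headerRe: <PRI>, TIMESTAMP ("Mmm dd hh:mm:ss"), HOSTNAME, then CONTENT.
var headerRe = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$`)

// tagRe: "TAG[PID]: msg" or "TAG: msg" at the start of CONTENT.
var tagRe = regexp.MustCompile(`^([A-Za-z0-9_./-]+)(?:\[(\d+)\])?: ?(.*)$`)

// ParseRFC3164 parses a direct or relayed RFC 3164 line (assumed helper).
func ParseRFC3164(line string) (Parsed, error) {
	m := headerRe.FindStringSubmatch(line)
	if m == nil {
		return Parsed{}, fmt.Errorf("not an RFC 3164 header: %q", line)
	}
	p := Parsed{Timestamp: m[2], Hostname: m[3]}
	p.Pri, _ = strconv.Atoi(m[1]) // digits guaranteed by headerRe
	rest := m[4]
	// RFC 3164 4.3.3: a relay prepends its own TIMESTAMP and HOSTNAME and
	// keeps everything after the original PRI as CONTENT. So when CONTENT
	// opens with a bare word (no '[' or ':') followed by a TAG, that word is
	// the original HOSTNAME and the header hostname belongs to the relay.
	// Caveat: an untagged message shaped like "word foo: ..." is also read
	// as relayed; the relay format gives the parser nothing better to key on.
	if first, tail, ok := strings.Cut(rest, " "); ok &&
		!strings.ContainsAny(first, "[:") && tagRe.MatchString(tail) {
		p.RelayHost, p.Hostname, rest = p.Hostname, first, tail
	}
	if t := tagRe.FindStringSubmatch(rest); t != nil {
		p.Tag, p.PID, p.Message = t[1], t[2], t[3]
	} else {
		p.Message = rest // CONTENT carries no TAG
	}
	return p, nil
}

// UnifiLine is the relayed packet quoted in this issue.
const UnifiLine = `<14>Feb 12 09:50:07 ToonDreamMachine ToonDreamMachine ubios-udapi-server[3117]: svc-system-log-syslog-ng:       +(services): Restart running service systemLog`
```

A direct line leaves RelayHost empty, so the relay hostname can be surfaced as an extra field instead of making the packet fail to parse.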