Harbor Syslog Audit Logs contains empty UDP messages

[abdurrahman-osman]

Hi Everyone,

We have Harbor Registry deployed to Kubernetes. We are trying to forward audit logs to an external Syslog server to perform siem rules. When we start tcp dump in the target syslog server, we see too many TCP packets holds a small message contains following string:
Udp data

Harbor version: 2.13.2
Kubernetes version: 1.29

The tcp dump output as below:

...

..V........Udp data..........

11:08:55.768993 IP som-ip.41603 > hostname.shell: Flags [S], seq 2099988136, win 8188, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

E..4..@.....

Anyone faced this issue or any suggesstion for extra troubleshooting?

[bupd]

/label more-info-needed, kind/question

[bupd]

please share relevant logs, nature of the requests, and a bit more info of your setup. This might help us understand the issue better.

Thanks

[abdurrahman-osman]

Hi, @bupd

No error logs or anything unsual on harbor logs.

I have added my syslog server IP on Harbor UI as below:

Everything are ok. Logs are sent to the server. But the issue is we see too many messages beside the required audit logs.

I already mentioned how these messages look like above.

[abdurrahman-osman]

Hi @Vad1mo

What info is needed?

[wy65701436]

Hi @abdurrahman-osman,

Thanks for reporting. I did some search on it,

The "Udp data" messages are connection establishment packets from Go's log/syslog.Dial("tcp", ...) package when Harbor core(https://github.com/goharbor/harbor/blob/main/src/pkg/audit/forward.go#L38) establishes TCP connections to your syslog server. According to the Go syslog documentation, when a syslog connection is established, the client may send an initial test message. This is expected behavior, not a bug.

[abdurrahman-osman]

Hi @wy65701436

thanks for sharing.

this message makes our parsing mechanism hard.

Do you think it is not exist in UDP protocol?