[syslog-ng] syslog-ng as a relay

Balazs Scheidler bazsi at balabit.hu
Tue Jun 19 13:19:28 CEST 2007


On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:

> > So, I have been trying destinations as follows:
> > 
> > destination d_remote {
> > 	udp("X.X.X.X" port(514) spoof_source(yes)
> > template("$MESSAGE\n"));
> > 	udp("Y.Y.Y.Y" port(514) spoof_source(yes)
> > template("$MESSAGE\n"));
> > };
> 
> Instead of this you should use two different destination definitions:
> 
> destination d_remote_one {
> 	...
> };
> 
> destination d_remote_two {
> 	...
> };
> 
> and later
> 
> log {
> 	source(...);
> 	filter(...);
> 	destination(d_remote_one);
> 	destination(d_remote_two);
> };

Organizing destinations is a matter of preference, so this is not
strictly required.


> > $MESSAGE\n    Syslog facility and priority headers are stripped
> >               away from relayed messages.
> 
> try using template("<$M_PRI> $MESSAGE\n");

M_PRI is not a valid macro; the above format should be written as
"<$PRI> $MESSAGE\n". M_PRI is the internal identifier for that macro.

Please note that PRIORITY and PRI are not the same. "PRI" denotes the
PRI field of the syslog header, which is comprised of a FACILITY and a
LEVEL value. PRIORITY is an alias for LEVEL.

Sorry for the confusing names. Partly this is caused by compatibility
with older versions of syslog-ng.

If the incoming message at least resembles a syslog message (e.g. it
has a proper PRI heading), then you could use the template defined
above.

If it does not, you could still use the no-parse flag for your input,
and "$MESSAGE\n" as output template.

-- 
Bazsi
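
An added example, not part of the original message and not syslog-ng code: a receiver-side check that decodes the PRI heading into FACILITY and LEVEL as described above, and flags relayed lines that arrived without one. The function names and sample lines are constructed for illustration; the 0-191 range and the level names follow RFC 3164.

```python
import re

# Level names by numeric value (RFC 3164). PRIORITY in syslog-ng is an alias for LEVEL.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A PRI heading is "<", one to three decimal digits, ">" at the very start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Split a received line into its PRI parts; None if it has no valid PRI heading."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 levels = 192 possible values (0..191)
        return None
    return {
        "PRI": pri,                 # the number that "<$PRI>" writes back out
        "FACILITY": pri >> 3,       # PRI // 8
        "LEVEL": LEVELS[pri & 7],   # PRI % 8, mapped to its name
        "rest": line[m.end():].lstrip(" ").rstrip("\n"),
    }


def missing_pri(lines):
    """Return the lines that reached the receiver without facility/level information."""
    return [line for line in lines if decode_pri(line) is None]


# Constructed sample lines, as a receiver might see them from a relay.
SAMPLES = [
    "<34> su: 'su root' failed for lonvick on /dev/pts/8\n",  # sent with "<$PRI> $MESSAGE\n"
    "su: 'su root' failed for lonvick on /dev/pts/8\n",       # sent with "$MESSAGE\n" only
    "<999> not a valid PRI value\n",                          # heading present but out of range
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", decode_pri(sample))
    print("without usable PRI:", len(missing_pri(SAMPLES)))
```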


