<blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">Does this work?<br><br>source s_udp_not_parsed { udp(port(514) flags(no-parse)); };<br>source s_udp { udp(port(514)); };<br>
<br>(...)<br><br></blockquote><br>I tried that solution a few days ago and it didn't work. Two "syslog-ng" processes listened on port UDP/514: the messages are not handled correctly. They would be handled by "s_udp_not_parsed" or "s_udp".<br>
<br>NB: it's strange that two processes can listen on the same port (for the UDP protocol), isn't it? This is the same behaviour with "netcat". I tried with netcat (example: nc -l -u 1234) and I have two processes which listen on port UDP/1234. Messages sent by "nc" to port 1234 are received by the last "netcat" which has been started.<br>
<br><br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
For passing yourself back the reparsed message I would recommend<br>
unix-dgram. AF_UNIX is usually better than pipes for me at least.<br></blockquote><div></div><br>Thank you ! I'll use AF_UNIX.<br><br>Regards,<br><br>Yann I.<br><br><br><div class="gmail_quote">2010/11/16 Matthew Hall <span dir="ltr"><<a href="mailto:mhall@mhcomputing.net" target="_blank">mhall@mhcomputing.net</a>></span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">For passing yourself back the reparsed message I would recommend<br>
unix-dgram. AF_UNIX is usually better than pipes for me at least.<br>
<font color="#888888"><br>
Matthew.<br>
</font><div><div></div><div><br>
On Tue, Nov 16, 2010 at 12:14:53PM -0600, Martin Holste wrote:<br>
> Does this work?<br>
><br>
> source s_udp_not_parsed { udp(port(514) flags(no-parse)); };<br>
> source s_udp { udp(port(514)); };<br>
><br>
> log {<br>
> source(s_udp);<br>
> parser(db-parser());<br>
> destination(d_parsed);<br>
> };<br>
> log {<br>
> source(s_udp_not_parsed);<br>
> destination(d_not_parsed);<br>
> };<br>
><br>
> Otherwise, try reassembling a no-parse like message with a different<br>
> output template.<br>
><br>
> On Tue, Nov 16, 2010 at 11:13 AM, Yann I. <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>> wrote:<br>
> > Well I'm not sure because of the flag I used for the UDP source which is set<br>
> > to "no-parse".<br>
> ><br>
> > Here is my problem. From the UDP source, I may receive logs which are not<br>
> > "syslog compliant". So I'm using the flag 'no-parse' then I rewrite the<br>
> > message. After that rewrite, I forward the new message to the same syslog-ng<br>
> > server.<br>
> > Then... I can apply filter, parser, etc on that new message which is now<br>
> > "syslog compliant" :-)<br>
> ><br>
> > So, I think I can't use a log statement. I need to use that mechanism...<br>
> > There might be another solution but this one seems to be a good solution.<br>
> ><br>
> ><br>
> > 2010/11/16 Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>><br>
> >><br>
> >> Ok, then this should be accomplished with a standard log statement<br>
> >> like you've already begun to write. What do your destinations look<br>
> >> like?<br>
> >><br>
> >> On Tue, Nov 16, 2010 at 10:58 AM, Yann I. <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>> wrote:<br>
> >> > In fact, this is the same process... There is only one process.<br>
> >> ><br>
> >> ><br>
> >> > 2010/11/16 Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>><br>
> >> >><br>
> >> >> Why do you need separate syslog-ng processes running?<br>
> >> >><br>
> >> >> On Tue, Nov 16, 2010 at 10:49 AM, Yann I. <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>> wrote:<br>
> >> >> > Hi !<br>
> >> >> ><br>
> >> >> > I have a question about the use of udp, unix-stream or pipe. I would<br>
> >> >> > like to<br>
> >> >> > forward a syslog message to the same syslog server like this :<br>
> >> >> ><br>
> >> >> > | log {<br>
> >> >> > | source (s_r_udp); (<-- listen on UDP/514)<br>
> >> >> > |<br>
> >> >> > | filter (....);<br>
> >> >> > | filter (....);<br>
> >> >> > | parser (...);<br>
> >> >> > |<br>
> >> >> > | destination (d_local_syslog); (<-- send the message to a local<br>
> >> >> > syslog<br>
> >> >> > by using unix-stream, udp or pipe mechanism)<br>
> >> >> > | };<br>
> >> >> ><br>
> >> >> > (...)<br>
> >> >> ><br>
> >> >> > | log {<br>
> >> >> > | source (s_local_syslog); (<--- here I receive the messages<br>
> >> >> > sent<br>
> >> >> > by<br>
> >> >> > the "d_syslog_loop")<br>
> >> >> > |<br>
> >> >> > | filter (...);<br>
> >> >> > | filter (...);<br>
> >> >> > | parser (...);<br>
> >> >> > |<br>
> >> >> > | destination (d_remote_syslog);<br>
> >> >> ><br>
> >> >> > I'm looking for the best way to send syslog messages to the same<br>
> >> >> > syslog<br>
> >> >> > server: which mechanism provides the best performance: pipe, udp<br>
> >> >> > (by<br>
> >> >> > using network) or unix-stream?<br>
> >> >> > Maybe the "pipe" is the best solution?...<br>
> >> >> ><br>
> >> >> > I'm using the syslog-ng OSE 3.1.2 on CentOS.<br>
> >> >> ><br>
> >> >> > Regards,<br>
> >> >> ><br>
> >> >> > Yann I.<br>
> >> >> ><br>
> >> >> ><br>
> >> >> ><br>
> >> >> > ______________________________________________________________________________<br>
> >> >> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> >> >> > Documentation:<br>
> >> >> > <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> >> >> > FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
> >> >> ><br>
> >> >> ><br>
> >> >> ><br>
> >> >><br>
> >> >><br>
> >> >><br>
> >> ><br>
> >> ><br>
> >><br>
> >><br>
> ><br>
> ><br>
><br>
</div></div></blockquote></div><br>
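The port sharing Yann describes in his reply (two listeners on one UDP port, each datagram reaching only one of them) can be reproduced with the sketch below. It is an added example, not part of the original thread; it assumes Linux and that both listeners set SO_REUSEADDR, which the thread does not state, and the function names and the sample datagram are constructed for illustration.

```python
import errno
import select
import socket

# Constructed sample datagram (not taken from the thread).
SAMPLE = b"<13>Nov 16 12:00:00 testhost app: constructed sample message"
LOOPBACK = "127.0.0.1"


def bind_udp(port, reuse):
    """Bind a non-blocking UDP socket on loopback, optionally with SO_REUSEADDR."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if reuse:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((LOOPBACK, port))
    except OSError:
        sock.close()
        raise
    sock.setblocking(False)
    return sock


def shared_port_demo():
    """Return (names of listeners that got the datagram, errno of a strict bind)."""
    first = bind_udp(0, reuse=True)            # kernel picks a free port
    port = first.getsockname()[1]
    second = bind_udp(port, reuse=True)        # same port: accepted on Linux
    try:
        bind_udp(port, reuse=False).close()    # no SO_REUSEADDR: must be refused
        strict_errno = None
    except OSError as exc:
        strict_errno = exc.errno
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(SAMPLE, (LOOPBACK, port))
    select.select([first, second], [], [], 1.0)  # wait for delivery
    received = []
    for name, sock in (("first", first), ("second", second)):
        try:
            if sock.recv(2048) == SAMPLE:
                received.append(name)
        except BlockingIOError:
            pass                               # this listener got nothing
        sock.close()
    return received, strict_errno


if __name__ == "__main__":
    got, err = shared_port_demo()
    print("delivered to:", got, "| strict bind:", errno.errorcode.get(err))
```

Because the datagram is delivered once rather than copied to every listener, a log collector that finds more than one owner on its UDP port should treat that as a reason to investigate missing messages.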