<div dir="auto">The syslog-parser() should set the program field based on the input, and your configuration seems correct at a first glance.<div dir="auto"><br></div><div dir="auto">Can you perhaps set debug mode (-d from command line) and copy-paste the output generated by a debug message?</div><div dir="auto"><br></div><div dir="auto">Also pls supply your syslog-ng version.</div><div dir="auto"><br></div><div dir="auto">Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Feb 22, 2017 17:24, <<a href="mailto:hurling69@yahoo.com">hurling69@yahoo.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"><div>Thanks for the information. I have another issue that has come up relating to the PROGRAM macro.</div><div><br></div><div>
</div><div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3747"><b id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3748">When I configure it
like this, the PROGRAM macro works properly and gets the proper tag from the
client:</b></div>
<div style="text-align:center" id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3749" align="center">
<hr id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3750" size="2" width="100%" align="center">
</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3751">source s_syslog-ports {</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3752"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3753"> </span># Configure
the network() driver for receiving RFC3164 logs</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3754"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3755">
</span>network(transport("udp") ip(10.25.10.52) port(514));</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3756"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3757">
</span>network(transport("tcp") ip(10.25.10.52) port(514)
max-connections(100));</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3758"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3759">
</span>network(transport("tcp") ip(10.25.10.52) port(1514)
max-connections(100));</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3760">};</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3761"> </div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3762">filter f_Linux-centos {
in-list("/etc/syslog-ng/filter/Linux-centos.txt",
value("SOURCEIP")); };</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3763">destination d_Linux-centos
{file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log"
template(t_message-only));};</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3764">log {source(s_syslog-ports); filter(f_Linux-centos);
destination(d_Linux-centos);};</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3765"> </div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3766"> </div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3767"><b id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3768">Then, when I change
the configuration to this, the PROGRAM macro no longer gets the same proper tag
value from the client:</b></div>
<div style="text-align:center" id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3769" align="center">
<hr id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3770" size="2" width="100%" align="center">
</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3771">source s_syslog-ports {</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3772"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3773"> </span># Configure
the network() driver for receiving RFC3164 logs</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3774"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3775">
</span>network(transport("udp") ip(10.25.10.52) port(514));</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3776"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3777">
</span>network(transport("tcp") ip(10.25.10.52) port(514)
max-connections(100));</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3778"><span id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3779">
</span>network(transport("tcp") ip(10.25.10.52) port(1514)
max-connections(100) <b id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3780">flags(no-parse)</b>);</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3781">};</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3782"> </div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3783">filter f_Linux-centos {
in-list("/etc/syslog-ng/filter/Linux-centos.txt",
value("SOURCEIP")); };</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3784">destination d_Linux-centos
{file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log"
template(t_message-only));};</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3785">log {source(s_syslog-ports); <b id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3786">junction { channel {</b> filter(f_Linux-centos); <b id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3787">parser { syslog-parser(); }; flags(final); }; };</b>
destination(d_Linux-centos);};</div>
<div id="m_-4536223007964533313yui_3_16_0_ym19_1_1487780274358_3574"><span><br></span></div><div><span>Is there a way to configure the no-parse and junction option while still getting the correct PROGRAM macro data?</span></div><div><span><br></span></div><div><span>Thanks.<br></span></div><div><span></span></div> <div class="m_-4536223007964533313qtdSeparateBR"><br><br></div><div class="m_-4536223007964533313yahoo_quoted" style="display:block"> <div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"> <div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"> <div dir="ltr"><font size="2" face="Arial"> On Wednesday, February 22, 2017 8:04 AM, "Fekete, Róbert" <<a href="mailto:robert.fekete@balabit.com">robert.fekete@balabit.com</a>> wrote:<br></font></div> <br><br> <div class="m_-4536223007964533313y_msg_container"><div id="m_-4536223007964533313yiv9949162300"><div><div dir="ltr">Hi, <div><br clear="none"></div><div>To achieve something like that, you have to use junctions. 
</div><div>You'll have one source with flags(no-parse), then embed a filter+parser junction to process regular syslog messages, and another junction to process the ones you cannot parse.</div><div><br clear="none"></div><div>For details, see the 8.3 example at <a rel="nofollow" shape="rect">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/junctions.html</a> and <a rel="nofollow" shape="rect">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html</a></div><div><br clear="none"></div><div>HTH, </div><div><br clear="none"></div><div>Robert</div></div><div class="m_-4536223007964533313yiv9949162300gmail_extra"><br clear="none"><div class="m_-4536223007964533313yiv9949162300gmail_quote">On Wed, Feb 22, 2017 at 2:45 PM, 'Miah Lang' via SYSLOG-NG <span dir="ltr"><<a rel="nofollow" shape="rect">syslog-ng@balabit.com</a>></span> wrote:<br clear="none"><blockquote class="m_-4536223007964533313yiv9949162300gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_-4536223007964533313yiv9949162300yqt0262501372" id="m_-4536223007964533313yiv9949162300yqt79278"><div><div><br clear="none"></div><blockquote type="cite">
<div class="m_-4536223007964533313yiv9949162300m_-4684994580070735645WordSection1">
<div class="m_-4536223007964533313yiv9949162300MsoNormal">Is it possible to configure multiple sources, one with flags(no-parse) and one without?</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> </div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">e.g.</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> </div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">source <b>s_syslog-ports</b> {</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> udp(port(514));</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> tcp(port(1514) max-connections(100));</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> tcp(port(514) max-connections(100));</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">};</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> </div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">source <b>s_syslog_np-ports </b>{</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> udp(port(514) flags(no-parse));</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> tcp(port(1514) max-connections(100) flags(no-parse));</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> tcp(port(514) max-connections(100) flags(no-parse));</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">};</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> </div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">filter f_Cisco-router { in-list("/etc/syslog-ng/filter/Cisco-router.txt", value("SOURCEIP")); };</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">destination d_Cisco-router {file("/var/log/IT/network/router/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only));};</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">log {source(<b>s_syslog-ports</b>); filter(f_Cisco-router); destination(d_Cisco-router);};</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> </div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">filter f_Cisco-switch { in-list("/etc/syslog-ng/filter/Cisco-switch.txt", value("SOURCEIP")); };</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">destination d_Cisco-switch {file("/var/log/IT/network/switch/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only));};</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">log {source(<b>s_syslog_np-ports</b>); filter(f_Cisco-switch); destination(d_Cisco-switch);};</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"> </div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">Whenever I do this, I get an error message when restarting the service.</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">“Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details.”</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal">“Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.”</div>
<div class="m_-4536223007964533313yiv9949162300MsoNormal"><span style="color:rgb(64,64,64);font-size:10pt;font-family:Calibri,sans-serif"> </span></div>
</div>
</blockquote></div></div><br clear="none">__________________________________________________________________________<br clear="none">
Member info: <a rel="nofollow" shape="rect">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br clear="none">
Documentation: <a rel="nofollow" shape="rect">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br clear="none">
FAQ: <a rel="nofollow" shape="rect">http://www.balabit.com/wiki/syslog-ng-faq</a><br clear="none">
<br clear="none">
<br clear="none"></blockquote></div><br clear="none"></div></div></div><br><br><br></div> </div> </div> </div></div></div><br>
<br>
<br></blockquote></div></div>
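The two-channel junction Robert describes (one no-parse source, a filter+parser channel for regular syslog lines, a second channel for everything else), written out as an added syslog-ng configuration that is not from the thread or from the syslog-ng project. It reuses the listener address, in-list filter and destination path from the original post; the @version line, the definition of t_message-only, the f_has-program filter and the d_other destination are assumptions.

```conf
@version: 3.9
# assumed version; junctions and syslog-parser() are available in any 3.4+ release

# Assumed definition of the template the original post references.
template t_message-only { template("${MESSAGE}\n"); };

# One listener only, with no-parse: the whole line lands in $MESSAGE and $PROGRAM is empty.
source s_raw {
    network(transport("tcp") ip("10.25.10.52") port(1514) max-connections(100) flags(no-parse));
};

filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt", value("SOURCEIP")); };

# Only a line that syslog-parser() understood as RFC3164 ends up with a non-empty PROGRAM;
# program() matches its regexp against that field, so ".+" is true only after a successful parse.
filter f_has-program { program(".+"); };

destination d_Linux-centos {
    file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log"
         template(t_message-only));
};

# Assumed catch-all for lines the first channel did not claim (unparsable, or from other hosts).
destination d_other {
    file("/var/log/IT/other/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only));
};

log {
    source(s_raw);
    junction {
        # Channel 1: parse $MESSAGE, then claim the message with flags(final) only when the
        # parser recovered a PROGRAM and the sender is on the CentOS list.
        channel {
            parser { syslog-parser(); };
            filter(f_has-program);
            filter(f_Linux-centos);
            destination(d_Linux-centos);
            flags(final);
        };
        # Channel 2: reached only by messages channel 1 did not claim.
        channel {
            destination(d_other);
            flags(final);
        };
    };
};
```

Running syslog-ng with -d, as asked for above, shows per message which channel claimed it and what syslog-parser() put into PROGRAM.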