<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Thanks for the information.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
There is no configuration option to disable automatic sequenceID generation into SDATA or to disable using SDATA when syslog() destination or the "syslog-protocol" flag is used.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
In case of local sources, like file(), unix-dgram() or the system() source (except where systemd is used) the sequenceID is automatically added, as stated before.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
I've checked for workarounds, but haven't found a good one:<br>
<ul>
<li>unset() rewrite rule won't work, as in this case the sequenceID is generated on destination side,</li><li>using a custom RFC5424-like template(), where the SDATA is replaced with a literal "-" won't work either, as in case of syslog() or network(... flags(syslog-protocol)), the "frame" of RFC5424 is automatically<br>
added to the outgoing message.<br>
</li></ul>
<div>The only way this can be done if a simple TCP destination is used, with the above mentioned custom RFC5424-like template, but the source on the server side has to be changed to a simple TCP source as well.</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">I've found some discussion about the future of SEQNUM, which is slightly connected to this:</span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<a href="https://github.com/syslog-ng/syslog-ng/issues/2152" id="LPNoLP934540">https://github.com/syslog-ng/syslog-ng/issues/2152</a><br>
> 3. <span style="color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-align: left; background-color: rgb(255, 255, 255); display: inline !important">drop
SEQNUM support, as noone cares. Be able to extract it from log messages, but leave it in a name-value pair (e.g. .cisco.seq_num), and nothing else. Never generate it on output.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Just out of interest, can you explain to me what kind of problem is caused by sequenceId on server side?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Maybe we can filter, or opt out the sequenceId on the server side (as syslog() source on the server side will parse it, there it can be removed with a rewrite rule).</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Regards,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Gabor</div>
<br>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Debjyoti Mukherjee <debmukhra@gmail.com><br>
<b>Sent:</b> Friday, November 29, 2019 11:30<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] Structure data set to "-"</font>
<div> </div>
</div>
<div>
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div dir="ltr">Configuration is simple with default config only I have added a destination syslog () to send to UDP remote host listening on 514 port</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Wed, Nov 27, 2019 at 7:11 PM Gabor Nagy (gnagy) <<a href="mailto:Gabor.Nagy@oneidentity.com">Gabor.Nagy@oneidentity.com</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Hello,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Syslog-ng does not always put the sequenceId into SDATA, for example logs from a local file will have a seqnum and when forwarded it will have this SDATA field.<br>
More info about this can be found under SEQNUM macro in our admin guide:<br>
<a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.syslog-ng.com%2Ftechnical-documents%2Fdoc%2Fsyslog-ng-open-source-edition%2F3.24%2Fadministration-guide%2F63%23TOPIC-1298112&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507915178&sdata=iwziFWST8r6l6AE346sbA6o%2FRjmxiemwA3fACrrda8c%3D&reserved=0" originalsrc="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/63#TOPIC-1298112" shash="tsTCb91eAb+Xq+x1iq9vGDVZFpWfi4Pz8SsEt9nLKWNs6ZJ0Wa8gyvOnwHwiAQQkwMBt+VusIHvTIeO6rkBdsoLDm6sbGmvuOCZhm6kIBJZdo+URiJZx+JHT/OPwyMn9vulskYIyQd2l580dRr5Gyt1D4sx0Ba7qqcAVtPToo/s=" id="x_gmail-m_3470920806590748091LPNoLP630292" target="_blank">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/63#TOPIC-1298112</a><br>
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Well, I don't know a quick solution (e.g. a config option to disable this), I'll try to help you.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt">Can you share your configuration, please?</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt"><br>
Regards,<br>
Gabor</span></div>
<div id="x_gmail-m_3470920806590748091appendonsend"></div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_3470920806590748091divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Debjyoti Mukherjee <<a href="mailto:debmukhra@gmail.com" target="_blank">debmukhra@gmail.com</a>><br>
<b>Sent:</b> Tuesday, November 26, 2019 16:17<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a> <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] Structure data set to "-"</font>
<div> </div>
</div>
<div>
<div style="background-color:rgb(255,235,156); width:100%; border-style:solid; border-color:rgb(156,101,0); border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:Calibri; color:black; text-align:left">
<span style="color:rgb(156,101,0); font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div dir="ltr">Hello
<div><br>
</div>
<div>Trying to send logs to remote syslog server in RFC 5424 format. The STRUCTURE_DATA should be set to "-".</div>
<div><br>
</div>
<div>What is the way to the this value to "-"</div>
<div><br>
</div>
<div>Currently it is coming as [meta sequenceId="21"]. I am using Openwrt and the syslog version is 3.24</div>
<div><br>
</div>
<div>Thank you</div>
</div>
</div>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507925171&sdata=vPpAAE9LuenQ2WmwhfcijUoNgxSlWAIT5qahMA5ycgQ%3D&reserved=0" originalsrc="https://lists.balabit.hu/mailman/listinfo/syslog-ng" shash="O5i9AeJIm+cgY/g08NhVwO24dZTITNBhfRafhH7sUYMAceAvfcKjT7gxxMxy5ykslM60wAU8H12hHKEwlbfj3mG7T9SQtldAYxI0boGbHl8jO4P112kN/8ZINJr8wGLGShf0uGlfvF3er1tWfU+0G1vjpebzJtMsF/1TTXmLErA=" rel="noreferrer" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507925171&sdata=ePekEu%2BTh7n7w36V69NmI%2BE%2FDwDfqfi51ZTsKFYjg3I%3D&reserved=0" originalsrc="http://www.balabit.com/support/documentation/?product=syslog-ng" shash="mdUvFYNWTRWOIinIK3GNClMqVOynIJpP2XByomLPFtVlN2NghQ/4kqj/SIHnz2mPBUtYCrX55fgZ18q3r0cjxfcB/HaOC6hoCPa1gpqnj8oLznDNZor6dKcB2h8pzpRDVmXJirLPIwbexxLtpMmA+h29PSnqXrCuWxH+HoGVpaA=" rel="noreferrer" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507935164&sdata=HnKbecsXh%2FOo93HooesTjCG8PgpJWcNr%2FoXPsMuTghI%3D&reserved=0" originalsrc="http://www.balabit.com/wiki/syslog-ng-faq" shash="E6/REmi6MWKrxT7gP8x2XRJ1e8Z0NgIpFKzJ0bnWp/CP3y8Iln+4Y925d4IBFn5qYeW4mIXhEoLedqWTq1lWqdswVaLgYF2vglbYA6fbLKLkYL477wFP6hoMTmY1hiSjVEyuTCd3H5FNO6KnRAy3Uw59f1pnRVEWhV0SHZ/vUw4=" rel="noreferrer" target="_blank">
http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</body>
</html>