<html><head></head><body><div class="ydp23375974yahoo-style-wrap" style="font-family:courier new, courier, monaco, monospace, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">Double checking; is the list dead? I did not receive a bounce.<br></div><div><br></div>
</div><div id="ydp820bbfa3yahoo_quoted_1331404169" class="ydp820bbfa3yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Saturday, July 29, 2023 at 11:06:28 PM GMT+9, Greg Christopher &lt;gregory_christopher@yahoo.com&gt; wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="ydp820bbfa3yiv5537325767"><div><div style="font-family:courier new, courier, monaco, monospace, sans-serif;font-size:13px;" class="ydp820bbfa3yiv5537325767ydpb098769yahoo-style-wrap"><div id="ydp820bbfa3yiv5537325767ydpb098769yiv0328036568"><div><div style="font-family:courier new, courier, monaco, monospace, sans-serif;font-size:13px;" class="ydp820bbfa3yiv5537325767ydpb098769yiv0328036568yahoo-style-wrap"><div dir="ltr"><font face="Helvetica Neue, Helvetica, Arial, sans-serif">Hi All,<br></font><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"> Did my best (about a week's effort) to find this information online and apologize if it's obvious.<br><br> I am trying to use syslog-ng as a client to send messages to a syslog-compliant server with the proper severity and facility set. I am starting with plain-text log files.<br></font></div><div dir="ltr"><font face="Helvetica Neue, Helvetica, Arial, sans-serif"><br></font><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"> The <a href="https://www.rfc-editor.org/rfc/rfc5424" class="ydp820bbfa3yiv5537325767ydpb098769yiv0328036568" rel="nofollow" target="_blank">syslog RFC</a> as well as the <a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.18/administration-guide/8" class="ydp820bbfa3yiv5537325767" rel="nofollow" target="_blank">syslog-ng documentation</a> are pretty clear about the syslog message format itself.</font></div><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"><br></font></div><div dir="ltr"><font face="Helvetica Neue, Helvetica, Arial, sans-serif"> There are even syslog-ng functions to <a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.36/administration-guide/77#TOPIC-1768796" class="ydp820bbfa3yiv5537325767" rel="nofollow" target="_blank">substitute severity and facility</a> using a function called "rewrite". 
But this doesn't seem to work if you are starting with a regular application log. In other words, there is nothing to "rewrite" since this header was never there to begin with.<br></font><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"> Although I initially configured my application log with <span><b>flags(no-parse)</b></span>, I attempted to remove it so that my rewrite attempt would at least have a facility and severity to "rewrite", but this also seems to have failed.</font></div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"><br></font><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"> Next I attempted prepending "&lt;81&gt;" (8*10 + 1) to the application messages to get the right priority field, but this failed to change what the syslog-ng server on the other end received, as I have modified its output to include severity and facility:</font></div><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif">---<br></font></div><div dir="ltr"><pre>destination d_local {
 file("/var/log/syslog-ng/$HOST" template("Fac: $FACILITY Pri: $PRIORITY $ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};</pre><font face="Helvetica Neue, Helvetica, Arial, sans-serif">---<br></font><div dir="ltr"><font face="Helvetica Neue, Helvetica, Arial, sans-serif"> It does seem to be working properly, but the above two approaches to increasing the severity and noting this is a security facility message failed.<br><br></font><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif">So it seems this use case, where we create syslog entries from scratch, sort of throws a curve ball at syslog-ng clients, at least from what I can figure.<br><br>Any help on how I can set these manually into the destination would be greatly appreciated.<br><br></font><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif">Here is my syslog-ng.conf at the moment; note that I pull the log file name out of an environment variable:</font></div></div><div>---<br></div><div dir="ltr"><pre>@version: 4.1

# Configure the source to read from the messages log file
# no-parse means whole line becomes "message" portion.
# Template should indicate security alert to syslog daemon
source s_APP_LOG {
 file(`APP_LOG`);
# file(`APP_LOG` flags(no-parse));
};

rewrite set_pri_fields {
 set-severity("alert");
 set-facility("security");
};

destination d_destination {
 syslog(`syslogServer`);
};

# Configure the log statement to route messages from the application log file to
# the syslog server specified on the command line
log {
 source(s_APP_LOG);
 rewrite(set_pri_fields);
 destination(d_destination);
};</pre><div><br></div></div><div><font face="Helvetica Neue, Helvetica, Arial, sans-serif">---</font></div><div dir="ltr"><font face="Helvetica Neue, Helvetica, Arial, sans-serif">Greg<br></font></div><font face="Helvetica Neue, Helvetica, Arial, sans-serif"></font></div></div><div><br></div></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div><br></div> <div><br></div><div><br></div></div></div></div></div></div></div></div></div></div>
</div>
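An added example, not part of this thread or of syslog-ng itself: a small Python helper that builds the RFC 5424 PRI the message above prepends (&lt;81&gt; is facility 10 * 8 + severity 1), decodes a PRI from a raw line, and compares the facility and severity names the receiving side writes through the Fac: $FACILITY Pri: $PRIORITY template with what the client intended. The sample received line is constructed, and the checker assumes those two macros expand to lowercase names such as user and notice.

```python
import re
from typing import Dict, Optional, Tuple

# Numeric facility codes from RFC 5424 section 6.2.1; the labels are this example's
# own shorthand for the RFC descriptions, not syslog-ng's facility() names.
FACILITIES: Dict[int, str] = {
    0: "kernel", 1: "user-level", 2: "mail", 3: "system daemons",
    4: "security/authorization", 5: "syslogd internal", 6: "line printer",
    7: "network news", 8: "UUCP", 9: "clock daemon", 10: "security/authorization",
    11: "FTP daemon", 12: "NTP", 13: "log audit", 14: "log alert", 15: "clock daemon",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")                   # PRI = "<" PRIVAL ">", 0..191
RECEIVED_RE = re.compile(r"^Fac: (\S+) Pri: (\S+) ")   # the thread's file() template

def encode_pri(facility: int, severity: int) -> str:
    """Build the PRI a client must prepend, e.g. (10, 1) -> '<81>'."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return f"<{facility * 8 + severity}>"

def decode_pri(message: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a leading PRI, or None when it is missing or
    out of range; such a line is what a receiver re-tags with its own defaults."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)

def check_received(line: str, want_facility: str, want_severity: str) -> Dict[str, object]:
    """Compare the names a receiver wrote via 'Fac: $FACILITY Pri: $PRIORITY ...'
    with what the client intended (assumes the macros expand to lowercase names)."""
    m = RECEIVED_RE.match(line)
    if not m:
        return {"parsed": False}
    got_fac, got_sev = m.groups()
    return {"parsed": True, "facility": got_fac, "severity": got_sev,
            "ok": (got_fac, got_sev) == (want_facility, want_severity)}

# Constructed sample of a receiver-side line where the client's rewrite did not take
# effect, so the message kept the default user.notice tagging.
SAMPLE_RECEIVED = ("Fac: user Pri: notice 2023-07-29T23:06:28.000+09:00 apphost "
                   "MESSAGE=config reloaded")

if __name__ == "__main__":
    fac, sev = decode_pri("<81>Jul 29 23:06:28 apphost app: config reloaded")
    print(encode_pri(10, 1), FACILITIES[fac], SEVERITIES[sev])
    print(check_received(SAMPLE_RECEIVED, "security", "alert"))
```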
</div></body></html>