<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div class="moz-cite-prefix">Hello,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I must admit I'm not sure that I understood everything you wrote. So, without knowing what you mean by a regular application log (which is kind of ambiguous, as even a single event could get split into hundreds of lines, especially
when it comes to backtraces), assuming one unstructured/unformatted, thus random, line represents an event, the worst-case scenario is using the no-parse flag to read the entire line into the $MESSAGE macro and build an RFC 5424-compliant message using a template
like this:<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">"<81>1 $ISODATE $HOST fakeapplication fakeprocessid fakemsgid - $MESSAGE\n"</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Obviously nobody likes it when the timestamp doesn't match the date when the actual event happened but rather when the log processor ingested it (logstash @timestamp and syslog output plugin, I'm looking at you!)<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">So if the input contains somewhat syslog-looking messages (a timestamp, application name, etc.), then you can experiment with syslog-parser(). The last resort would be writing a custom parser.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Without seeing an actual log message and a decoded packet reaching the syslog server, showing how it was transformed by the client, I can't help.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Note that syslog-ng internally defines the facility names, so "security" is facility 13 and the expected priority should be between 104 and 111; "authpriv" has facility code 10. This is documented in the OSE admin guide, not just
in lib/syslog-names.c<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Regards,</div>
<div class="moz-cite-prefix">Sandor<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
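<div class="moz-cite-prefix">As an added example (not syslog-ng code, and not from either message in this thread), the following Python encodes and decodes the PRI field and builds/parses a header in the shape of the template above, so the facility and severity a client actually emitted can be checked on the receiving side. The facility table follows the syslog-ng naming stated above (security = 13, authpriv = 10) and is deliberately partial; the host name, application name and sample line are constructed values.</div>
<div class="moz-cite-prefix"><br>
</div>
<pre>
```python
"""Encode/decode the RFC 5424 PRI field and build/parse a header of the form
'<PRI>1 ISODATE HOST APP PROCID MSGID - MSG'.  Added example, not syslog-ng code."""
import re
from datetime import datetime, timezone

# Facility codes.  Names follow syslog-ng's convention as described in the
# thread ("security" is 13, "authpriv" is 10); the table is deliberately partial.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "security": 13,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FAC_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEV_BY_CODE = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. security/alert -> 13*8 + 1 = 105."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:  # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return _FAC_BY_CODE.get(fac, f"facility{fac}"), _SEV_BY_CODE[sev]


def pri_range(facility):
    """Inclusive PRI range a given facility can produce (security -> 104..111)."""
    base = FACILITIES[facility] * 8
    return base, base + 7


def build_rfc5424(facility, severity, host, app, msg, procid="-", msgid="-", timestamp=None):
    """Build the same header the template in the thread produces."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")  # RFC 5424 spells UTC as "Z"
    return f"<{encode_pri(facility, severity)}>1 {ts} {host} {app} {procid} {msgid} - {msg}"


# Header regex: PRI, version 1, then the five space-separated header fields,
# then either "-" or a single STRUCTURED-DATA element, then the free-form MSG.
_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$", re.DOTALL
)


def parse_rfc5424(line):
    """Parse a received line; raises ValueError when the header is not RFC 5424."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: " + line[:40])
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri, "facility": facility, "severity": severity,
        "timestamp": m.group(2), "host": m.group(3), "app": m.group(4),
        "procid": m.group(5), "msgid": m.group(6), "sd": m.group(7), "msg": m.group(8),
    }


def check_facility(line, expected_facility):
    """True when the PRI of the received line falls inside the expected facility's range."""
    lo, hi = pri_range(expected_facility)
    return lo <= parse_rfc5424(line)["pri"] <= hi


# Constructed sample: a line prefixed with "<81>" as in the thread.  81 = 8*10 + 1,
# which is authpriv/alert, not security/alert, so the facility check fails.
SAMPLE_LINE = "<81>1 2023-08-01T01:09:00.000Z host1 fakeapplication fakeprocessid fakemsgid - login failed"

if __name__ == "__main__":
    print(decode_pri(81), check_facility(SAMPLE_LINE, "security"))
    print(build_rfc5424("security", "alert", "host1", "fakeapplication", "login failed"))
```
</pre>
<div class="moz-cite-prefix">The regex accepts only one STRUCTURED-DATA element, which is enough for the "-" the template above emits; a real receiver should use a full parser. Running check_facility() over a few received lines is a quick way to confirm whether the client really sent the facility the configuration intended, rather than the default one.</div>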
<div class="moz-cite-prefix">On 2023. 08. 01. 1:09, Greg Christopher wrote:<br>
</div>
<blockquote type="cite" cite="mid:1120315795.213863.1690844981439@mail.yahoo.com">
<div class="ydp23375974yahoo-style-wrap" style="font-family:courier new, courier, monaco, monospace,
sans-serif;font-size:13px;">
<div dir="ltr" data-setdir="false">Double checking; is the list dead? I did not receive a bounce.<br>
</div>
<div><br>
</div>
</div>
<div id="ydp820bbfa3yahoo_quoted_1331404169" class="ydp820bbfa3yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial,
sans-serif;font-size:13px;color:#26282a;">
<div>On Saturday, July 29, 2023 at 11:06:28 PM GMT+9, Greg Christopher <a class="moz-txt-link-rfc2396E" href="mailto:gregory_christopher@yahoo.com">
&lt;gregory_christopher@yahoo.com&gt;</a> wrote: </div>
<div><br>
</div>
<div><br>
</div>
<div>
<div id="ydp820bbfa3yiv5537325767">
<div>
<div style="font-family:courier new, courier, monaco,
monospace, sans-serif;font-size:13px;" class="ydp820bbfa3yiv5537325767ydpb098769yahoo-style-wrap">
<div id="ydp820bbfa3yiv5537325767ydpb098769yiv0328036568">
<div>
<div style="font-family:courier new, courier,
monaco, monospace, sans-serif;font-size:13px;" class="ydp820bbfa3yiv5537325767ydpb098769yiv0328036568yahoo-style-wrap">
<div dir="ltr"><font face="Helvetica Neue,
Helvetica, Arial, sans-serif">Hi All,<br>
</font>
<div><font face="Helvetica Neue, Helvetica,
Arial, sans-serif"> Did my best (about a week effort) to find this information online and apologize if it's obvious.<br>
<br>
I am trying to use syslog-ng as a client to send messages to a syslog compliant server with the proper severity and facility set. I am starting with plain-text log files.<br>
</font></div>
<div dir="ltr"><font face="Helvetica Neue,
Helvetica, Arial, sans-serif"><br>
</font>
<div><font face="Helvetica Neue, Helvetica,
Arial, sans-serif"> The
<a href="https://www.rfc-editor.org/rfc/rfc5424" class="ydp820bbfa3yiv5537325767ydpb098769yiv0328036568" rel="nofollow" target="_blank" moz-do-not-send="true">
syslog rfc</a> as well as the <a href="https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-4879cd1edfcd8661&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=https%3A%2F%2Fwww.syslog-ng.com%2Ftechnical-documents%2Fdoc%2Fsyslog-ng-open-source-edition%2F3.18%2Fadministration-guide%2F8" class="ydp820bbfa3yiv5537325767" rel="nofollow" target="_blank" moz-do-not-send="true">
syslog-ng documentation</a> are pretty clear about the syslog message format itself.</font></div>
<div><font face="Helvetica Neue, Helvetica,
Arial, sans-serif"><br>
</font></div>
<div dir="ltr"><font face="Helvetica Neue,
Helvetica, Arial, sans-serif"> There are even syslog-ng functions to
<a href="https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-39073d966e982428&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=https%3A%2F%2Fwww.syslog-ng.com%2Ftechnical-documents%2Fdoc%2Fsyslog-ng-open-source-edition%2F3.36%2Fadministration-guide%2F77%23TOPIC-1768796" class="ydp820bbfa3yiv5537325767" rel="nofollow" target="_blank" moz-do-not-send="true">
substitute severity and facility</a> using a function called "rewrite". But this doesn't seem to work if you are starting with a regular application log. In other words, there is nothing to "rewrite" since this header was never there to begin with.<br>
</font>
<div><font face="Helvetica Neue,
Helvetica, Arial, sans-serif"> Although I initially configured my application log with
<span><b>flags(no-parse)</b></span> , I attempted to remove it so that my rewrite attempt would at least have a facility and severity to "rewrite", but this also seems to have failed.</font></div>
<font face="Helvetica Neue, Helvetica,
Arial, sans-serif"><br>
</font>
<div><font face="Helvetica Neue,
Helvetica, Arial, sans-serif"> Next I attempted prepending "<81>" (8*10 + 1) to the application messages to get the right priority field, but this failed to change what the syslog-ng server
on the other end received; I have modified its output to include severity and facility:</font></div>
<div><font face="Helvetica Neue,
Helvetica, Arial, sans-serif">---<br>
</font></div>
<div dir="ltr">destination d_local {<br>
file("/var/log/syslog-ng/$HOST" template("Fac: $FACILITY Pri: $PRIORITY $ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));<br>
};<br>
<font face="Helvetica Neue, Helvetica,
Arial, sans-serif">---<br>
</font>
<div dir="ltr"><font face="Helvetica
Neue, Helvetica, Arial, sans-serif"> It does seem to be working properly but the above two approaches to increasing the severity and noting this is a security facility message failed.<br>
<br>
</font>
<div><font face="Helvetica Neue,
Helvetica, Arial, sans-serif">So it seems this use case where we create syslog entries from scratch sort of throws a curve ball at syslog-ng clients, at least from what I can figure.<br>
<br>
Any help on how I can set these manually into the destination would be greatly appreciated.<br>
<br>
</font>
<div><font face="Helvetica Neue,
Helvetica, Arial, sans-serif">Here is my syslog-ng.conf at the moment; note that I pull the log file name out of an environment variable:</font></div>
</div>
<div>---<br>
</div>
<div dir="ltr">
<div>@version: 4.1<br>
<br>
# Configure the source to read from the messages log file<br>
# no-parse means whole line becomes "message" portion.<br>
# Template should indicate security alert to syslog daemon<br>
source s_APP_LOG {<br>
file(`APP_LOG`);<br>
# file(`APP_LOG` flags(no-parse));<br>
<br>
};<br>
<br>
rewrite set_pri_fields {<br>
set-severity("alert");<br>
set-facility("security");<br>
};<br>
<br>
<br>
destination d_destination {<br>
syslog(`syslogServer`);<br>
};<br>
<br>
<br>
<br>
# Configure the log statement to route messages from the application log file to<br>
# the syslog server specified on the command line<br>
<br>
log {<br>
source(s_APP_LOG);<br>
rewrite(set_pri_fields);<br>
destination(d_destination);<br>
};</div>
<div><br>
</div>
</div>
<div><font face="Helvetica Neue,
Helvetica, Arial, sans-serif">---</font></div>
<div dir="ltr"><font face="Helvetica
Neue, Helvetica, Arial,
sans-serif">Greg<br>
</font></div>
</div>
</div>
<div><br>
</div>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-72681b0c6466e37f&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng">https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-72681b0c6466e37f&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-495b5472c8de2e06&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng">https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-495b5472c8de2e06&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c93a94005a04ead7&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq">https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c93a94005a04ead7&q=1&e=290c4c0e-1f5b-482c-8902-b0c3bc63b102&u=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>