<div dir="auto">If you supply the template() option on the first server, that change the format the protocol expects. So you need to use the standard template and then reformat it to your needs on the 2nd, by using template there.<div dir="auto"><br></div><div dir="auto">The reason the $program captured the severity value as you were using $SEVERITY in the position where the normal syslog format expects the program name.</div><div dir="auto"><br></div><div dir="auto">The syslog-ng() driver Fabien mentioned requires you to include scl.conf which is the syslog-ng configuration library.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 12, 2024, 07:43 Maurya, Shivani <<a href="mailto:shivani.maurya@intel.com">shivani.maurya@intel.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for the response. <br>
<br>
The format mentioned in the admin guide for 1st syslog server is resulting in failure of syslog-ng service, hence I modified it to make sure the syslog-ng service starts. <br>
On the 1st syslog server, I added the syslog destination as -<br>
<br>
destination d_ewmm {<br>
syslog("secondary_IP");<br>
};<br>
<br>
On 2nd syslog server, default-network-drivers(); option is not working. Hence, I am trying to capture the syslog messages like - <br>
<br>
source src {<br>
network(transport(udp) ip(secondary_IP) port(514));<br>
<br>
};<br>
<br>
But the issue still persists, no change in the message format. <br>
<br>
Regards,<br>
Shivani Maurya<br>
<br>
-----Original Message-----<br>
From: syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>> On Behalf Of Fabien Wernli<br>
Sent: Wednesday, December 11, 2024 8:10 PM<br>
To: Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
Subject: Re: [syslog-ng] Syslog server chaining issue<br>
<br>
Hi,<br>
<br>
On 2024-12-11 12:47:29, Maurya, Shivani wrote:<br>
> Hi All,<br>
> <br>
> I am using 2 syslog servers on version 3.31. The devices are sending syslog message to 1st syslog server. The 1st syslog server is forwarding the same message to 2nd syslog server.<br>
> <br>
> Device --> Syslog Server 1 --> Syslog Server 2<br>
<br>
I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.<br>
<br>
<a href="https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages" rel="noreferrer noreferrer" target="_blank">https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages</a><br>
<a href="https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/README" rel="noreferrer noreferrer" target="_blank">https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/README</a><br>
<a href="https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-drivers/README" rel="noreferrer noreferrer" target="_blank">https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-drivers/README</a><br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>