I am not 100% sure of this, but I think that the no-parse flag places the line into the message portion and spoofs all of the prefix elements such as priority, facility, host, and date, but still processes the PROGRAM and the MSG. If you try using a template of

template apache { template("$PROGRAM $MESSAGE\n"); template-escape(no); };

I think you might have better success.

Evan.

On 11/12/2015 12:34 AM, Gareth Allen wrote:
Hi all
I'm sending Apache logs to a remote syslog-ng server, but the remote server isn't keeping the message intact.
Source:
My Apache log format:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
What the log looks like:
172.27.15.149 - - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" 200 3594 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
My syslog-ng configuration:
source s_apache { file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse)); };
destination d_apache_tcp { tcp("x.x.x.x" port(514)); };
log { source(s_apache); destination(d_apache_tcp); };
Log server:
source s_net { udp(port(514)); tcp(port(514)); };
template apache { template("${MESSAGE}\n"); template-escape(no); };
destination apache { file("/var/log/apachetest" template(apache)); };
What I see in /var/log/apachetest:
- - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" 200 3594 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
As you can see, the IP at the beginning of the log entry is being removed. I've tried using $MSG and $MSGONLY.
Any ideas would be greatly appreciated.
Gareth