Hi,

I tried to rewrite PRI but the macro is not writable:

Mar 09 11:27:31 localhost syslog-ng[31986]: Error parsing rewrite expression, PRI is read-only, it cannot be changed in rewrite rules in /etc/syslog-ng/syslog-ng.conf:
Mar 09 11:27:31 localhost syslog-ng[31986]: 359 };
Mar 09 11:27:31 localhost syslog-ng[31986]: 360 # end of localFile: netconf-commands
Mar 09 11:27:31 localhost syslog-ng[31986]: 361
Mar 09 11:27:31 localhost syslog-ng[31986]: 362
Mar 09 11:27:31 localhost syslog-ng[31986]: 363 # remote: test
Mar 09 11:27:31 localhost syslog-ng[31986]: 364---> rewrite r_pri{set("189", value("PRI"));};
Mar 09 11:27:31 localhost syslog-ng[31986]: 364---> ^
Mar 09 11:27:31 localhost syslog-ng[31986]: 365 destination d_test_udp {
Mar 09 11:27:31 localhost syslog-ng[31986]: 366 syslog("192.168.122.1" transport("udp") ip-protocol(4) port(514)
Mar 09 11:27:31 localhost syslog-ng[31986]: 367 suppress(5)
Mar 09 11:27:31 localhost syslog-ng[31986]: 368 disk-buffer(
Mar 09 11:27:31 localhost syslog-ng[31986]: 369 mem-buf-size(2097152)

I tried to use the following configuration to make a facility override local0 -> local7:

# remote: test
template t_test { template("$(if ('${LEVEL_NUM}' == '0') '<184>1' $(if ('${LEVEL_NUM}' == '1') '<185>1' $(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' $(if ('${LEVEL_NUM}' == '5') '<189>1' $(if ('${LEVEL_NUM}' == '6') '<190>1' '<191>1' ))))))) ${ISODATE} ${HOST} ${PROGRAM} ${PID} $(if ('${MSGID}' == '') '-' '${MSGID}') $(if ('${SDATA}' == '') '-' '${SDATA}') ${MESSAGE}"); };
destination d_test_udp { network("192.168.122.1" transport("udp") ip-protocol(4) port(514) template ("t_test") ); };
filter f_remote_test_udp_local0 { facility(local0) and level(debug .. emerg); };
log { source(s_src); filter(f_remote_test_udp_local0); destination(d_test_udp); flags(flow-control); };
# end of remote server: test

The problem is that I get a double header in the syslog server:

Mar 9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6
Mar 9 11:41:53 127.0.0.1 root[31404] <190>1 2020-03-09T11:41:53+00:00 127.0.0.1 root 31404 - - This is a Test 7
Mar 9 11:41:53 127.0.0.1 root[31448] <190>1 2020-03-09T11:41:53+00:00 127.0.0.1 root 31448 - - This is a Test 8
Mar 9 11:41:54 127.0.0.1 root[31449] <190>1 2020-03-09T11:41:54+00:00 127.0.0.1 root 31449 - - This is a Test 9
Mar 9 11:41:54 127.0.0.1 root[31468] <190>1 2020-03-09T11:41:54+00:00 127.0.0.1 root 31468 - - This is a Test 10
Mar 9 11:41:55 127.0.0.1 root[31485] <190>1 2020-03-09T11:41:55+00:00 127.0.0.1 root 31485 - - This is a Test 11
Mar 9 11:41:55 127.0.0.1 root[31526] <190>1 2020-03-09T11:41:55+00:00 127.0.0.1 root 31526 - - This is a Test 12
Mar 9 11:41:55 127.0.0.1 root[31567] <190>1 2020-03-09T11:41:55+00:00 127.0.0.1 root 31567 - - This is a Test 13

Can you help me?

Thanks and regards,
Alex

On Mon, Jan 20, 2020 at 07:49 AM Attila Szakacs (aszakacs) <Attila.Szakacs@oneidentity.com> wrote:
Hi Alex,
I think ${PRI} does exactly that.
PRI Description: The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.
Regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Friday, January 17, 2020 7:56 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] facility override
Hi,
Is there a way of overriding the facility of the messages on the destination, besides using a template like:

{ template("$(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' ${HOST}\\@`HOSTIPV4` ${PROGRAM} ${PID} ${SDATA} ${MESSAGE}\n"); };
Thanks in advance, Alex
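
The values 184 to 191 in the templates above follow from the syslog PRI encoding, PRI = facility * 8 + severity, with local7 = 23. The Python sketch below is an added example, not code from any post in this thread or from syslog-ng: it re-encodes the PRI of a raw frame for a new facility and flags stored lines that carry a second RFC 5424 header in the message body. The function names and the SENT frame are constructed for illustration; STORED is one of the received lines quoted in the thread.

```python
import re

LOCAL0, LOCAL7 = 16, 23          # RFC 5424 facility codes
PRI_RE = re.compile(r"^<(\d{1,3})>")
# "<PRI>1 YYYY-MM-DDT" is how an RFC 5424 header starts
HEADER_5424_RE = re.compile(r"<(\d{1,3})>1 \d{4}-\d{2}-\d{2}T")


def decode_pri(pri):
    """Split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity


def override_facility(frame, new_facility):
    """Replace the facility in a frame's leading <PRI>, keeping its severity."""
    m = PRI_RE.match(frame)
    if m is None:
        raise ValueError("frame does not start with <PRI>")
    _, severity = decode_pri(int(m.group(1)))
    return "<%d>%s" % (encode_pri(new_facility, severity), frame[m.end():])


def embedded_header_pri(line):
    """Return the PRI of an RFC 5424 header found past the start of a stored
    line (the double header from the thread), or None if there is none."""
    m = HEADER_5424_RE.search(line, 1)
    return int(m.group(1)) if m else None


# Constructed frame: local0 (16) with severity 6, i.e. PRI 134.
SENT = "<134>1 2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6"
# Line as stored by the receiving server, copied from the thread.
STORED = ("Mar 9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00 "
          "127.0.0.1 root 31353 - - This is a Test 6")

if __name__ == "__main__":
    print(override_facility(SENT, LOCAL7))
    print(decode_pri(embedded_header_pri(STORED)))
```

Running embedded_header_pri over a destination's stored lines is a quick check that a template change produced exactly one header per message.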