Thank you very much... that works very well indeed...

Summary of config:

source s_remote { udp(ip(0.0.0.0) port(514) flags(no-parse)); };
destination d_one { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n") template-escape(no)); };
destination d_two { udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n") template-escape(no)); };
log { source(s_local); destination(d_one); destination(d_two); };

I added the template-escape as I found that some " were being escaped - changing the original message slightly.

Joel

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: 19 June 2007 12:19 pm
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] syslog-ng as a relay

On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
Instead of this you should use two different destination definitions:
destination d_remote_one { ... };
destination d_remote_two { ... };
and later
log { source(...); filter(...); destination(d_remote_one); destination(d_remote_two); };
Organizing destinations is a matter of preference, so this is not strictly required.
$MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
try using template("<$M_PRI> $MESSAGE\n");
M_PRI is not a valid macro; the above format should be written as "<$PRI> $MESSAGE\n". M_PRI is the internal identifier for that macro.

Please note that PRIORITY and PRI are not the same. "PRI" denotes the PRI field of the syslog header, which is comprised of a FACILITY and a LEVEL value. PRIORITY is an alias for LEVEL. Sorry for the confusing names. Partly this is caused by compatibility with older versions of syslog-ng.

If the incoming message at least resembles a syslog message (e.g. it has a proper PRI heading), then you could use the template defined above. If it does not, you could still use the no-parse flag for your input, and "$MESSAGE\n" as output template.

--
Bazsi
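
Added example, not part of the original thread or of syslog-ng: a Python check for the PRI handling discussed above. It splits the PRI heading into FACILITY and LEVEL, picks the template the thread suggests for a given input, and tests whether a relayed datagram kept the PRI of the one received. The function names, facility short names and sample datagrams are assumptions constructed for illustration.

```python
import re

# Informal short names by numeric code (RFC 3164 numbering); names are assumptions.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
LEVELS = "emerg alert crit err warning notice info debug".split()

# PRI heading: "<", one to three decimal digits, ">" at the very start.
PRI_RE = re.compile(rb"\A<(\d{1,3})>")


def split_pri(datagram: bytes):
    """Return (pri, facility, level, rest), or None when no valid PRI heading exists."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:  # 191 = 23 * 8 + 7, the largest PRI
        return None
    pri = int(m.group(1))
    # PRI = FACILITY * 8 + LEVEL; PRIORITY in syslog-ng is the LEVEL part only.
    return pri, FACILITIES[pri >> 3], LEVELS[pri & 7], datagram[m.end():]


def suggested_template(datagram: bytes) -> str:
    """Pick the output template the thread recommends for this kind of input."""
    if split_pri(datagram) is not None:
        return r"<$PRI> $MESSAGE\n"  # input resembles syslog: re-emit the PRI
    return r"$MESSAGE\n"             # otherwise: no-parse input, raw pass-through


def pri_preserved(received: bytes, relayed: bytes) -> bool:
    """True when the relayed datagram carries the same PRI as the received one."""
    before, after = split_pri(received), split_pri(relayed)
    if before is None:
        return after is None
    return after is not None and after[0] == before[0]


# Constructed sample datagrams (not taken from the thread).
SAMPLES = [
    b"<165>Jun 19 12:19:00 fw01 kernel: link up",
    b"<34>Jun 19 12:19:01 host su: 'su root' failed",
    b"plain text from an appliance with no header",
    b"<999>out of range PRI",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(split_pri(sample), suggested_template(sample))
```

Running `pri_preserved` over a datagram captured before the relay and the matching one captured at the final collector shows whether a given template dropped or rewrote the facility and level.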