On Thu, 2008-11-13 at 21:18 +0100, joël Winteregg wrote:
Hi,
Thanks again for your support.
Just to know, does syslog-ng only use relay config statements (keep_hostname, etc.) when the log source is defined as udp() or tcp()?
No, keep_hostname is always applied. In 3.0, it is even possible to specify hostname related options on a per-source basis.
Okay, interesting! You can hardcode (into the config file) a given HOST macro value associated with a source config?
Yes, there are two ways to do this:

- host-override(): this is a new option that lets you specify a fixed hostname for each source; this effectively overrides the hostname parsing routines
- a rewrite rule that changes the HOST value after parsing

The first looks like this:

  pipe("/tmp/snmptrapd.pipe" host-override("overridden-host"));

everything coming from this pipe will use "overridden-host" as hostname.

The second one looks like this:

  rewrite r_host { set("overridden-host" value("HOST")); };

The rewrite rule can even use macros, like this:

  rewrite r_host { set("${HOST}-append" value("HOST")); };

This will append the string '-append' to the hostname.
I'm asking this because I'm wondering: if I forward my SNMP trap to syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in syslog.conf), will syslog-ng maybe see the SNMP trap as a compliant RFC 3164 forwarded message?
That wouldn't work. The problem is inherent in the syslog API: it does not let you change the hostname.
Okay, but here is what I wanted to achieve: log this SNMP message using snmptrapd's syslog functionality: "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
The header "Nov 12 16:57:59 wlc02.mydomain.com" that snmptrapd puts before every message is there to provide an RFC 3164 compliant message => this should make syslog-ng think that "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" is a forwarded syslog message? If so, this would allow me to fetch "wlc02.mydomain.com" as the HOST macro using keep_hostname(on), no?
You misunderstand the relayed message format. The header is not duplicated when a message is relayed; the format is still the same. E.g. the original message looks like this:

  <7>Nov 12 16:57:59 wlc02.mydomain.com Cold Start

A relayed message looks the same, except that in some cases the relay host mangles the syslog header, and changes the hostname for instance.
The only way to work around that is to have snmptrapd send its output to syslog-ng directly (and format the message according to the syslog protocol). There are multiple options:
* pipe: make snmptrapd output go to a pipe, and reference this from syslog-ng; writing to a pipe is about the same as writing to a file, so this would probably work
Ahhh, yeah! That's much easier than my relayed message style! If, as I did before, I format the snmptrapd message as follows (to a named pipe), it should work: "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
Yes. You might add a priority field though.
* program source: in 3.0, I introduced program source, which is basically a syslog-ng managed program, whose output is parsed as a syslog message, line by line.
Okay, really interesting too ;-) It reads logs from stdout and stderr of the given program?
It only fetches the standard output.
Will try this (named pipe stuff) before the csv-parser option. As I'm also interested in the csv-parser option, I will invest time to try it too. Will let you know about last-column-greedy.
The named pipe should work with any syslog-ng version; csv-parser is added in 3.0.

-- 
Bazsi
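As an added illustration (this is not code from the thread, from snmptrapd or from syslog-ng), the following Python emulates the header handling the two of them are discussing: how a collector splits an RFC 3164 line into PRI, timestamp, HOST and message, why a classic syslogd relay loses the trap sender's name (it rewrites the single header rather than nesting a second one), how keep_hostname, host-override() and a ${HOST} rewrite decide the final HOST, and what the line written to the named pipe should look like once a <PRI> field is added. The function names (parse_rfc3164, relay, resolve_host, format_for_pipe, demo) and all sample lines beyond the one quoted in the thread are constructed for this example.

```python
"""RFC 3164 header handling as discussed in the thread above.

Added example, not syslog-ng's own code: it emulates how a collector splits
"<PRI>Mmm dd hh:mm:ss HOST MSG", what a plain syslogd relay does to that
header (it rewrites HOST rather than nesting a second header), and how
keep_hostname, host-override() and a ${HOST} rewrite decide the final HOST.
Function names and all sample lines are constructed for this example.
"""
import re

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed sample input; the first two lines are the ones quoted in the thread.
SAMPLE_LINES = [
    "<7>Nov 12 16:57:59 wlc02.mydomain.com Cold Start",
    "Nov 12 16:57:59 wlc02.mydomain.com Cold Start",
    "<13>Nov 12 16:58:03 wlc03.mydomain.com snmptrapd[1234]: Link Down",
    "free-form text with no syslog header",
]

# <PRI> is optional (snmptrapd's pipe output has none); the day may be space padded.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
DEFAULT_PRI = 13  # user.notice: the usual assumption when <PRI> is missing


def parse_rfc3164(line):
    """Split one line into pri, timestamp, host and message.

    Without a recognisable header the whole line becomes the message and
    host is None: the collector then has no hostname to keep.
    """
    m = RFC3164_RE.match(line)
    if m is None:
        return {"pri": DEFAULT_PRI, "timestamp": None, "host": None, "message": line}
    pri = int(m.group("pri")) if m.group("pri") is not None else DEFAULT_PRI
    return {"pri": pri, "timestamp": m.group("ts"),
            "host": m.group("host"), "message": m.group("msg")}


def relay(line, relay_host):
    """What a classic syslogd relay emits: the same single header, HOST replaced.

    This is why snmptrapd -> syslogd -> syslog-ng cannot carry the trap
    sender's name in HOST: the relay stamps its own name into the header.
    """
    rec = parse_rfc3164(line)
    ts = rec["timestamp"] or "Nov 12 16:57:59"  # a relay stamps headerless lines itself
    return f"<{rec['pri']}>{ts} {relay_host} {rec['message']}"


def resolve_host(rec, peer_host, keep_hostname=True, host_override=None, rewrite=None):
    """Emulate the HOST decision on the collector.

    keep_hostname keeps the parsed name (if any), otherwise the sending
    peer's name is used; host-override() replaces the parsed value outright;
    a rewrite rule runs afterwards and may expand ${HOST}.
    """
    if host_override is not None:
        host = host_override
    elif keep_hostname and rec["host"] is not None:
        host = rec["host"]
    else:
        host = peer_host
    if rewrite is not None:
        host = rewrite.replace("${HOST}", host)
    return host


def format_for_pipe(host, message, month=11, day=12, hms="16:57:59",
                    facility=16, severity=5):
    """Build the line snmptrapd should write to the named pipe.

    Adds the <PRI> field suggested in the thread (local0.notice by default)
    and pads the day to two characters as RFC 3164 requires.
    """
    pri = facility * 8 + severity
    return f"<{pri}>{MONTHS[month - 1]} {day:2d} {hms} {host} {message}"


def demo():
    """Run every sample line through the pipeline; returns the final HOST values."""
    results = {}
    for line in SAMPLE_LINES:
        rec = parse_rfc3164(line)
        results[line] = {
            "kept": resolve_host(rec, "collector"),
            "via_relay": resolve_host(parse_rfc3164(relay(line, "syslogd-relay")), "collector"),
            "overridden": resolve_host(rec, "collector", host_override="overridden-host"),
            "appended": resolve_host(rec, "collector", rewrite="${HOST}-append"),
        }
    return results


if __name__ == "__main__":
    for line, hosts in demo().items():
        print(line)
        for how, host in hosts.items():
            print(f"  {how:>10}: {host}")
```

Running the script shows the point of the exchange: the line written directly to the pipe keeps "wlc02.mydomain.com" as HOST with keep_hostname on, the same line pushed through a relay comes out with the relay's name, and host-override() or the ${HOST}-append rewrite change the value after parsing. The headerless sample shows the fallback to the peer's name when there is nothing to keep.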