Try using something like this in your configuration file. It is working for me and I was having the same issue.

    @version:3.2
    # syslog-ng configuration file.
    #
    # This should behave pretty much like the original syslog on RedHat. But
    # it could be configured a lot smarter.
    #
    # See syslog-ng(8) and syslog-ng.conf(5) for more information.
    #
    options {
        flush_lines(0);
        time_reopen(10);
        log_fifo_size(1000);
        long_hostnames(off);
        use_dns(no);
        use_fqdn(no);
        create_dirs(no);
        keep_hostname(yes);
        chain_hostnames(no);
    };

    source s_syslog_in {
        # udp(ip(IP ADDRESS TO LISTEN ON. 0.0.0.0 = LISTEN ON ALL IPS) port(PORT TO LISTEN ON));
        udp(ip(0.0.0.0) port(514) flags(no-parse));
    };

    template t_log_template {
        template("Message Received: BSDTAG => $BSDTAG, DATE => $DATE, DAY => $DAY, FACILITY => $FACILITY, FACILITY_NUM => $FACILITY_NUM, FULLDATE => $FULLDATE, FULLHOST => $FULLHOST, FULLHOST_FROM => $FULLHOST_FROM, HOUR => $HOUR, HOST => $HOST, HOST_FROM => $HOST_FROM, ISODATE => $ISODATE, LEVEL_NUM => $LEVEL_NUM, MIN => $MIN, MONTH => $MONTH, MONTH_ABBREV => $MONTH_ABBREV, MONTH_NAME => $MONTH_NAME, MONTH_WEEK => $MONTH_WEEK, MSG => $MSG, MSGHDR => $MSGHDR, MSGID => $MSGID, MSGONLY => $MSGONLY, PID => $PID, PRI => $PRI, PRIORITY => $PRIORITY, PROGRAM => $PROGRAM, SDATA => $SDATA, SEC => $SEC, SEQNUM => $SEQNUM, SOURCEIP => $SOURCEIP, STAMP => $STAMP, TAG => $TAG, TAGS => $TAGS, TZ => $TZ, TZOFFSET => $TZOFFSET, UNIXTIME => $UNIXTIME, YEAR => $YEAR, WEEK => $WEEK, WEEK_ABBREV => $WEEK_ABBREV, WEEK_DAY => $WEEK_DAY, WEEKDAY => $WEEKDAY, WEEK_DAY_NAME => $WEEK_DAY_NAME\n\n");
        template_escape(no);
    };

    destination d_syslog_file {
        # copy syslog message to file
        file("/opt/logs/syslog-ng-$YEAR-$MONTH-$DAY.log" template(t_log_template));
    };

    log { source(s_syslog_in); destination(d_syslog_file); };

After this runs a few times, look in the log file and see which of the variables (the things in all caps before the "=>" symbols) have the data you need.
It will more than likely be in the "$MSG" field, which you can then use in a template to forward the data. As an example, here is what my configuration file looks like:

    @version:3.2
    # syslog-ng configuration file.
    #
    # This should behave pretty much like the original syslog on RedHat. But
    # it could be configured a lot smarter.
    #
    # See syslog-ng(8) and syslog-ng.conf(5) for more information.
    #
    options {
        flush_lines(0);
        time_reopen(10);
        log_fifo_size(1000);
        long_hostnames(off);
        use_dns(no);
        use_fqdn(no);
        create_dirs(no);
        keep_hostname(yes);
        chain_hostnames(no);
    };

    source s_syslog_in {
        # udp(ip(IP ADDRESS TO LISTEN ON. 0.0.0.0 = LISTEN ON ALL IPS) port(PORT TO LISTEN ON));
        # no-parse: the whole incoming line lands in $MSG instead of being split into header fields
        udp(ip(0.0.0.0) port(514) flags(no-parse));
    };

    template t_send_syslog_template {
        template("$MSG");
        template_escape(no);
    };

    destination d_syslog_out {
        # udp("IP ADDRESS/DOMAIN NAME TO SEND TO" port(PORT TO SEND TO) template(TEMPLATE TO USE) spoof-source(YES/NO));
        # spoof-source(yes) needs a syslog-ng build with libnet support and root privileges
        udp("IP ADDRESS/DOMAIN NAME TO SEND TO " port(514) template(t_send_syslog_template) spoof-source(yes));
    };

    log { source(s_syslog_in); destination(d_syslog_out); };

Thank you!

Jason Kojro-Badziak
Monolith Software
Staff Engineer
311 North 2nd Street, Suite #302
St. Charles, IL 60174
Office: 312-957-6470 x3010
Email: jbadziak@monolith-software.com

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of C. L. Martinez
Sent: Wednesday, May 23, 2012 12:53 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] remove header

On Tue, May 22, 2012 at 11:25 PM, Richard F. Hart II <richard.hartii@gmail.com> wrote:
> I have a Juniper SRX that is sending its syslogs to a syslog-ng server. Then I am having the syslog-ng server forward those Juniper syslog messages to NitroSecurity ESM. However, I am having some difficulty. The syslog-ng server is appending a header to the beginning of the Juniper syslog message when it sends it to the NitroSecurity ESM. How can I tell syslog-ng not to append its header to the beginning of the message?
>
> Here is a sample:
>
> <14>May 22 08:31:03 syslog-ng.example.com 2012-05-22T08:28:48.548 Juniper-SRX RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.34 source-address="192.168.1.34" source-port="40944" destination-address="4.2.2.2" destination-port="1984" service-name="None" nat-source-address="192.168.1.34" nat-source-port="40944" nat-destination-address="4.2.2.2" nat-destination-port="1984" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="175008" source-zone-name="legacy" destination-zone-name="t-a" session-id-32="220372159" username="N/A" roles="N/A" packet-incoming-interface="reth4.0"]
>
> How do I stop syslog-ng from appending the underlined section?
>
> Thank you,
> Richard
What header?? I have a Juniper SRX that forwards all logs to an rsyslog instance and the log is exactly like this ...
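As an added illustration that is not part of the thread: the sample line Richard quoted, split into the BSD-style header the relay prepended and the original Juniper structured-data message the ESM actually wants. The regexes, field names and the trimmed sample are my own construction, not anything from syslog-ng itself.

```python
import re

# Constructed sample, trimmed from the line quoted in Richard's message:
# a BSD-syslog header added by the relay, followed by the SRX's own structured message.
SAMPLE = (
    '<14>May 22 08:31:03 syslog-ng.example.com '
    '2012-05-22T08:28:48.548 Juniper-SRX RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.34 source-address="192.168.1.34" source-port="40944" '
    'destination-address="4.2.2.2" destination-port="1984" protocol-id="6" '
    'policy-name="175008" session-id-32="220372159" packet-incoming-interface="reth4.0"]'
)

# Outer header in the classic BSD form: <PRI>Mmm dd HH:MM:SS host
RELAY_HDR = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$',
    re.S,
)
# Inner message as the SRX sent it: ISO timestamp, hostname, app, procid, msgid, [sd-id key="value" ...]
INNER = re.compile(
    r'^(?P<stamp>\d{4}-\d\d-\d\dT[\d:.]+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
    r'(?P<msgid>\S+) \[(?P<sdid>\S+) (?P<params>.*)\]$',
    re.S,
)
PARAM = re.compile(r'([\w-]+)="([^"]*)"')


def split_relay_header(line):
    """Return (relay_header, original_message); header is None if nothing was prepended."""
    m = RELAY_HDR.match(line)
    if not m:
        return None, line
    pri = int(m['pri'])
    hdr = {'pri': pri, 'facility': pri // 8, 'severity': pri % 8,
           'stamp': m['stamp'], 'host': m['host']}
    return hdr, m['rest']


def parse_juniper(msg):
    """Break the SRX structured-data message into its header fields and key/value params."""
    m = INNER.match(msg)
    if not m:
        raise ValueError('not a Juniper structured-data message')
    return {'stamp': m['stamp'], 'host': m['host'], 'app': m['app'], 'msgid': m['msgid'],
            'sdid': m['sdid'], 'params': dict(PARAM.findall(m['params']))}


if __name__ == '__main__':
    hdr, original = split_relay_header(SAMPLE)
    print('relay header (the part the ESM should not see):', hdr)
    print('original Juniper message:', parse_juniper(original))
```

Feeding the relay output and the ESM's received line through the same two functions is a quick way to confirm which hop is adding the header.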