On Wed, 2009-08-12 at 14:24 +0530, Jain, Vaibhav (GE Healthcare) wrote:
Hi Bazsi,
I want to send all the log messages from client machine to server machine in the same file. I have installed the syslog-ng client on client machine and syslog-ng server on server. I am passing the source file name with the log message using FILE_NAME and template. And I am receiving the log message on server side. And using match macro I am pushing log messages in the file name present in the log message. But now on the server side the log message is actual mesg + file name. So I want to delete the file name from the received mesg. So that the received mesg would be same as original message. The use of file name in the message is only to determine the source file name. So that I can push the log in the same file in the server side. (basically same file name replica on client side and server side)
Example =>
Client = org mesg + file name | | Server side = extract / match the file name from the received mesg and push the original mesg in that log file without file name in the mesg content
Let me know how to remove the filename string from the received mesg so that I can get the actual mesg?
Well, this is certainly possible, but I'd like to raise one possible security issue with your configuration: you use the contents of the log message to generate a filename. Are you sure that you constrain these filenames to a sensible name on the server host? E.g. what happens if you receive /etc/passwd as the source filename, are you going to overwrite /etc/passwd?

Other than that you can remove the filename information by using a rewrite rule on the server side:

    rewrite xxx { subst("^[0-9a-zA-Z/_]+: (.*$)", "$1"); };

This is untested and I assume here that the message begins with the filename and a filename contains "a-zA-Z0-9/_" characters.

--
Bazsi
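The filename constraint raised in the reply above, sketched in Python as an added example (not part of the original thread and not syslog-ng code). It assumes the "<filename>: <message>" layout from the rewrite rule, adds "." to the allowed filename characters, and uses a hypothetical server directory /var/log/remote; the function names are illustrative.

```python
import os
import re

# Assumption: every replicated log file must end up below this directory.
BASE_DIR = "/var/log/remote"

# Same layout the rewrite rule assumes: "<filename>: <original message>".
# "." is added to the character class so names like app.log are accepted.
PREFIX_RE = re.compile(r"^([0-9a-zA-Z/_.]+): (.*)$", re.DOTALL)


def split_message(received):
    """Return (client_filename, original_message), or None if no prefix."""
    m = PREFIX_RE.match(received)
    return (m.group(1), m.group(2)) if m else None


def safe_destination(client_path, base_dir=BASE_DIR):
    """Map a client-supplied path to a file below base_dir, or None.

    The client path is always treated as relative, so "/etc/passwd"
    becomes <base_dir>/etc/passwd and never the server's own file.
    """
    rel = client_path.lstrip("/")
    if not rel:
        return None
    # Reject empty, "." and ".." components instead of trying to clean them.
    if any(part in ("", ".", "..") for part in rel.split("/")):
        return None
    candidate = os.path.normpath(os.path.join(base_dir, rel))
    # Second check: the normalised result must still be inside base_dir.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def route(received):
    """Return (destination_path, original_message), or None to drop."""
    parsed = split_message(received)
    if parsed is None:
        return None
    name, message = parsed
    dest = safe_destination(name)
    return (dest, message) if dest else None
```

Messages for which route() returns None should go to a fixed fallback file rather than being written under a client-chosen name. The check is purely lexical, so it does not account for symlinks that already exist below the base directory.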