So I have a scenario I am having difficulties with.

I have an IDS sensor (suricata), and it is generating a log-file at /log_file_dir/fast.log

And I would like to parse this log and send it off to a remote syslog server.

I have put the following in my syslog-ng.conf:

source s_log_server { file("/log_file_dir/fast.log" program_override("snort")); };

added a destination for the remote server:

destination d_log_server { udp ("fqdn.of.primary.elsa.box" port(514)); };

Then in the log { } section I have put this:

destination(d_log_server);

Logs are making it to the remote box, but in an unparsed format…

How do I get this to trigger a parser in syslog-ng?

Thanks much,

Jim
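To make concrete what "parsing" has to produce before the remote box can do anything useful with these alerts, here is an added example that is not from the post above or from the syslog-ng project. A file() source hands each line on as one opaque message body; the gid/sid, classification, priority, protocol and addresses only become usable fields if something splits them out and puts them where the receiver can index them. The script below does that split for Suricata's fast.log line layout and renders each alert as an RFC 5424 message with the fields in STRUCTURED-DATA. The sample lines are constructed, the hostname and app name are placeholders, the severity mapping from Suricata priority to syslog severity is my own choice, the SD-ID uses the RFC's reserved example enterprise number, and timestamps (which carry no zone in fast.log) are assumed to be UTC; IPv6 addresses are not handled.

```python
"""Parse Suricata fast.log lines and render them as RFC 5424 syslog messages.

Added example, not code from the original post or from the syslog-ng project.
It assumes the sensor writes the classic fast.log layout (timestamp, [**],
[gid:sid:rev], message, classification, priority, protocol, src -> dst).
"""
import re
import socket
from datetime import datetime, timezone

# One regex for the fast.log line layout. Ports are optional so that ICMP
# lines ("{ICMP} 10.0.0.1 -> 10.0.0.2") parse too. Addresses are assumed
# to be IPv4 (IPv6 in fast.log is not handled here).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>[0-9.]+)(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>[0-9.]+)(?::(?P<dst_port>\d+))?\s*$"
)

# Constructed sample lines in the fast.log layout (not from a real sensor).
SAMPLE_LINES = """\
02/10/2023-14:33:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
02/10/2023-14:33:05.000001  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
this line is not an alert and must be skipped
"""

# Suricata priority 1 is the most severe; map it to syslog severities
# (crit/warning/notice). This mapping is an assumption, not a Suricata default.
SEVERITY_BY_PRIORITY = {1: 2, 2: 4, 3: 5}
FACILITY_LOCAL0 = 16


def parse_fast_line(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    # fast.log timestamps carry no zone; treat them as UTC (assumption).
    ev["timestamp"] = datetime.strptime(
        ev.pop("ts"), "%m/%d/%Y-%H:%M:%S.%f"
    ).replace(tzinfo=timezone.utc)
    return ev


def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in an SD-PARAM value."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_rfc5424(ev, hostname="ids-sensor", app_name="suricata"):
    """Render a parsed alert as an RFC 5424 message with the fields in structured data.

    The SD-ID 'ids@32473' uses the RFC's reserved example enterprise number; a
    deployment would use its own. Keeping fields in STRUCTURED-DATA rather than
    only in free text is what lets the receiving collector index them.
    """
    severity = SEVERITY_BY_PRIORITY.get(ev["priority"], 6)
    pri = FACILITY_LOCAL0 * 8 + severity
    sd_fields = {
        "gid": ev["gid"], "sid": ev["sid"], "rev": ev["rev"],
        "classification": ev["classification"] or "-",
        "priority": ev["priority"], "proto": ev["proto"],
        "src_ip": ev["src_ip"],
        "src_port": ev["src_port"] if ev["src_port"] is not None else "-",
        "dst_ip": ev["dst_ip"],
        "dst_port": ev["dst_port"] if ev["dst_port"] is not None else "-",
    }
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in sd_fields.items())
    return (f"<{pri}>1 {ev['timestamp'].isoformat()} {hostname} {app_name} - "
            f"ALERT [ids@32473 {sd}] {ev['msg']}")


def convert(text):
    """Parse every line of text, skipping non-alert lines; return the syslog messages."""
    out = []
    for line in text.splitlines():
        ev = parse_fast_line(line)
        if ev is not None:
            out.append(to_rfc5424(ev))
    return out


def send_udp(messages, host, port=514):
    """Ship rendered messages over plain UDP, as the posted udp() destination does.

    UDP syslog is unauthenticated and unencrypted; on an untrusted network the
    collector should be fed over TLS instead.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for msg in convert(SAMPLE_LINES):
        print(msg)
```

Running the script prints one RFC 5424 line per alert and silently drops the non-alert line; the ICMP line shows the ports coming through as "-" rather than breaking the parse. Whatever does the parsing on the syslog-ng side has to make the same decisions: which fields to pull out, where to put them in the message, and how to map Suricata's priority onto syslog severity.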