On Mon, Oct 25, 2010 at 07:31:00PM -0400, Worsham, Michael wrote:
> How do I satisfy each requirement:
> 1) Allow the incoming data stream to be saved in a format based on the incoming sender's hostname for the directory structure (ex: "/var/log/syslog/general/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log")?
> 2) Allow the IP address of the sender to be seen in the actual data file once saved to the DCS server (ex: "Oct 25 18:51:12 10.153.13.70 <syslog.err>...")?
> 3) Is there an option to have the incoming sender's data saved with both the hostname and IP address in the same header format (ex: "Oct 25 18:51:12 CH33Test-WebCO 10.153.13.70 <syslog.err>...")?
I think your best bet would be something like setting it up to receive the messages on the port the servers are logging onto using a log source which has flags(final). Then you will send the messages back to yourself. Using TCP, UDP, UNIX, or pipe would work for this part.

To do this you will configure a destination, which is used to relay the messages as they come in from the servers, and a source which is used to allow syslog-ng another chance to process the messages:

1) one socket which is set with flags to use DNS for local storage
2) one socket which is set with flags to use IPs for Tripwire

That way you could apply different properties to each socket.

You will probably need to experiment with the template used for relaying the messages from yourself to yourself to be sure nothing weird gets added when they are reforwarded back to you. For this part, using a UDP 127.0.0.1 socket might be helpful at first because you can spy on the traffic using wireshark / tshark / tcpdump along with "udp port XXXX" filter to be sure everything looks like it should.
HTH, Matthew Hall.
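A syslog-ng configuration implementing the relay-to-self layout Matthew describes, added here as an example and not taken from the thread or from the syslog-ng project. It assumes syslog-ng 3.x, loopback ports 5140/5141, the tripwire and "both" file paths, and uses the use_dns()/keep_hostname() source options for what the reply loosely calls "flags"; the file path from requirement 1 is the one quoted above.

```conf
@version: 3.2

# Hop 1: receive from the servers. use_dns()/keep_hostname() resolve the
# sender's name into $HOST; its address stays available in $SOURCEIP.
source s_servers {
    udp(ip(0.0.0.0) port(514) use_dns(yes) use_fqdn(yes) keep_hostname(no));
    tcp(ip(0.0.0.0) port(514) use_dns(yes) use_fqdn(yes) keep_hostname(no));
};

# Relay to ourselves on two loopback UDP ports. The relay template rewrites
# the header's host field so the second hop receives the resolved name
# (port 5140) or the sender's IP (port 5141) rather than "localhost".
destination d_relay_host {
    udp("127.0.0.1" port(5140) template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};
destination d_relay_ip {
    udp("127.0.0.1" port(5141) template("<$PRI>$DATE $SOURCEIP $MSGHDR$MSG\n"));
};
# Requirement 3 needs both values in one header; only hop 1 has both.
destination d_both {
    file("/var/log/syslog/both/$HOST.log" create_dirs(yes) perm(0640)
         template("$DATE $HOST $SOURCEIP <$FACILITY.$LEVEL> $MSGHDR$MSG\n"));
};
# flags(final): the raw messages are not matched by any later log path.
log { source(s_servers); destination(d_relay_host); destination(d_relay_ip);
      destination(d_both); flags(final); };

# Hop 2: one socket per property. keep_hostname(yes) and use_dns(no) are
# essential here; otherwise the relayed host field is replaced by 127.0.0.1
# or localhost, which is the "weird" result the reply warns about.
source s_loop_host { udp(ip(127.0.0.1) port(5140) keep_hostname(yes) use_dns(no)); };
source s_loop_ip   { udp(ip(127.0.0.1) port(5141) keep_hostname(yes) use_dns(no)); };

# Requirement 1: per-host directory tree keyed on the resolved name.
destination d_by_host {
    file("/var/log/syslog/general/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log"
         create_dirs(yes) dir_perm(0750) perm(0640)
         template("$DATE $HOST <$FACILITY.$LEVEL> $MSGHDR$MSG\n"));
};
# Requirement 2: on this socket $HOST is the sender's IP (set by d_relay_ip).
destination d_tripwire {
    file("/var/log/syslog/tripwire/$HOST.log" create_dirs(yes) perm(0640)
         template("$DATE $HOST <$FACILITY.$LEVEL> $MSGHDR$MSG\n"));
};

log { source(s_loop_host); destination(d_by_host); };
log { source(s_loop_ip);   destination(d_tripwire); };
```

While tuning the relay templates, `tcpdump -i lo -A udp port 5140` shows exactly what the second hop is handed, which is the check the reply suggests.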