Hi, Got the problem

I was missing a "\n" at the end of the template:

template t_test { template("$(if ('${LEVEL_NUM}' == '0') '<184>1' $(if ('${LEVEL_NUM}' == '1') '<185>1' $(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' $(if ('${LEVEL_NUM}' == '5') '<189>1' $(if ('${LEVEL_NUM}' == '6') '<190>1' '<191>1' ))))))) ${ISODATE} ${HOST} ${PROGRAM} ${PID} $(if ('${MSGID}' == '') '-' '${MSGID}') $(if ('${SDATA}' == '') '-' '${SDATA}') ${MESSAGE}\n"); };

Cheers,
Alex

On Mon, Mar 9, 2020 at 12:41 PM Alexandre Santos <alexandre.rosas.santos@gmail.com> wrote:

Hi,

I tried to rewrite PRI but the macro is not writable:
Mar 09 11:27:31 localhost syslog-ng[31986]: Error parsing rewrite expression, PRI is read-only, it cannot be changed in rewrite rules in /etc/syslog-ng/syslog-ng.conf:
Mar 09 11:27:31 localhost syslog-ng[31986]: 359     };
Mar 09 11:27:31 localhost syslog-ng[31986]: 360     # end of localFile: netconf-commands
Mar 09 11:27:31 localhost syslog-ng[31986]: 361
Mar 09 11:27:31 localhost syslog-ng[31986]: 362
Mar 09 11:27:31 localhost syslog-ng[31986]: 363     # remote: test
Mar 09 11:27:31 localhost syslog-ng[31986]: 364---> rewrite r_pri{set("189", value("PRI"));};
Mar 09 11:27:31 localhost syslog-ng[31986]: 364--->                                     ^
Mar 09 11:27:31 localhost syslog-ng[31986]: 365     destination d_test_udp {
Mar 09 11:27:31 localhost syslog-ng[31986]: 366         syslog("192.168.122.1" transport("udp") ip-protocol(4) port(514)
Mar 09 11:27:31 localhost syslog-ng[31986]: 367             suppress(5)
Mar 09 11:27:31 localhost syslog-ng[31986]: 368             disk-buffer(
Mar 09 11:27:31 localhost syslog-ng[31986]: 369                 mem-buf-size(2097152)

I tried to use the following configuration to make a facility override local0 -> local7:

# remote: test
template t_test { template("$(if ('${LEVEL_NUM}' == '0') '<184>1' $(if ('${LEVEL_NUM}' == '1') '<185>1' $(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' $(if ('${LEVEL_NUM}' == '5') '<189>1' $(if ('${LEVEL_NUM}' == '6') '<190>1' '<191>1' ))))))) ${ISODATE} ${HOST} ${PROGRAM} ${PID} $(if ('${MSGID}' == '') '-' '${MSGID}') $(if ('${SDATA}' == '') '-' '${SDATA}') ${MESSAGE}"); };
destination d_test_udp {
    network("192.168.122.1" transport("udp") ip-protocol(4) port(514)
        template ("t_test")
    );
};
filter f_remote_test_udp_local0 {
    facility(local0) and level(debug .. emerg);
};
log {
    source(s_src);
    filter(f_remote_test_udp_local0);
    destination(d_test_udp);
    flags(flow-control);
};
# end of remote server: test

The problem is that I get a double header in the syslog server:
Mar  9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6
Mar  9 11:41:53 127.0.0.1 root[31404] <190>1 2020-03-09T11:41:53+00:00 127.0.0.1 root 31404 - - This is a Test 7
Mar  9 11:41:53 127.0.0.1 root[31448] <190>1 2020-03-09T11:41:53+00:00 127.0.0.1 root 31448 - - This is a Test 8
Mar  9 11:41:54 127.0.0.1 root[31449] <190>1 2020-03-09T11:41:54+00:00 127.0.0.1 root 31449 - - This is a Test 9
Mar  9 11:41:54 127.0.0.1 root[31468] <190>1 2020-03-09T11:41:54+00:00 127.0.0.1 root 31468 - - This is a Test 10
Mar  9 11:41:55 127.0.0.1 root[31485] <190>1 2020-03-09T11:41:55+00:00 127.0.0.1 root 31485 - - This is a Test 11
Mar  9 11:41:55 127.0.0.1 root[31526] <190>1 2020-03-09T11:41:55+00:00 127.0.0.1 root 31526 - - This is a Test 12
Mar  9 11:41:55 127.0.0.1 root[31567] <190>1 2020-03-09T11:41:55+00:00 127.0.0.1 root 31567 - - This is a Test 13

Can you help me?

Thanks and regards,
Alex


On Mon, Jan 20, 2020 at 07:49 AM Attila Szakacs (aszakacs) <Attila.Szakacs@oneidentity.com> wrote:
Hi Alex,

I think ${PRI} does exactly that.

PRI
Description: The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.

Regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Friday, January 17, 2020 7:56 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] facility override

Hi,

Is there a way of overriding the facility of the messages on the destination, besides using a template like:
{ template("$(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' ${HOST}\\@`HOSTIPV4` ${PROGRAM} ${PID} ${SDATA} ${MESSAGE}\n"); };

Thanks in advance,
Alex
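
The nested $(if ...) chain in the templates above hard-codes PRI = facility * 8 + severity for local7 (23 * 8 = 184, plus LEVEL_NUM). As an added example (not part of the original thread and not syslog-ng code), this Python sketch applies the same facility override to an RFC 5424 line and flags stored lines that still carry an embedded "<PRI>1 ..." header, which is what the doubled-header lines in the thread look like. The function names and SAMPLE_SENT are constructed for illustration; SAMPLE_STORED is the first doubled line quoted in the thread.

```python
import re

# Syslog facility codes for local0..local7 (RFC 5424, section 6.2.1).
FACILITY = {f"local{i}": 16 + i for i in range(8)}

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID, the field order the template emits.
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")

# Constructed input: a local0.info message (16 * 8 + 6 = 134) before the override.
SAMPLE_SENT = "<134>1 2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6"
# Line as stored by the receiving server, copied from the thread.
SAMPLE_STORED = ("Mar  9 11:41:52 127.0.0.1 root[31353] <190>1 "
                 "2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def override_facility(line, new_facility):
    """Rewrite the PRI of an RFC 5424 line to new_facility, keeping its severity."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("line does not start with an RFC 5424 header")
    _, severity = decode_pri(int(m.group(1)))
    new_pri = FACILITY[new_facility] * 8 + severity
    # Keep everything after the closing '>' of the original PRI untouched.
    return f"<{new_pri}>" + line[m.end(1) + 1:]


def embedded_header(stored_line):
    """Return the PRI of an RFC 5424 header found after the start of a stored
    line, or None when the line carries no second header."""
    m = HEADER.search(stored_line, 1)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print(override_facility(SAMPLE_SENT, "local7"))
    print(embedded_header(SAMPLE_STORED), decode_pri(embedded_header(SAMPLE_STORED)))
```

Running embedded_header() over the receiver's log file after a template change is a quick way to confirm that the doubled header is gone.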