Thanks for the information. I have another issue that has come up relating to the PROGRAM macro.

When I configure it like this, the PROGRAM macro works properly and gets the proper tag from the client:

source s_syslog-ports {

# Configure the network() driver for receiving RFC3164 logs

network(transport("udp") ip(10.25.10.52) port(514));

network(transport("tcp") ip(10.25.10.52) port(514) max-connections(100));

network(transport("tcp") ip(10.25.10.52) port(1514) max-connections(100));

};

filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt", value("SOURCEIP")); };

destination d_Linux-centos {file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log" template(t_message-only));};

log {source(s_syslog-ports); filter(f_Linux-centos); destination(d_Linux-centos);};

Then, when I change the configuration to this, the PROGRAM macro no longer gets the same proper tag value from the client:

source s_syslog-ports {

# Configure the network() driver for receiving RFC3164 logs

network(transport("udp") ip(10.25.10.52) port(514));

network(transport("tcp") ip(10.25.10.52) port(514) max-connections(100));

network(transport("tcp") ip(10.25.10.52) port(1514) max-connections(100) flags(no-parse));

};

filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt", value("SOURCEIP")); };

destination d_Linux-centos {file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log" template(t_message-only));};

log {source(s_syslog-ports); junction { channel { filter(f_Linux-centos); parser { syslog-parser(); }; flags(final); }; }; destination(d_Linux-centos);};

Is there a way to configure the no-parse and junction option while still getting the correct PROGRAM macro data?

Thanks.

On Wednesday, February 22, 2017 8:04 AM, "Fekete, Róbert" <robert.fekete@balabit.com> wrote:

Hi,

To achieve something like that, you have to use junctions.

You'll have one source with flags(no-parse), then embed a filter+parser junction to process regular syslog messages, and another junction to process the ones you cannot parse.

For details, see the 8.3 example at https://www.balabit.com/ documents/syslog-ng-ose- latest-guides/en/syslog-ng- ose-guide-admin/html/ junctions.html and https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html

HTH,

Robert

On Wed, Feb 22, 2017 at 2:45 PM, 'Miah Lang' via SYSLOG-NG <syslog-ng@balabit.com> wrote:

Is it possible to configure multiple sources, one with flags(no-parse) and one without?

e.g.

source s_syslog-ports {

        udp(port(514));

        tcp(port(1514) max-connections(100));

        tcp(port(514) max-connections(100));

};

source s_syslog_np-ports {

        udp(port(514) flags(no-parse));

        tcp(port(1514) max-connections(100) flags(no-parse));

        tcp(port(514) max-connections(100) flags(no-parse));

};

filter f_Cisco-router { in-list("/etc/syslog-ng/ filter/Cisco-router.txt", value("SOURCEIP")); };

destination d_Cisco-router {file("/var/log/IT/network/ router/cisco/${SOURCEIP}/${ SOURCEIP}-${YEAR}${MONTH}${ DAY}.log" template(t_message-only));};

log {source(s_syslog-ports); filter(f_Cisco-router); destination(d_Cisco-router);};

filter f_Cisco-switch { in-list("/etc/syslog-ng/ filter/Cisco-switch.txt", value("SOURCEIP")); };

destination d_Cisco-switch {file("/var/log/IT/network/ switch/cisco/${SOURCEIP}/${ SOURCEIP}-${YEAR}${MONTH}${ DAY}.log" template(t_message-only));};

log {source(s_syslog_np-ports); filter(f_Cisco-switch); destination(d_Cisco-switch);};

Whenever I do this, I get an error message when restarting the service.

“Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details.”

“Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.”

______________________________ ______________________________ __________________
Member info: https://lists.balabit.hu/ mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/ support/documentation/? product=syslog-ng
FAQ: http://www.balabit.com/wiki/ syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq