Hi!
I am trying to work out if syslog-ng can act as a relay without doing "noticeable" changes to the syslog message in terms of what the syslog server sees.
The problem:
1) The device sends non-standard syslog messages
That might be a problem. You should try using the flags(no-parse); option in your source definition, however if you want to use macros then you'll be in trouble
2) The syslog needs to go to 2 end systems, the device supports 1
shouldn't be a problem
3) One of the end devices needs to receive the syslog in exactly the same for as originally sent by the device
might be tricky...
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
Instead of this you should use two different destination definitions: destination d_remote_one { ... }; destination d_remote_two { ... }; and later log { source(...); filter(...); destination(d_remote_one); destination(d_remote_two); };
I have also tried various combinations having "template" and adding FACILITY and LEVEL, but I am current failing to reproduce the original packet.
My results:
Template Result ========================================== None Relayed message has standard date and hostname added which weren't in original package.
that might happen even when you disable parsing of the message
$MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
try using template("<$M_PRI> $MESSAGE\n");
Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as they don't appear to go into the right fields, and syslog-ng appears to put KERN.EMERG in instead...
The first part of the message defines the facility/priority. Using macros you should use <$M_PRI> , however this depends on the parsing of the message... I think the really authorative answer to your questions might come from Bazsi, so you should wait for his answer :) Regards, Sandor -------------------------------------------------------- NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.