Hi,

On Thu, Jun 30, 2011 at 10:12 AM, JP Vossen <jp@jpsdomain.org> wrote:
I need to be able to accept TCP/514 and transparently forward it to UDP/514 on the same box. I have a config that almost works, except I'm getting an "extra" time stamp and hostname on the TCP messages.
I'm using Netcat to send:

echo "<182>loop_test[$$]: LOOP testing 514 UDP, one ping only..." | nc -u -w1 192.168.1.151 514
echo "<182>loop_test[$$]: LOOP testing 514 TCP, one ping only..." | nc 192.168.1.151 514

I'm getting:

<182>loop_test[11061]: LOOP testing 514 UDP, one ping only...
<182>Jun 30 01:48:36 192.168.1.10 loop_test[11061]: LOOP testing 514 TCP, one ping only...
This is expected behaviour.
I want:

<182>loop_test[11061]: LOOP testing 514 UDP, one ping only...
<182>loop_test[11061]: LOOP testing 514 TCP, one ping only...
syslog-ng could be overkill for such a purpose; writing a few lines of Perl code could be easier...
If I send the messages into syslog-ng or rsyslog, I get the correct data with no "extra" fields in the log file. But unfortunately, I need to send messages into another proprietary syslog listener, and in that one I'm getting the extra fields. I'd blame the whole mess on that, except that when I do a packet dump I do see the 2 extra fields in there. So I *think* that syslog-ng and rsyslog are smart enough to handle them and my other thing isn't.
syslog-ng adds the timestamp and hostname fields by default. Many people think that syslog daemons should accept random junk, but the syslog daemon shouldn't be treated like a plain transport mechanism. There are RFCs describing the syslog formats and the daemons should enforce the standards.
As I said, my goal is to receive TCP/514 and **transparently** forward logs with no changes, as if they came in via UDP, to the localhost via UDP/514. In other words, I'm using syslog-ng as a shim to feed syslog over TCP to a listener which only listens on UDP.
Why doesn't it work? What totally obvious thing am I missing? Am I doing anything else dumb?
Your incoming logs aren't properly formatted syslog messages, so syslog-ng has to guess which fields are present and which are missing, and adds the required fields. If you don't want this, then tell syslog-ng not to parse the logs and just use a custom template, something like this:

source s_tcpincoming {
    tcp(
        ip(0.0.0.0)
        port(514)
        max_connections(1000)
        keep_timestamp(no)
        keep_hostname(no)
        flags(no-parse)
    );
};

destination d_fe_tcp {
    udp(
        "127.0.0.2"
        port(514)
        spoof_source(yes)
        template("${MESSAGE}\n")
    );
};

log {
    source(s_tcpincoming);
    # With no "filter" we get everything, which is what we want
    destination(d_fe_tcp);
};

hth,
Sandor
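As an added example (not code from the thread, from JP, from Sandor, or from syslog-ng itself), the following Python script is a small TCP-to-UDP syslog shim of the "few lines of code" kind mentioned above. It models the two relay behaviours discussed in the thread: a "parse" mode that regenerates the RFC 3164 header and inserts the receive time and the sender's address when the incoming line carries none (a deliberately simplified model of what a parsing syslog daemon does, not syslog-ng's own parser), and a "raw" mode that forwards each newline-delimited frame byte-for-byte, which is what flags(no-parse) plus template("${MESSAGE}\n") achieves. The function names, the listen port 1514, the UDP destination, and the sample lines and timestamp (constructed from the messages quoted in the thread) are all assumptions of this example.

```python
"""Minimal TCP->UDP syslog shim. Added example, not from the thread or syslog-ng.

Modes:
  "parse": model of a daemon's default 'parse and regenerate' path: an
           RFC 3164 "<PRI>TIMESTAMP HOST MSG" line is reproduced as-is,
           while a bare "<PRI>MSG" line gets the receive time and the
           peer's address inserted (the 'extra' fields from the thread).
           This is a simplified model, not syslog-ng's parser.
  "raw":   model of flags(no-parse) + template("${MESSAGE}\n"): untouched.
"""
import re
import socket
import socketserver
from datetime import datetime

# Constructed samples taken from the thread's own test lines (assumption).
SAMPLE_TCP = b"<182>loop_test[11061]: LOOP testing 514 TCP, one ping only..."
SAMPLE_NOW = datetime(2011, 6, 30, 1, 48, 36)
SAMPLE_PEER = "192.168.1.10"

# "<PRI>" prefix, and a full RFC 3164 header "<PRI>Mmm dd hh:mm:ss HOST MSG".
_PRI_RE = re.compile(rb"^<(\d{1,3})>")
_HDR_RE = re.compile(
    rb"^<\d{1,3}>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S
)


def split_frames(buf: bytes) -> tuple[list[bytes], bytes]:
    """Newline-delimited framing for syslog over a TCP byte stream.

    Returns the complete frames (newline and any trailing CR removed) plus the
    unterminated tail, which the caller keeps for the next recv().
    """
    *frames, rest = buf.split(b"\n")
    return [f.rstrip(b"\r") for f in frames], rest


def normalize_bsd(line: bytes, peer_ip: str, now: datetime) -> bytes:
    """'parse' mode: fill in TIMESTAMP and HOST when the header lacks them."""
    if _HDR_RE.match(line):
        return line  # already a complete BSD-syslog line, nothing to add
    pri = _PRI_RE.match(line)
    if pri:
        pri_val, msg = pri.group(1), line[pri.end():]
    else:
        pri_val, msg = b"13", line  # no <PRI> at all: default to user.notice
    # RFC 3164 timestamp: month name, space-padded day, hh:mm:ss
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}".encode()
    return b"<%s>%s %s %s" % (pri_val, stamp, peer_ip.encode(), msg)


def passthrough(line: bytes) -> bytes:
    """'raw' mode: the frame is forwarded exactly as received."""
    return line


class _Shim(socketserver.StreamRequestHandler):
    mode = "raw"
    dest = ("127.0.0.1", 514)

    def handle(self) -> None:
        out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            frames, buf = split_frames(buf + chunk)
            for frame in frames:
                if not frame:
                    continue  # skip blank lines rather than emit empty datagrams
                if self.mode == "parse":
                    frame = normalize_bsd(frame, self.client_address[0], datetime.now())
                else:
                    frame = passthrough(frame)
                # One UDP datagram per line; trailing "\n" mirrors the template.
                out.sendto(frame + b"\n", self.dest)
        out.close()


def run_shim(port: int = 1514, dest=("127.0.0.1", 514), mode: str = "raw") -> None:
    """Listen on TCP `port` and relay each line to `dest` over UDP."""
    _Shim.mode, _Shim.dest = mode, dest
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), _Shim) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    run_shim()  # e.g. echo "<182>test: hi" | nc 127.0.0.1 1514
```

Run it and feed the same nc commands as above at the shim's port: in "raw" mode the UDP listener sees the line unchanged, in "parse" mode it sees the extra timestamp and hostname. Note that this shim, like the syslog-ng configuration, passes whatever the TCP peer sends, so the downstream listener is trusted to cope with malformed input; the only hardening here is that each line becomes exactly one datagram, so a peer cannot smuggle one TCP line into several UDP messages.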