On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:
So, I have been trying destinations as follows:
destination d_remote {
    udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n"));
    udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n"));
};
Instead of this you should use two different destination definitions:
destination d_remote_one { ... };
destination d_remote_two { ... };
and later
log { source(...); filter(...); destination(d_remote_one); destination(d_remote_two); };
Organizing destinations is a matter of preference, so this is not strictly required.
$MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
try using template("<$M_PRI> $MESSAGE\n");
M_PRI is not a valid macro; the above format should be written as "<$PRI> $MESSAGE\n". M_PRI is the internal identifier for that macro.

Please note that PRIORITY and PRI are not the same. "PRI" denotes the PRI field of the syslog header, which is comprised of a FACILITY and a LEVEL value. PRIORITY is an alias for LEVEL. Sorry for the confusing names. Partly this is caused by compatibility with older versions of syslog-ng.

If the incoming message at least resembles a syslog message (e.g. it has a proper PRI heading), then you could use the template defined above. If it does not, you could still use the no-parse flag for your input, and "$MESSAGE\n" as output template.

--
Bazsi
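
The effect of the two templates discussed in this thread, as an added example that is not part of the original e-mail and is not syslog-ng code: a small Python model of a relay that expands only $PRI and $MESSAGE, and of a next hop that decodes the PRI field. It assumes the next hop follows RFC 3164 and treats a line without a valid PRI as 13 (user.notice); the function names and the sample line are constructed for illustration.

```python
import re

# RFC 3164 PRI: "<N>" at the start of the line, N = facility * 8 + level, 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")
DEFAULT_PRI = 13  # assumption: RFC 3164 default (user.notice) when PRI is missing
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]


def parse(line):
    """Split a raw line into (pri, rest); pri is None when there is no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None, line
    return int(m.group(1)), line[m.end():]


def describe(pri):
    """Decode PRI into 'facility.level' (LEVEL is what the thread calls PRIORITY)."""
    facility, level = divmod(pri, 8)
    return f"{FACILITIES[facility]}.{LEVELS[level]}"


def relay(line, template):
    """Render a relayed line; hypothetical expander for $PRI and $MESSAGE only."""
    pri, message = parse(line)
    if pri is None:
        pri = DEFAULT_PRI
    return template.replace("$PRI", str(pri)).replace("$MESSAGE", message)


def seen_by_receiver(wire):
    """Facility and level the next hop decodes from the relayed line."""
    pri, _ = parse(wire.rstrip("\n"))
    return describe(DEFAULT_PRI if pri is None else pri)


if __name__ == "__main__":
    # Constructed sample: PRI 38 = facility 4 (auth) * 8 + level 6 (info).
    incoming = "<38>sshd[812]: Failed password for root from 192.0.2.7"
    for tpl in ("$MESSAGE\n", "<$PRI> $MESSAGE\n"):
        print(repr(tpl), "->", seen_by_receiver(relay(incoming, tpl)))
```

With "$MESSAGE\n" the next hop files every relayed line under the default facility and level, so filters and alerting keyed on facility or severity stop matching; with "<$PRI> $MESSAGE\n" the original classification survives the hop.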