Hello,
Just to know, does syslog-ng only use relay config statements (keep_hostname, etc.) when the log source is defined as udp() or tcp()?
No, keep_hostname is always applied. In 3.0, it is even possible to specify hostname related options on a per-source basis.
Okay, interesting! You can hardcode (in the config file) a given HOST macro value associated with a source config?
Yes, there are two ways to do this:
- host-override(): this is a new option that lets you specify a fixed hostname for each source; this effectively overrides the hostname parsing routines
- a rewrite rule that changes the HOST value after parsing
The first looks like this:
pipe("/tmp/snmptrapd.pipe" host-override("overridden-host"));
everything coming from this pipe will use "overridden-host" as hostname.
The second one looks like this:
rewrite r_host { set("overridden-host" value("HOST")); };
The rewrite rule can even use macros, like this:
rewrite r_host { set("${HOST}-append" value("HOST")); };
This will append the string '-append' to the hostname.
Great! Thanks for the input!
I'm asking this because I'm wondering: if I forward my SNMP trap to syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in syslog.conf), will syslog-ng maybe see the SNMP trap as a compliant RFC 3164 forwarded message?
That wouldn't work. The problem is inherent in the syslog API: it does not let you change the hostname.
Okay, but here is what I wanted to achieve. Log this SNMP message using the snmptrapd syslog functionality: "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
The given snmptrapd output message formatting (header) "Nov 12 16:57:59 wlc02.mydomain.com", set before every snmptrapd message, is there to provide an RFC 3164 compliant message => this should allow syslog-ng to think that "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" is a forwarded syslog message? If so, this would allow me to fetch "wlc02.mydomain.com" as the HOST macro using keep_hostname(on), no?
You misunderstand the relayed message format. The header is not duplicated when a message is relayed; the format is still the same.
Ah, okay! Yes, you're right, I totally misunderstood the relayed message format ;-)
The only way to work around that is to have snmptrapd send its output to syslog-ng directly (and format the message according to the syslog protocol). There are multiple options:
* pipe: make snmptrapd output go to a pipe, and reference this from syslog-ng; writing to a pipe is about the same as writing to a file, so this would probably work
Ahhh, yeah! That's much easier than my relayed message style! If, as I did before, I format the snmptrapd message as follows (to a named pipe), it should work: "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
Yes. You might add a priority field though.
Ok! Will try this!
* program source: in 3.0, I introduced the program source, which is basically a syslog-ng managed program whose output is parsed as syslog messages, line by line.
Okay, really interesting too ;-) Does it read logs from the stdout and stderr of the given program?
It only fetches the standard output.
Will try this (the named pipe stuff) before the csv-parser option. As I'm also interested in the csv-parser option, I will invest time to try it too. Will let you know about last-column-greedy.
The named pipe should work with any syslog-ng version; csv-parser was added in 3.0.
Thanks again for your support! Joël
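To make the two points of this thread concrete (how the HOST macro is derived from an RFC 3164 line written to a named pipe, and how host-override() and a rewrite rule change it), here is a small Python emulation added to this thread. It is not syslog-ng's own parser and not code from anyone in the exchange; it is a simplified model that assumes a plain "Mon DD HH:MM:SS host msg" header with an optional <PRI> prefix, defaults a missing PRI to 13 (user.notice) and, when no header can be parsed, falls back to the collector's own name (labelled "collector" here) the way keep_hostname(off) would. The sample lines are constructed to match the snmptrapd output quoted above.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample lines in the shape snmptrapd would write to the named pipe.
SAMPLE_LINES = [
    "Nov 12 16:57:59 wlc02.mydomain.com Cold Start",      # no priority field
    "<13>Nov 12 16:57:59 wlc02.mydomain.com Cold Start",  # with PRI = user.notice
    "Cold Start",                                         # bare trap text, no header
]

# RFC 3164 header: optional <PRI>, "Mmm dd hh:mm:ss", hostname, then the message.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

DEFAULT_PRI = 13  # facility user (1) << 3 | severity notice (5), used when PRI is absent


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str


def parse_rfc3164(line, sender, keep_hostname=True, host_override=None):
    """Emulate how a syslog-ng source derives the HOST macro from one line.

    sender        - hypothetical name of the receiving host (local hostname for a pipe)
    keep_hostname - trust the hostname field in the header (keep_hostname(on))
    host_override - fixed hostname for the source, like pipe(... host-override("x"))
    """
    m = RFC3164_RE.match(line)
    if m is None:
        # No parsable header: the whole line is the message, nothing to keep.
        facility, severity = DEFAULT_PRI >> 3, DEFAULT_PRI & 7
        timestamp, parsed_host, message = "", None, line
    else:
        pri = int(m.group("pri")) if m.group("pri") is not None else DEFAULT_PRI
        facility, severity = pri >> 3, pri & 7
        timestamp, parsed_host, message = m.group("ts"), m.group("host"), m.group("msg")

    if host_override is not None:
        host = host_override                  # host-override() wins over parsing
    elif keep_hostname and parsed_host is not None:
        host = parsed_host                    # keep_hostname(on): use the header's host
    else:
        host = sender                         # otherwise attribute to the sender
    return SyslogRecord(facility, severity, timestamp, host, message)


def rewrite_host(record, template):
    """Emulate rewrite r_host { set("<template>" value("HOST")); } with ${HOST} expansion."""
    return replace(record, host=template.replace("${HOST}", record.host))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_rfc3164(line, sender="collector")
        print(f"{line!r:55} -> HOST={rec.host} MSG={rec.message!r}")
    print(rewrite_host(parse_rfc3164(SAMPLE_LINES[0], "collector"), "${HOST}-append").host)
```

The third sample line shows why the header matters: without it there is no hostname to keep, so the trap would be attributed to the collector, which is the behaviour the thread is working around.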