Hi All,

I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.

Device --> Syslog Server 1 --> Syslog Server 2

The configuration of the 1st syslog server -

Options - keep-hostname(yes); use-dns(yes); use-fqdn(yes);

Destination -

destination d_sec {
    udp("IP_of_second_syslog" port(514)
        template("${ISODATE} ${HOST} ${PRIORITY} ${MSG}\n")
        template-escape(no));
};

The configuration of the 2nd syslog server -

destination d_syslogFile {
    file("/var/log/syslog.log"
        template("${R_ISODATE} ${HOST} ${PRIORITY} ${FACILITY} ${PROGRAM} ${MSG}\n")
        template-escape(no));
};

Problem - When the syslog message is logged at the 2nd syslog server, the ${PRIORITY} of the message is always "notice", and the original severity/priority of the message is captured in the ${PROGRAM} macro.

How do I capture the priority of the forwarded message on the 2nd syslog server in the ${PRIORITY} macro instead of the ${PROGRAM} macro?

Regards,
Shivani Maurya
Hi,

On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> Hi All,
> I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.
> Device --> Syslog Server 1 --> Syslog Server 2

I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.

https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_Th...
https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/READM...
https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-driv...
Thanks for the response.

The format mentioned in the admin guide for the 1st syslog server is resulting in failure of the syslog-ng service, hence I modified it to make sure the syslog-ng service starts. On the 1st syslog server, I added the syslog destination as -

destination d_ewmm { syslog("secondary_IP"); };

On the 2nd syslog server, the default-network-drivers(); option is not working. Hence, I am trying to capture the syslog messages like -

source src { network(transport(udp) ip(secondary_IP) port(514)); };

But the issue still persists, no change in the message format.

Regards,
Shivani Maurya

-----Original Message-----
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Fabien Wernli
Sent: Wednesday, December 11, 2024 8:10 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog server chaining issue

> Hi,
>
> On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> > Hi All,
> > I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.
> > Device --> Syslog Server 1 --> Syslog Server 2
>
> I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.
>
> https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_Th...
> https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/READM...
> https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-driv...
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
If you supply the template() option on the first server, that changes the format the protocol expects. So you need to use the standard template and then reformat it to your needs on the 2nd, by using template there.

The reason $program captured the severity value is that you were using $SEVERITY in the position where the normal syslog format expects the program name.

The syslog-ng() driver Fabien mentioned requires you to include scl.conf, which is the syslog-ng configuration library.

On Thu, Dec 12, 2024, 07:43 Maurya, Shivani <shivani.maurya@intel.com> wrote:
> Thanks for the response.
>
> The format mentioned in the admin guide for the 1st syslog server is resulting in failure of the syslog-ng service, hence I modified it to make sure the syslog-ng service starts. On the 1st syslog server, I added the syslog destination as -
>
> destination d_ewmm { syslog("secondary_IP"); };
>
> On the 2nd syslog server, the default-network-drivers(); option is not working. Hence, I am trying to capture the syslog messages like -
>
> source src { network(transport(udp) ip(secondary_IP) port(514)); };
>
> But the issue still persists, no change in the message format.
>
> Regards,
> Shivani Maurya
> -----Original Message-----
> From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Fabien Wernli
> Sent: Wednesday, December 11, 2024 8:10 PM
> To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
> Subject: Re: [syslog-ng] Syslog server chaining issue
>
> > Hi,
> >
> > On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> > > Hi All,
> > > I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.
> > > Device --> Syslog Server 1 --> Syslog Server 2
> >
> > I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.
> >
> > https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_Th...
> > https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/READM...
> > https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-driv...
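The following puts Balazs's answer (and Fabien's syslog-ng() suggestion) into configuration. It is an added example for this thread, not a configuration posted by any participant or shipped by the syslog-ng project. It keeps the placeholder IP_of_second_syslog from the original post; the source name s_devices and the values in the sample wire line are assumptions for illustration. It shows the template from the original post that breaks the wire format next to the corrected server 1 and server 2 configurations.

```conf
# ===== /etc/syslog-ng/syslog-ng.conf on Syslog Server 1 (forwarder) =====
@version: 3.31
@include "scl.conf"   # required for syslog-ng() and default-network-drivers(); they are SCL blocks

options { keep-hostname(yes); use-dns(yes); use-fqdn(yes); };

# s_devices is an assumed name for the source the devices send to.
source s_devices { network(transport(udp) port(514)); };

# BROKEN (the template from the original post). There is no <PRI> header, and
# ${PRIORITY} sits where the BSD-syslog format expects "program:". A forwarded
# line then looks like (constructed sample):
#   2024-12-11T12:47:29+00:00 router1 err Link down
# and server 2 falls back to its default priority (severity "notice") and
# parses PROGRAM="err".
# destination d_sec {
#     udp("IP_of_second_syslog" port(514)
#         template("${ISODATE} ${HOST} ${PRIORITY} ${MSG}\n") template-escape(no));
# };

# FIX A: no template() on the forwarding driver, so its default BSD-syslog
# format (with the <PRI> header) goes on the wire; server 2 recovers
# severity, facility and program itself. Do the custom layout on server 2.
destination d_sec {
    udp("IP_of_second_syslog" port(514));
};

# FIX B (Fabien's suggestion): the syslog-ng() driver from scl.conf forwards the
# parsed message, name-value pairs included, to another syslog-ng over TCP
# (port 514 by default). Pair it with default-network-drivers() on server 2.
destination d_sec_ewmm {
    syslog-ng(server("IP_of_second_syslog"));
};

log { source(s_devices); destination(d_sec); };

# ===== /etc/syslog-ng/syslog-ng.conf on Syslog Server 2 (receiver) =====
@version: 3.31
@include "scl.conf"

# keep-hostname(yes) here as well, otherwise server 2 replaces ${HOST} with the
# name/address of server 1, the host it actually received the datagram from.
options { keep-hostname(yes); };

# Receiver for FIX A. ip() is the local address to bind to.
source s_from_server1 {
    network(transport(udp) ip("IP_of_second_syslog") port(514));
};

# Receiver for FIX B (also needs scl.conf); uncomment when using d_sec_ewmm.
# source s_from_server1 { default-network-drivers(); };

# The custom layout lives here. ${PRIORITY} is now the forwarded severity and
# ${PROGRAM} the real program name, because they were parsed from a proper header.
destination d_syslogFile {
    file("/var/log/syslog.log"
        template("${R_ISODATE} ${HOST} ${PRIORITY} ${FACILITY} ${PROGRAM} ${MSG}\n")
        template-escape(no));
};

log { source(s_from_server1); destination(d_syslogFile); };
```

Check the result with `syslog-ng --syntax-only` on both hosts before restarting, then send one message from a device and compare the line in /var/log/syslog.log with the original severity. One caveat for the UDP path: port 514/udp gives neither delivery guarantees nor sender authentication, so any host that can reach server 2 on that port can inject lines into that file; for log traffic that leaves a trusted segment, prefer the TCP path and add tls() to the network() or syslog-ng() drivers.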
participants (3)
- Balazs Scheidler
- Fabien Wernli
- Maurya, Shivani