Syslog relay : keep facility and level
Hi,

I am trying to set up a syslog-ng architecture with a relay. Here is an example:

Linux Host1 logs messages to syslog with facility user.info.
On Host1, syslog-ng is set up to forward these messages (with a filter based on the facility) to Host2 via UDP.
Linux Host2 (log collector)'s syslog-ng is configured to listen for incoming UDP packets and forward them to a Windows Host3 after changing the message's format thanks to a template (add the source IP at the beginning of the message).
Windows Host3 processes the incoming UDP messages.

I have managed to make it work, that is, messages generated on Host1 with the logger command are successfully received on Host3. Nevertheless, it looks like all the messages reaching my Host3 have the facility/priority User.notice instead of the original one.

Here are some parts of my configuration:

On Host1:

    # filter for user facility - for tests
    filter f_user { facility(user); };
    destination host2 { udp("IP.Address.of.Host2"); };
    log { source(src); filter(f_user); destination(host2); };

On Host2:

    # syslog full redirection to Thibaud's machine
    destination host3 { udp("IP.ADDRESSE:OF:HOST" template("$SOURCEIP $MSG\n")); };
    source s_udp { udp(); };
    log { source(s_udp); destination(host3); };

I generate messages on host1 with the command:

    logger -p user.warning "message warning test"

Is there anything I am doing wrong? Could changing the template make the message lose information about Facility and Level?

Thanks in advance
When you use a template, it becomes the *entire* template of the syslog message on the wire. Since syslog-ng does not know that you are sending the message to another syslog server (relaying), it cannot automatically make the message conform to the syslog RFC format. This job is up to you.

So... your template should really have the following format:

    "<$PRI>$S_DATE $HOST $PROGRAM: $SOURCEIP $MSGONLY"

I'm not sure why you want the source IP in the message portion, since the $HOST will be the source host that the message came from. I guess it depends on what application is receiving the messages on your host2.

Evan.

Thibaud Desodt wrote:
> Hi,
>
> I am trying to set up a syslog-ng architecture with a relay.
> Here is an example:
>
> Linux Host1 logs messages to syslog with facility user.info.
> On Host1, syslog-ng is set up to forward these messages (with a filter based on the facility) to Host2 via UDP.
> Linux Host2 (log collector)'s syslog-ng is configured to listen for incoming UDP packets and forward them to a Windows Host3 after changing the message's format thanks to a template (add the source IP at the beginning of the message).
> Windows Host3 processes the incoming UDP messages.
>
> I have managed to make it work, that is, messages generated on Host1 with the logger command are successfully received on Host3. Nevertheless, it looks like all the messages reaching my Host3 have the facility/priority User.notice instead of the original one.
>
> Here are some parts of my configuration:
>
> On Host1:
>
>     # filter for user facility - for tests
>     filter f_user { facility(user); };
>     destination host2 { udp("IP.Address.of.Host2"); };
>     log { source(src); filter(f_user); destination(host2); };
>
> On Host2:
>
>     # syslog full redirection to Thibaud's machine
>     destination host3 { udp("IP.ADDRESSE:OF:HOST" template("$SOURCEIP $MSG\n")); };
>     source s_udp { udp(); };
>     log { source(s_udp); destination(host3); };
>
> I generate messages on host1 with the command:
>
>     logger -p user.warning "message warning test"
>
> Is there anything I am doing wrong? Could changing the template make the message lose information about Facility and Level?
>
> Thanks in advance
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
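The mechanism Evan describes, as an added example that is not part of the thread: a template replaces the whole datagram, so a relay template without a leading `<$PRI>` ships no facility/level at all, and a receiver that finds no PRI falls back to `<13>`, which is user.notice (RFC 3164 section 4.3.3), exactly the symptom reported above. The macro expander, facility/severity tables, host names and timestamps below are constructed for illustration and stand in for syslog-ng's own template engine.

```python
# Added example, not code from the thread or from syslog-ng itself.
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 / RFC 5424)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def render(template, macros):
    """Tiny stand-in for syslog-ng macro expansion: only $NAME is supported."""
    return re.sub(r"\$([A-Z_]+)", lambda m: str(macros[m.group(1)]), template)

def parse_wire(datagram):
    """Receiver side: facility/level exist only in a leading <PRI>; without
    one the datagram is treated as <13> = user.notice, as RFC 3164 4.3.3
    instructs a relay to assume."""
    m = re.match(r"^<(\d{1,3})>", datagram)
    pri = int(m.group(1)) if m and int(m.group(1)) <= 191 else 13
    return decode_pri(pri)

# Constructed macro values for the message the thread sends with
# `logger -p user.warning "message warning test"` relayed through Host2.
MACROS = {
    "PRI": encode_pri("user", "warning"),
    "S_DATE": "Jan 13 10:42:00",
    "HOST": "host1",
    "PROGRAM": "logger",
    "MSGONLY": "message warning test",
    "MSG": "message warning test",
    "SOURCEIP": "192.0.2.10",
}
LOSSY_TEMPLATE = "$SOURCEIP $MSG\n"                                  # the original config
RELAY_TEMPLATE = "<$PRI>$S_DATE $HOST $PROGRAM: $SOURCEIP $MSGONLY\n"  # Evan's suggestion

def relay(template):
    """What Host2 actually puts on the wire for the given template."""
    return render(template, MACROS)

def received_as(template):
    """(facility, severity) that Host3 will attribute to the relayed datagram."""
    return parse_wire(relay(template))
```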
Yes, that does the trick! I've been looking for that format and couldn't find any official definition of a template for that standard. Thanks!
participants (2)
- Evan Rempel
- Thibaud Desodt