Outbound Facility Rewrite?
Hey folks. I have looked through everywhere I can find but cannot figure out how to rewrite the outbound syslog message to a remote host so that all messages come across on the same facility. The reason I need this is to automate sorting and parsing by type of device (all Linux on one facility, all IPS on another facility, Cisco firewalls on another, etc.). Is there a way to do this with syslog-ng?

Regards,
Randy B
Hi,

currently it is not possible to rewrite the facility of a log message within syslog-ng. A possible workaround might be to use the IETF5424 message format (the syslog driver in syslog-ng), and add a metadata field that describes the type of the message, and then you can use that to filter the specific messages on the receiving side.

Robert

On Wednesday, May 29, 2013 20:30 CEST, Randy Baca <randy@rbaca.com> wrote:
Robert: I am not sure using metadata is possible because the log receiver is third-party and looks at the <PRI> number for the facility and level. Do you know if facility-rewrite is on the roadmap any time soon?

Thanks for the quick response!

Randy B

________________________________________
From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] on behalf of Fekete Róbert [frobert@balabit.hu]
Sent: Wednesday, May 29, 2013 12:36 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Outbound Facility Rewrite?
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
There's a workaround, use the template option and encode the required priority there:

    destination d_tcp {
        # "host" and port(port) are placeholders for the receiver's address and port
        tcp("host" port(port) template("<184>$DATE $HOST $MSGHDR$MSG\n"));
    };

The number enclosed in <> is the priority value, which is calculated as:

    8*facility + priority

Where facility is the identifier of the facility in question (look it up in rfc3164 or

On Wed, 2013-05-29 at 19:42 +0000, Randy Baca wrote:
participants (3): Balazs Scheidler, Fekete Róbert, Randy Baca