Rewrite Hostname Field of Syslog Header
Hi, I'm wondering if syslog-ng is capable of rewriting the hostname field in the header of syslogs as they are forwarded to a remote loghost. Is this possible? Thanks, Lee
I don't believe there is a native way to do this in syslog-ng, but there is a method here: http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/ that describes using a template to basically rewrite any part of the syslog message. That example is for rewriting the facility/priority; it should give you enough to go on to rewrite the host field.
Regards, Jerry
On 7/23/2010 2:06 PM, lecalcot wrote:
Hi,
I'm wondering if syslog-ng is capable of rewriting the hostname field in the header of syslogs as they are forwarded to a remote loghost. Is this possible?
Thanks, Lee
On Fri, Jul 23, 2010 at 11:06 AM, lecalcot <lecalcot@cisco.com> wrote:
Hi,
I’m wondering if syslog-ng is capable of rewriting the hostname field in the header of syslogs as they are forwarded to a remote loghost. Is this possible?
Thanks, Lee
There are a couple ways to do this. If you want all messages in a certain log statement to be replaced with specific text, you can just use a rewrite rule on the HOST macro:
    rewrite r_replacename { set("whatever-you-want", value("HOST")); };
You can also use subst() rather than set() to match/replace only certain parts & use regex. Check out page 88 of the 3.1 OSE syslog-ng admin guide. If you need help replacing hostname on the fly, with perhaps something else that exists in the message body, using the parser {} function (paired with patterndb, what all the cool kids are using now) to generate your own macros, then use rewrite{} with that is your best bet.
--
Lance Laursen
Demonware Systems Engineer
On Fri, 2010-07-23 at 11:59 -0700, Lance Laursen wrote:
rewrite r_replacename { set("whatever-you-want", value("HOST")); };
This is a very static solution for rewriting messages. We have another way: Turn off keep_hostname(no) in options AND use DNS for name resolution use_dns(yes). If any DNS server does not contain the proper info, you can also use a simple persistent host file too.
Peter
--
Höltzl Péter
CISA, IT security consultant
holtzl.peter@balabit.hu
+36 20 366 966
http://peter.blogs.balabit.hu/
BalaBit IT Security
1115 Budapest XI. Bártfai u. 54.
Tel +36 1 371 0540 Fax +36 1 208 0875
Hi, you might also want to check the host-override option: http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/refere...
Robert
On Friday, July 23, 2010 20:06 CEST, lecalcot <lecalcot@cisco.com> wrote:
Hi,
I'm wondering if syslog-ng is capable of rewriting the hostname field in the header of syslogs as they are forwarded to a remote loghost. Is this possible?
Thanks, Lee
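The three approaches suggested in this thread (a rewrite rule with set() or subst(), keep_hostname(no) with name resolution, and host_override() on the source) side by side in one relay configuration. This is an added example, not configuration from any of the posters; the ports, addresses, host names and hosts-file path are constructed, and use_dns(persist_only) with dns_cache_hosts() is assumed to be the "persistent host file" mentioned above.

```conf
@version: 3.1
# Added example. All names, ports, addresses and paths below are constructed.

options {
    # Do not keep the HOST field written by the sender; the relay fills it in
    # from the address the message arrived from.
    keep_hostname(no);
    # Resolve that address from a static hosts file only.
    # use_dns(yes) would query DNS as well.
    use_dns(persist_only);
    dns_cache_hosts("/etc/syslog-ng/hosts");   # file in /etc/hosts format
};

# 1) HOST comes from name resolution (options above), then one part of it
#    is edited with subst().
source s_net { udp(ip(0.0.0.0) port(514)); };

rewrite r_strip_domain {
    # [.] instead of a backslash escape avoids quoting issues in "..." strings
    subst("[.]example[.]com$", "", value("HOST"));
};

# 2) Static replacement: every message on this log path gets the same HOST.
source s_dmz { udp(ip(0.0.0.0) port(5515)); };

rewrite r_set_host {
    set("relay-site-a", value("HOST"));
};

# 3) Source-level override: HOST is replaced as the message is received,
#    before any filter or rewrite rule sees it.
source s_appliance {
    udp(ip(0.0.0.0) port(5514) host_override("edge-fw-01"));
};

# Remote loghost (192.0.2.10 is a documentation address).
destination d_loghost { tcp("192.0.2.10" port(514)); };

log { source(s_net);       rewrite(r_strip_domain); destination(d_loghost); };
log { source(s_dmz);       rewrite(r_set_host);     destination(d_loghost); };
log { source(s_appliance);                          destination(d_loghost); };
```

With set() or host_override() the original sender name is lost at the relay, so the loghost can no longer tell individual hosts behind that path apart; subst() and name resolution keep a per-sender value.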
participants (5)
- Fekete Róbert
- HÖLTZL Péter
- Jerry Bell
- Lance Laursen
- lecalcot