Removing Prefixes from Syslog-ng Messages
Hello all,

I am having issues with syslog-ng adding prefixes to my messages. I currently have a syslog-ng agent sending messages from a log source to a syslog-ng central server. I am then sending the messages from the central server to a 3rd party event management program. Is there a way to forward an unchanged syslog-ng message from the relay server?

For example:

Message arriving from source:
Apr 16 09:31:07 psrdev47 10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"

Message being forwarded from server:
Apr 16 09:31:07 10.56.2.77 125 <0>1 2009-04-16T09:31:02-07:00 psrdev47 - - - - 10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"

How can I configure the syslog-ng server to relay this unchanged message to our destination?
Apr 16 09:31:07 psrdev47 10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"

Thanks for your help!

Regards,
Adam
Syslog-ng does not understand your header (that you call a prefix), so it thinks your message is headerless. As a syslog relay, according to the RFCs, syslog-ng has to add its own header. So your application is sending a header with a wrong format. What's wrong is that you have both the hostname and the IP address of your source.

Your problem seems somewhat similar to mine: https://bugzilla.balabit.com/show_bug.cgi?id=40

I think syslog-ng should be more flexible about acceptable headers: you should be able to tell syslog-ng which format your header is expected to be.
You should use the syslog() driver to receive messages formatted to the new IETF protocol standard.

-- Bazsi
I am using the syslog() drivers to send and receive messages. The original message polled from a file log is:
[16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"

Syslog-ng then sends the message to the relay server, adding the header to the original message:
16 09:31:07 hostname IP - -

The syslog-ng relay collects the messages and forwards them on to another source and the header gets changed to this:
Apr 16 09:31:07 relay_IP 125 <0>1 2009-04-16T09:31:02-07:00 hostname - - - - IP - -

I am using the syslog() drivers across the board on the client and relay. Unfortunately, through testing and research, I have not found a way to stop these headers from being created at the beginning of the syslog messages.

Regards,
Adam
On Wed, 2009-04-22 at 11:08 -0500, adam.j.brendamour@accenture.com wrote:
> I am using the syslog() drivers to send and receive messages. The original message polled from a file log is: [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"
> Syslog-ng then sends the message to the relay server, adding the header to the original message: 16 09:31:07 hostname IP - -

This seems to be a new style format, although it is a little bit garbled. Could you send me a tcpdump/strace that shows the exact characters sent and received?

> The syslog-ng relay collects the messages and forwards them on to another source and the header gets changed to this: Apr 16 09:31:07 relay_IP 125 <0>1 2009-04-16T09:31:02-07:00 hostname - - - - IP - -
> I am using the syslog() drivers across the board on the client and relay. Unfortunately, through testing and research, I have not found a way to stop these headers from being created at the beginning of the syslog messages.

Are you sure you are receiving this message with the syslog() driver? The above case clearly indicates that syslog-ng processed it in non-syslog mode.

-- Bazsi
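As an added illustration (not code from the thread, from syslog-ng or from any of the participants), here is a small Python parser for what a relay using the syslog() driver actually puts on the wire: an octet-counted frame ("LEN SP message", RFC 6587) carrying an RFC 5424 message whose MSG part is the original log line, so the "prefix" in the forwarded sample is the IETF header, and a receiver that is not expecting this framing will log the whole frame as text. It is run on the frame quoted in the thread; the trailing newline in the sample is an assumption, and with it the payload is exactly the 125 octets the frame announces.

```python
import re
from typing import Optional, Tuple

# Constructed from the frame quoted in the thread. The trailing newline is an
# assumption: with it the payload is exactly the 125 octets the frame announces.
SAMPLE_FRAME = (b'125 <0>1 2009-04-16T09:31:02-07:00 psrdev47 - - - - '
                b'10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] '
                b'"GET / HTTP/1.1" 302 427 "-" "-"\n')
# RFC 5424 HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID (SP-separated)
HEADER_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
                       r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')

def split_octet_frame(buf: bytes) -> Optional[Tuple[bytes, bytes]]:
    """RFC 6587 octet counting ('LEN SP payload'): (payload, rest), None if incomplete."""
    sp = buf.find(b' ')
    if sp < 1 or not buf[:sp].isdigit():
        raise ValueError('not an octet-counted frame (legacy BSD syslog?)')
    end = sp + 1 + int(buf[:sp])
    return (buf[sp + 1:end], buf[end:]) if len(buf) >= end else None

def _split_sd(rest: str) -> Tuple[str, str]:
    """Split STRUCTURED-DATA ('-' or one or more [...] elements) from MSG."""
    if rest.startswith('-'):
        return '-', rest[1:]
    i = 0
    while i < len(rest) and rest[i] == '[':
        j = i + 1
        while j < len(rest) and rest[j] != ']':  # honour \] and \\ escapes
            j += 2 if rest[j] == '\\' else 1
        if j >= len(rest):
            raise ValueError('unterminated SD-ELEMENT')
        i = j + 1
    if i == 0:
        raise ValueError('malformed STRUCTURED-DATA')
    return rest[:i], rest[i:]

def parse_5424(payload: bytes) -> dict:  # header fields, STRUCTURED-DATA and MSG
    m = HEADER_RE.match(text := payload.decode('utf-8'))
    if not m or m.group('ver') != '1':
        raise ValueError('no RFC 5424 version-1 header')
    sd, rest = _split_sd(text[m.end():])
    pri = int(m.group('pri'))
    return dict(m.groupdict(), facility=pri >> 3, severity=pri & 7,
                sd=sd, msg=rest[1:] if rest.startswith(' ') else rest)

def recover_original(frame: bytes) -> str:  # the line the application logged
    parts = split_octet_frame(frame)
    if parts is None:
        raise ValueError('incomplete frame')
    return parse_5424(parts[0])['msg'].rstrip('\n')
```

Feeding `split_octet_frame` a buffer that starts with a legacy `<PRI>Mon DD hh:mm:ss` header raises, which is a quick way to confirm whether the receiving side is really seeing the syslog() framing Bazsi asks about.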
participants (3)
- adam.j.brendamour@accenture.com
- Balazs Scheidler
- Vincent Panel