Syslog-ng open source version -- program_override option
Hi,

I want to pass the source file name with each syslog-ng message. I am using the program_override option for this. But the program_override option overrides the program name field value present in the syslog-ng messages.

    source source_sys_log { file("/root/log/syslog.log" program_override("syslog.log")); };

Let me know how to pass the source file name in the syslog-ng message? I am using the open source version of syslog-ng.

Regards
Vaibhav
On Mon, 2009-08-10 at 11:41 +0530, Jain, Vaibhav (GE Healthcare) wrote:
Hi,
I want to pass the source file name with each syslog-ng message. I am using program_override option for this. But program_override option overrides the program name field value present in the syslog-ng messages.
source source_sys_log { file("/root/log/syslog.log" program_override("syslog.log")); };
Let me know how to pass source file name in the syslog-ng message? I am using open source version of syslog-ng.
Well by default syslog-ng uses each line in the source file as a separate log message, but makes the name of the file available in the $FILE_NAME macro. So you could either use a custom template to include this information, or rather a rewrite rule, such as:

    rewrite r_add_filename { set("$FILE_NAME: $MESSAGE" value("MESSAGE")); };

--
Bazsi
Hi Bazsi,

Thanks for your quick response.

In this case how to remove the $FILE_NAME value from the received message on the syslog-ng server? Because now the received message = Original mesg + File Name.

-V

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Wednesday, August 12, 2009 1:10 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng open source version -- program_override option

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Wed, 2009-08-12 at 13:15 +0530, Jain, Vaibhav (GE Healthcare) wrote:
Hi Bazsi,
Thanks for your quick response.
In this case how to remove the $FILE_NAME value from the received message on the syslog-ng server? Because now the received message = Original mesg + File Name.
I don't know what you want to accomplish? At first you wanted to include the filename information and now you want to remove it? Why? Can you post examples?

--
Bazsi
Hi Bazsi,

I want to send all the log messages from the client machine to the server machine in the same file. I have installed the syslog-ng client on the client machine and the syslog-ng server on the server. I am passing the source file name with the log message using FILE_NAME and a template. And I am receiving the log message on the server side. And using the match macro I am pushing log messages into the file name present in the log message. But now on the server side the log message is actual mesg + file name, so I want to delete the file name from the received mesg, so that the received mesg would be the same as the original message. The use of the file name in the message is only to determine the source file name, so that I can push the log into the same file on the server side (basically the same file name replica on the client side and server side).

Example =>
Client = org mesg + file name
Server side = extract / match the file name from the received mesg and push the original mesg into that log file without the file name in the mesg content

Let me know how to remove the filename string from the received mesg so that I can get the actual mesg?

- V

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Wednesday, August 12, 2009 1:50 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng open source version -- program_override option
On Wed, 2009-08-12 at 14:24 +0530, Jain, Vaibhav (GE Healthcare) wrote:
Hi Bazsi,
I want to send all the log messages from the client machine to the server machine in the same file. I have installed the syslog-ng client on the client machine and the syslog-ng server on the server. I am passing the source file name with the log message using FILE_NAME and a template. And I am receiving the log message on the server side. And using the match macro I am pushing log messages into the file name present in the log message. But now on the server side the log message is actual mesg + file name, so I want to delete the file name from the received mesg, so that the received mesg would be the same as the original message. The use of the file name in the message is only to determine the source file name, so that I can push the log into the same file on the server side (basically the same file name replica on the client side and server side).
Example =>
Client = org mesg + file name
Server side = extract / match the file name from the received mesg and push the original mesg into that log file without the file name in the mesg content
Let me know how to remove the filename string from the received mesg so that I can get the actual mesg?
Well, this is certainly possible, but I'd like to raise one possible security issue with your configuration: you use the contents of the log message to generate a filename. Are you sure that you constrain these filenames to a sensible name on the server host? e.g. what happens if you receive /etc/passwd as the source filename, are you going to overwrite /etc/passwd?

Other than that you can remove the filename information by using a rewrite rule on the server side:

    rewrite xxx { subst("^[0-9a-zA-Z/_]+: (.*$)", "$1" value("MESSAGE")); };

this is untested and I assume here that the message begins with the filename and a filename contains "a-zA-Z0-9/_" characters.

--
Bazsi
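Putting Bazsi's two answers together (the $FILE_NAME rewrite on the client and the filename concern plus server-side rewrite above), here is an added example that is not from the thread or the syslog-ng project: the client prefixes each line with its source path, and the server parses the name back out, reduces it to a basename, allowlists it before it ever appears in a file() path, and writes the original text without the prefix. The file path, server hostname and the /var/log/remote tree are assumptions; the syntax follows syslog-ng 3.x.

```conf
@version: 3.0

#### client side: tag every line with the path of the file it came from ####
source s_files {
    file("/var/log/app/app.log" follow-freq(1));   # assumed path
};

# Bazsi's rule: the message now reads "/var/log/app/app.log: <original text>".
rewrite r_add_filename {
    set("$FILE_NAME: $MESSAGE" value("MESSAGE"));
};

destination d_server { tcp("logserver.example.com" port(601)); };  # assumed host

log { source(s_files); rewrite(r_add_filename); destination(d_server); };

#### server side: recover the name, constrain it, then write the original text ####
source s_net { tcp(ip("0.0.0.0") port(601)); };

# Split "path: text" at the first colon; greedy keeps later colons in ORIGMSG,
# so the original message survives intact (leading whitespace is stripped).
parser p_split {
    csv-parser(columns("SRCFILE", "ORIGMSG") delimiters(":")
               flags(escape-none, greedy, strip-whitespace));
};

# Keep only the basename of the client-supplied path: "/etc/passwd" -> "passwd".
rewrite r_basename { subst("^.*/", "" value("SRCFILE")); };

# Allowlist what is left: first character a letter, digit or "_", so "..",
# dotfiles and anything containing "/" never reach the file() path below.
filter f_safe_name { match("^[0-9A-Za-z_][0-9A-Za-z_.-]*$" value("SRCFILE")); };

# $SOURCEIP is the peer address seen by the kernel, not a value the client
# chooses, so it is safe to use as a directory name.
destination d_per_file {
    file("/var/log/remote/$SOURCEIP/$SRCFILE" create_dirs(yes)
         template("$ISODATE $HOST $PROGRAM: $ORIGMSG\n"));
};
destination d_rejected { file("/var/log/remote/rejected.log"); };

# flags(final) stops accepted messages here; everything else falls through
# to the second statement and lands in the quarantine file for inspection.
log { source(s_net); parser(p_split); rewrite(r_basename);
      filter(f_safe_name); destination(d_per_file); flags(final); };
log { source(s_net); destination(d_rejected); };
```

Watching rejected.log on the server is also a cheap detection for clients that send unexpected names, whether from misconfiguration or from something probing the path handling.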
Hi,

Can you tell me on which port the syslog-ng client and syslog-ng server run? I am using open source syslog-ng.

I am getting the following port numbers for the syslog-ng server and syslog-ng client. I think the port number values are garbage ... please help me on this.

syslog-ng server ==>

# netstat -nlp | grep syslog
tcp        0      0 0.0.0.0:601             0.0.0.0:*               LISTEN      19661/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     28775375 19466/python         /opt/syslog-ng/var/run/syslog-ng.ctl

syslog-ng client ==>

# netstat -nlp | grep syslog
unix  2      [ ACC ]     STREAM     LISTENING     490705   18882/syslog-ng      /opt/syslog-ng/var/run/syslog-ng.ctl

Regards,
V
Are you referring to the bolded values? Those are I-nodes, not (tcp/udp) port numbers.

On Mon, Sep 14, 2009 at 8:20 AM, Jain, Vaibhav (GE Healthcare) <Vaibhav.Jain@ge.com> wrote:
Hi,
Can you tell me on which port the syslog-ng client and syslog-ng server run? I am using open source syslog-ng.
I am getting the following port numbers for the syslog-ng server and syslog-ng client. I think the port number values are garbage ... please help me on this.
*syslog-ng server ==>*
# netstat -nlp | grep syslog
tcp        0      0 0.0.0.0:601             0.0.0.0:*               LISTEN      19661/syslog-ng
unix  2      [ ACC ]     STREAM     LISTENING     *28775375* 19466/python       /opt/syslog-ng/var/run/syslog-ng.ctl
*syslog-ng client ==>*
# netstat -nlp | grep syslog
unix  2      [ ACC ]     STREAM     LISTENING     *490705*   18882/syslog-ng    /opt/syslog-ng/var/run/syslog-ng.ctl
Regards,
V
-- Some men see things as they are and ask why. I see things that never were and ask for initiative rolls.
syslog listen on port udp 514

John Li
FIFASCI IT.EDP Technical Support
participants (4)
- Balazs Scheidler
- Jain, Vaibhav (GE Healthcare)
- john.li@fifasci.com.ph
- Matt Pinkham