syslog-ng relay prepends headers

I know this has been asked a lot, but I haven't found a working answer (after much failed googling and reading the admin guide). I am using syslog-ng 2.0.5 on Fedora 7. I am trying to relay syslog messages. Syslog messages sent to syslog-ng in the format "priority datestamp host message" are being relayed as "priority "datestamp of syslog-ng" "hostname of syslog-ng" "datestamp orig" "hostname original" message".

I have chain_hostnames(no) defined and I restarted syslog-ng (the options stanza is below), but still the headers are prepended. Any advice?

# Options
options {
    chain_hostnames(no);
    keep_hostname(yes);
    use_time_recvd(no);
};
On Tue, 2007-10-30 at 11:25 -0400, Mike Fratto wrote:
> I know this has been asked a lot, but I haven't found a working answer (after much failed googling and reading the admin guide). I am using syslog-ng 2.0.5 on Fedora 7. I am trying to relay syslog messages. Syslog messages sent to syslog-ng in the format "priority datestamp host message" are being relayed as "priority "datestamp of syslog-ng" "hostname of syslog-ng" "datestamp orig" "hostname original" message".
>
> I have chain_hostnames(no) defined and I restarted syslog-ng (the options stanza is below), but still the headers are prepended.

Where are you inspecting the relayed messages? On the wire, or on the receiving side? Maybe syslog-ng used an ISO timestamp and the receiver does not support that?

-- 
Bazsi
Bazsi,

I am inspecting on the relay itself. Pasted below is the sent message and the relayed message. The sent message appears to be RFC 3164 formatted already. In the relayed message, syslog-ng prepends the sent timestamp and the hostname onto the existing message. For sources that send raw, non-RFC 3164 formatted messages, that's OK (desired, in fact), but for sources that do send RFC 3164 formatted messages, it's redundant. I also pasted my config file at the end.

I started out wanting syslog-ng to transparently forward messages. So is what I am seeing the expected behavior?

But after looking more deeply at the sources, what I want to do is have syslog-ng reformat non-RFC 3164 messages to that format (which I can do with macros).

mike

10:06:14.322290 IP (tos 0x0, ttl 127, id 29867, offset 0, flags [none], proto UDP (17), length 131) 192.168.14.5.dcs > 192.168.17.212.syslog: SYSLOG, length: 103
    Facility mail (2), Severity notice (5)
    Msg: Nov 06 10:11 example.com 10:11:48.866 2 SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes

10:06:14.322411 IP (tos 0x0, ttl 64, id 40000, offset 0, flags [DF], proto UDP (17), length 153) 192.158.17.212.32843 > 192.168.17.198.syslog: SYSLOG, length: 125
    Facility mail (2), Severity notice (5)
    Msg: Nov 6 10:06:14 mail Nov 06 10:11 example.com 10:11:48.866 2 SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes\012

# Options
options {
    chain_hostnames(no);
    keep_hostname(yes);
    use_time_recvd(no);
};

# network syslog listener
source s_udp {
    udp();
    unix-stream("/dev/log");
};

destination d_test { udp("192.168.17.198"); };

log { source(s_udp); destination(d_test); };
On Tue, 2007-11-06 at 10:27 -0500, Mike Fratto wrote:
> Bazsi,
>
> I am inspecting on the relay itself. Pasted below is the sent message and the relayed message. The sent message appears to be RFC 3164 formatted already. In the relayed message, syslog-ng prepends the sent timestamp and the hostname onto the existing message. For sources that send raw, non-RFC 3164 formatted messages, that's OK (desired, in fact), but for sources that do send RFC 3164 formatted messages, it's redundant. I also pasted my config file at the end.
>
> I started out wanting syslog-ng to transparently forward messages. So is what I am seeing the expected behavior?
>
> But after looking more deeply at the sources, what I want to do is have syslog-ng reformat non-RFC 3164 messages to that format (which I can do with macros).
>
> mike
>
> 10:06:14.322290 IP (tos 0x0, ttl 127, id 29867, offset 0, flags [none], proto UDP (17), length 131) 192.168.14.5.dcs > 192.168.17.212.syslog: SYSLOG, length: 103
>     Facility mail (2), Severity notice (5)
>     Msg: Nov 06 10:11 example.com 10:11:48.866 2 SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes
The problem is that the timestamp is not complete: it does not contain seconds information. As it is not properly formatted, syslog-ng assumes that it's not RFC 3164 and takes the complete line as a message.

-- 
Bazsi
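An added example (not from the thread and not syslog-ng's own code) modelling the header check Bazsi describes: a BSD syslog header only counts as RFC 3164 when the timestamp has seconds, and a relay configured with keep_hostname(yes) and use_time_recvd(no) stamps its own time and hostname in front of any line whose header it could not parse. The function names, the PRI value 21 (facility mail = 2, severity notice = 5) and the sample lines are constructed from the tcpdump output above; accepting a zero-padded day is an assumption made for this example.

```python
import re
from datetime import datetime

# After the <PRI>, a parsable header is "Mmm dd hh:mm:ss HOSTNAME " followed by
# MSG. The seconds field is mandatory, so "Nov 06 10:11" fails the check and
# the whole remainder becomes MSG. Accepting "06" as well as " 6" for the day
# is an assumption of this example, not a statement about syslog-ng's parser.
PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.S)
HDR_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$',
    re.S)

def parse_bsd(line):
    """Split a BSD syslog line into (pri, timestamp, hostname, msg).
    timestamp and hostname are None when the header did not parse."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError('missing <PRI>')
    pri, rest = int(m.group(1)), m.group(2)
    h = HDR_RE.match(rest)
    if h:
        return pri, h.group('ts'), h.group('host'), h.group('msg')
    return pri, None, None, rest

def relay(line, relay_host, received_at):
    """Re-emit a line as a keep_hostname(yes)/use_time_recvd(no) relay does:
    the sender's timestamp and host are kept when the header parsed; otherwise
    the relay's own time and name go in front of the original text, which is
    exactly the "prepended header" seen in the thread."""
    pri, ts, host, msg = parse_bsd(line)
    if ts is None:
        ts = '%s %2d %s' % (received_at.strftime('%b'), received_at.day,
                            received_at.strftime('%H:%M:%S'))
        host = relay_host
    return '<%d>%s %s %s' % (pri, ts, host, msg)

# Constructed samples: the sender's line as captured (no seconds), and the same
# event with a complete timestamp, which a relay would forward untouched.
BAD = ('<21>Nov 06 10:11 example.com 10:11:48.866 2 '
       'SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes')
GOOD = ('<21>Nov 06 10:11:48 example.com '
        'SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes')
RECV = datetime(2007, 11, 6, 10, 6, 14)  # relay clock at receive time

if __name__ == '__main__':
    for sample in (BAD, GOOD):
        print(relay(sample, 'mail', RECV))
```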
Thanks Bazsi. It's the little things.

On Nov 8, 2007 2:47 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:

> 10:06:14.322290 IP (tos 0x0, ttl 127, id 29867, offset 0, flags [none], proto UDP (17), length 131) 192.168.14.5.dcs > 192.168.17.212.syslog: SYSLOG, length: 103
>     Facility mail (2), Severity notice (5)
>     Msg: Nov 06 10:11 example.com 10:11:48.866 2 SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes
>
> The problem is that the timestamp is not complete: it does not contain seconds information. As it is not properly formatted, syslog-ng assumes that it's not RFC 3164 and takes the complete line as a message.