[syslog-ng] Tool to determine facility and severity from
Alexander Clouter
ac56 at soas.ac.uk
Tue Dec 5 10:47:57 CET 2006
Hi,
Heiko Blume <Heiko at Blume.AG> [20061205 10:32:19 +0100]:
>
> probably with the sniffer from ethereal.com
>
I would be more inclined to use a Perl module:
http://search.cpan.org/~sparsons/Net-Dev-Syslog-0.8.0/Syslog.pm
It will create a mini syslog server, decode the packets for you, and then it
would be trivial, if you know Perl, to re-inject them with the same module or
a different one:
http://search.cpan.org/~saper/Sys-Syslog-0.18/Syslog.pm
If you do not know Perl you will probably find this is a nice mini-project to
introduce you to the language. It's damn handy to be able to throw together a
quick hack script to do jobs like this; it means you no longer have to rely on
the hope that someone else has done this already, otherwise you would be out
of options.
The problem you are going to run into is that you effectively have to have a
syslog proxy on another machine, or a second IP bound to your syslog core
server. You cannot have this 'rewriter' and syslog-ng on the same box as
both will be trying to listen on the same port; well, you could pick different
IPs for them to bind to though.
By the sounds of it you really want to create a syslog-ng filter that has a
list of IPs, hard-codes the facility, and extracts the severity there. To
be honest, if the facility is fixed then there is really no information you
can extract that you could not determine as "well, it came from this IP, therefore
it has the *fixed* facility xyz".
As for severity, it's probably worth just grepping for keywords in the message
for what you are looking for anyway. That's where programs like swatch can
help.
Of course I might have missed completely what you are trying to accomplish,
if so give a few more details and I'll try to help.
Cheers
Alex
> regards, hb
>
> > Does anyone know of a tool to read the facility and severity info from
> > inbound syslog packets? I have a number of devices that are sending me
> > syslog info and I can't determine what facility they're using. These
> > devices can't be set to use specific facilities unfortunately. It would
> > be ideal if I could read the data out of a raw dump from tcpdump or at
> > least be able to bind it to 514/udp and prepend facility/severity info
> > on each log line.
> >
> > Along the same lines it would be sweet if there was a way to rewrite the
> > facility information in inbound syslog packets (based on source IP)
> > before passing them to your favorite syslog server. This would be ideal
> > for occasions such as this.
> >
> > Any info would be greatly appreciated. Thanks
> >
> > Justin
> > _______________________________________________
> > syslog-ng maillist - syslog-ng at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
> >
>
>
> --
> Heiko at Blume.AG
>
> Cisco Certified Network Professional
> Cisco Certified Design Professional
> Juniper Certified Internet Specialist
> SUN Certified System Administrator
>
>
> Office: +49.30/4426309
> FAX: +49.30/48494354
> Mobile: +49.178/6662342
> www: http://www.blume.ag/IT/
> PHY: Knaackstrasse 6, 10405 Berlin, DE
>
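Added example, not code from the thread and not one of the Perl modules the reply links to: the same idea (a tiny receiver that decodes the PRI field and re-injects the datagram) written in Python so it runs without CPAN. PRI is the `<N>` prefix of a syslog datagram, with N = facility * 8 + severity; the script decodes it, prepends facility/severity names to each line (Justin's first request), and rewrites the facility from a per-source-IP table while keeping the severity (his second request). The sample datagrams, the 192.0.2.x addresses and the FACILITY_BY_IP map are constructed for the example; `serve()` is the optional live proxy and, as Alex points out, must be bound to a different IP or port than syslog-ng.

```python
import re
import socket

# Facility and severity names in RFC 3164 numbering (names as syslog-ng uses them).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + decimal 0..191 + ">" at the very start of the datagram (RFC 3164 4.1.1).
PRI_RE = re.compile(rb"^<(\d{1,3})>")
DEFAULT_PRI = 13  # user.notice: what RFC 3164 says to assume when PRI is missing or malformed

# Constructed sample datagrams with their (pretend) source addresses.
SAMPLE_PACKETS = [
    ("192.0.2.10", b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
    ("192.0.2.11", b"<165>Dec  5 10:47:57 router1 %SYS-5-CONFIG_I: Configured from console by admin"),
    ("192.0.2.12", b"Dec  5 10:48:01 legacybox: message without a PRI header"),
    ("192.0.2.10", b"<999>Dec  5 10:48:02 badbox: out-of-range PRI"),
]
# Hypothetical rewrite table: source IP -> facility number to force (23 = local7, 16 = local0).
FACILITY_BY_IP = {"192.0.2.10": 23, "192.0.2.11": 16}


def split_pri(packet):
    """Return (pri, rest). rest is the payload after a valid PRI; for a missing or
    out-of-range PRI the whole datagram is kept as the message and DEFAULT_PRI is used."""
    m = PRI_RE.match(packet)
    if m is not None:
        pri = int(m.group(1))
        if pri <= 191:
            return pri, packet[m.end():]
    return DEFAULT_PRI, packet


def decode_pri(packet):
    """Facility and severity as numbers: PRI = facility * 8 + severity."""
    pri, rest = split_pri(packet)
    return pri >> 3, pri & 7, rest


def annotate(packet, src_ip):
    """One line per datagram with facility.severity and the source prepended."""
    fac, sev, rest = decode_pri(packet)
    return "%s.%s [%s] %s" % (FACILITIES[fac], SEVERITIES[sev],
                              src_ip, rest.decode("utf-8", "replace"))


def rewrite_facility(packet, src_ip, facility_by_ip):
    """Replace the facility for datagrams from known source IPs, keeping the severity.
    Datagrams from unknown sources pass through byte-for-byte."""
    new_fac = facility_by_ip.get(src_ip)
    if new_fac is None:
        return packet
    _, sev, rest = decode_pri(packet)
    return b"<%d>" % ((new_fac << 3) | sev) + rest


def serve(listen_addr, forward_addr, facility_by_ip):
    """Minimal UDP rewriting proxy: receive on listen_addr, fix the PRI by source IP,
    forward to forward_addr (syslog-ng). Bind it to a second IP or another port, since
    two listeners cannot share 514/udp on the same address."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen_addr)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        packet, (src_ip, _port) = rx.recvfrom(65535)
        tx.sendto(rewrite_facility(packet, src_ip, facility_by_ip), forward_addr)


if __name__ == "__main__":
    for ip, pkt in SAMPLE_PACKETS:
        print(annotate(pkt, ip))
        print("  rewritten:", rewrite_facility(pkt, ip, FACILITY_BY_IP))
    # Live use, e.g. on a second address with syslog-ng on the primary one:
    # serve(("192.0.2.2", 514), ("192.0.2.1", 514), FACILITY_BY_IP)
```

Two caveats for anyone running the proxy for real: the source IP of a UDP datagram is trivially spoofable, so a facility assigned from it is only as trustworthy as the network between the device and the collector, and the rewrite discards the original PRI, so keep the annotated copy if you may need it later for troubleshooting. A malformed PRI such as `<999>` is deliberately kept inside the message text, as RFC 3164 prescribes, rather than silently dropped.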