[syslog-ng] Using syslog-ng as a relay inject unexpected data
Eli Stair
estair at ilm.com
Thu Dec 20 19:16:27 CET 2007
Hey Allen,
I'd say that if you /are/ seeing '38' (or anything over 23) as a number
pre-pended, it's not the facility which was my first guess. Could be reporting
PID or other internal identifier of the sender, which some devices I see seem
to use. Just speculation.. Does the number change, if so how?
To verify that's actually being /sent/ by the syslog-ng forwarder, check the
output when logging to a local file as well as the remote forward using the
same src:template, and see if it shows up in both, as well look at the packets
as they hit the wire and see if it's in the payload. If it IS being sent by
your relay, also verify that it isn't actually in the payload sent by your log
client. Can you post the template/src/dest stanzas if you find it IS being
generated by the syslog-ng relay?
There's obvious likelihood that it's not syslog-ng on the sending host in
question, but at the receiving end or originating sender adding this.
/eli
Allen Bettilyon wrote:
> Hello,
>
> I'm doing some pretty basic syslog forwarding using syslog-ng 1.6.2.
>
> Essentially, I've got the following:
>
> destination remoteHost {
> tcp("1.1.1.1 <http://1.1.1.1> port 9999");
> };
>
>
> The forwarding is working correctly, however on the remote side all my
> log lines are prepended with a <number> tag.
>
> For example: Some log line
> turns into: <38>Some log line
>
> I've tried creating a custom template, but the <number> is always added
> to the log lines when the arrive at the remote host.
>
> Why is this happening and is there a way to turn it off?
>
> Thanks,
>
> - Allen Bettilyon
>
>
>
>
>
>
More information about the syslog-ng
mailing list