[syslog-ng] syslog-ng as a relay

Alexander Clouter ac56 at soas.ac.uk
Tue Jun 19 11:48:20 CEST 2007 

Hi,

Moxey, Joel, VF UK - Technology (TS) <Joel.Moxey at vodafone.com> [20070619 10:14:24 +0100]:
>
> Hi!
> 
> I am trying to work out if syslog-ng can act as a relay without doing
> "noticeable" changes to the syslog message in terms of what the syslog
> server sees.
> 
I would be more inclinded to probably consider using netcat[1].  You probably 
could do something like (I might have this wrong though, its called a 'netcat 
relay'):

$ mknod transferpipe p
$ nc -u <dest-ip> 514 < transferpipe | nc -u -l -p 514 > transferpipe

Cheers

Alex

[1] http://www.securitydocs.com/library/3376

> The problem: 
> 
> 1)	The device sends non-standard syslog messages
> 2)	The syslog needs to go to 2 end systems, the device supports 1
> 3)	One of the end devices needs to receive the syslog in exactly
> the same 	for as originally sent by the device
> 
> 
> So, I have been trying destinations as follows:
> 
> destination d_remote {
> 	udp("X.X.X.X" port(514) spoof_source(yes)
> template("$MESSAGE\n"));
> 	udp("Y.Y.Y.Y" port(514) spoof_source(yes)
> template("$MESSAGE\n"));
> };
> 
> I have also tried various combinations having "template" and adding
> FACILITY and LEVEL, but I am current failing to reproduce the original
> packet.
> 
> My results:
> 
> Template			Result
> ==========================================
> None				Relayed message has standard date and
> hostname added 				which weren't in original
> package.
> $MESSAGE\n			Syslog facility and priority headers are
> stripped 				away from relayed messages.
> 
> Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as
> they don't appear to go into the right fields, and syslog-ng appears to
> put KERN.EMERG in instead...
> 
> The version I am running on is 2.0.4.
> 
> If anyone has managed to get this working like this, I would be grateful
> of any pointers.
> 
> Thanks,
> 
> Joel
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>

More information about the syslog-ng mailing list