[syslog-ng] syslog-ng as a relay

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Tue Jun 19 11:50:25 CEST 2007 

> Hi!
> 
> I am trying to work out if syslog-ng can act as a relay without doing
> "noticeable" changes to the syslog message in terms of what the syslog
> server sees.
> 
> The problem: 
> 
> 1)	The device sends non-standard syslog messages

That might be a problem. You should try using the flags(no-parse);
option in your source definition, however if you want to use macros
then you'll be in trouble

> 2)	The syslog needs to go to 2 end systems, the device supports 1

shouldn't be a problem

> 3)	One of the end devices needs to receive the syslog in exactly
> the same 	for as originally sent by the device

might be tricky...

> So, I have been trying destinations as follows:
> 
> destination d_remote {
> 	udp("X.X.X.X" port(514) spoof_source(yes)
> template("$MESSAGE\n"));
> 	udp("Y.Y.Y.Y" port(514) spoof_source(yes)
> template("$MESSAGE\n"));
> };

Instead of this you should use two different destination definitions:

destination d_remote_one {
	...
};

destination d_remote_two {
	...
};

and later

log {
	source(...);
	filter(...);
	destination(d_remote_one);
	destination(d_remote_two);
};

> I have also tried various combinations having "template" and adding
> FACILITY and LEVEL, but I am current failing to reproduce the original
> packet.
> 
> My results:
> 
> Template			Result
> ==========================================
> None				Relayed message has standard date and
> hostname added 				which weren't 
> in original
> package.

that might happen even when you disable parsing of the message

> $MESSAGE\n			Syslog facility and priority headers are
> stripped 				away from relayed messages.

try using template("<$M_PRI> $MESSAGE\n");

> Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what 
> I need as
> they don't appear to go into the right fields, and syslog-ng 
> appears to
> put KERN.EMERG in instead...

The first part of the message defines the facility/priority. Using
macros you should use <$M_PRI> , however this depends on the parsing
of the message...

I think the really authorative answer to your questions might come
from Bazsi, so you should wait for his answer :)

Regards,

Sandor
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.

More information about the syslog-ng mailing list