[syslog-ng] syslog-ng as a relay

Alexander Clouter ac56 at soas.ac.uk
Tue Jun 19 11:50:21 CEST 2007 

Hi,

Sorry ignore all that, got distracted by your first paragraph, should have 
read on, my mistake.

"As you were..."

Regards

Alex

Alexander Clouter <ac56 at soas.ac.uk> [20070619 10:48:20 +0100]:
>
> Hi,
> 
> Moxey, Joel, VF UK - Technology (TS) <Joel.Moxey at vodafone.com> [20070619 10:14:24 +0100]:
> >
> > Hi!
> > 
> > I am trying to work out if syslog-ng can act as a relay without doing
> > "noticeable" changes to the syslog message in terms of what the syslog
> > server sees.
> > 
> I would be more inclinded to probably consider using netcat[1].  You probably 
> could do something like (I might have this wrong though, its called a 'netcat 
> relay'):
> 
> $ mknod transferpipe p
> $ nc -u <dest-ip> 514 < transferpipe | nc -u -l -p 514 > transferpipe
> 
> Cheers
> 
> Alex
> 
> [1] http://www.securitydocs.com/library/3376
> 
> > The problem: 
> > 
> > 1)	The device sends non-standard syslog messages
> > 2)	The syslog needs to go to 2 end systems, the device supports 1
> > 3)	One of the end devices needs to receive the syslog in exactly
> > the same 	for as originally sent by the device
> > 
> > 
> > So, I have been trying destinations as follows:
> > 
> > destination d_remote {
> > 	udp("X.X.X.X" port(514) spoof_source(yes)
> > template("$MESSAGE\n"));
> > 	udp("Y.Y.Y.Y" port(514) spoof_source(yes)
> > template("$MESSAGE\n"));
> > };
> > 
> > I have also tried various combinations having "template" and adding
> > FACILITY and LEVEL, but I am current failing to reproduce the original
> > packet.
> > 
> > My results:
> > 
> > Template			Result
> > ==========================================
> > None				Relayed message has standard date and
> > hostname added 				which weren't in original
> > package.
> > $MESSAGE\n			Syslog facility and priority headers are
> > stripped 				away from relayed messages.
> > 
> > Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as
> > they don't appear to go into the right fields, and syslog-ng appears to
> > put KERN.EMERG in instead...
> > 
> > The version I am running on is 2.0.4.
> > 
> > If anyone has managed to get this working like this, I would be grateful
> > of any pointers.
> > 
> > Thanks,
> > 
> > Joel
> > 
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> > 
> > 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>

More information about the syslog-ng mailing list