[syslog-ng] syslog-ng as a relay
Moxey, Joel, VF UK - Technology (TS)
Joel.Moxey at vodafone.com
Tue Jun 19 14:42:22 CEST 2007
Thank you very much... that works very well indeed...
Summary of config:
# no-parse: input is not parsed as syslog; the whole datagram ends up in $MESSAGE
source s_remote { udp(ip(0.0.0.0) port(514) flags(no-parse)); };
# spoof_source(yes): forward with the original sender's IP as the packet source
destination d_one {
    udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")
        template-escape(no));
};
destination d_two {
    udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")
        template-escape(no));
};
log { source(s_remote); destination(d_one); destination(d_two); };
I added the template-escape as I found that some " were being escaped -
changing the original message slightly.
Joel
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs
Scheidler
Sent: 19 June 2007 12:19 pm
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] syslog-ng as a relay
On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:
> > So, I have been trying destinations as follows:
> >
> > destination d_remote {
> > udp("X.X.X.X" port(514) spoof_source(yes)
> > template("$MESSAGE\n"));
> > udp("Y.Y.Y.Y" port(514) spoof_source(yes)
> > template("$MESSAGE\n"));
> > };
>
> Instead of this you should use two different destination definitions:
>
> destination d_remote_one {
> ...
> };
>
> destination d_remote_two {
> ...
> };
>
> and later
>
> log {
> source(...);
> filter(...);
> destination(d_remote_one);
> destination(d_remote_two);
> };
Organizing destinations is a matter of preference, so this is not
strictly required.
> > $MESSAGE\n Syslog facility and priority headers are
> > stripped away from relayed messages.
>
> try using template("<$M_PRI> $MESSAGE\n");
M_PRI is not a valid macro; the above format should be written as
"<$PRI> $MESSAGE\n". M_PRI is the internal identifier for that macro.
Please note that PRIORITY and PRI are not the same. "PRI" denotes the
PRI field of the syslog header, which is comprised of a FACILITY and a
LEVEL value. PRIORITY is an alias for LEVEL.
Sorry for the confusing names. Partly this is caused by compatibility
with older versions of syslog-ng.
If the incoming message at least resembles a syslog message (e.g. it
has a proper PRI heading), then you could use the template defined
above.
If it does not, you could still use the no-parse flag for your input,
and "$MESSAGE\n" as output template.
--
Bazsi
_______________________________________________
syslog-ng maillist - syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
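
Added example (not part of the original thread and not syslog-ng code): a small Python check for validating a relay like the one discussed above. It decodes the PRI heading into FACILITY and LEVEL and compares a datagram as received with the copy the relay forwarded. The function names and the sample datagram are constructed for illustration.

```python
import re

# RFC 3164 facility and level names, indexed by numeric value.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
LEVELS = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"<(\d{1,3})>")

# Constructed sample datagram: <38> = facility 4 (auth) * 8 + level 6 (info).
ORIGINAL = b'<38>Jun 19 14:42:22 host sshd[411]: user "joel" logged in'


def split_pri(datagram: bytes):
    """Return (pri, facility, level, rest), or None without a proper PRI heading."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:  # 191 = local7.debug, the largest PRI
        return None
    pri = int(m.group(1))
    # PRI = FACILITY * 8 + LEVEL; syslog-ng's $PRIORITY is an alias for $LEVEL.
    return pri, FACILITIES[pri >> 3], LEVELS[pri & 7], datagram[m.end():]


def relay_check(original: bytes, relayed: bytes) -> str:
    """Compare what the relay received with what it forwarded."""
    src, dst = split_pri(original), split_pri(relayed)
    src_pri = src[0] if src else None
    dst_pri = dst[0] if dst else None
    if src_pri is not None and dst_pri is None:
        return "pri-stripped"   # parsed input forwarded with "$MESSAGE\n" only
    if src_pri != dst_pri:
        return "pri-changed"    # facility or level differs downstream
    same = original.rstrip(b"\n") == relayed.rstrip(b"\n")
    return "intact" if same else "body-changed"  # e.g. escaped quotes


if __name__ == "__main__":
    print(split_pri(ORIGINAL)[:3])
    print(relay_check(ORIGINAL, ORIGINAL + b"\n"))
    print(relay_check(ORIGINAL, ORIGINAL[4:] + b"\n"))
    print(relay_check(ORIGINAL, ORIGINAL.replace(b'"', b'\\"') + b"\n"))
```

Feeding it captures taken on both sides of the relay shows whether downstream collectors still see the facility and level the sender set, and whether the payload was rewritten on the way.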