[syslog-ng] syslog-ng as a relay

Moxey, Joel, VF UK - Technology (TS) Joel.Moxey at vodafone.com
Tue Jun 19 14:42:22 CEST 2007

Thank you very much... that works very well indeed...

Summary of config:

source s_remote { udp(ip( port(514) flags(no-parse)); };

destination d_one {
        udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n"));
};
destination d_two {
        udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n"));
};

log { source(s_remote); destination(d_one); destination(d_two); };

I added the template-escape as I found that some " were being escaped -
changing the original message slightly.


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs
Sent: 19 June 2007 12:19 pm
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] syslog-ng as a relay

On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:

> > So, I have been trying destinations as follows:
> > 
> > destination d_remote {
> > 	udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n"));
> > 	udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n"));
> > };
> Instead of this you should use two different destination definitions:
> destination d_remote_one {
> 	...
> };
> destination d_remote_two {
> 	...
> };
> and later
> log {
> 	source(...);
> 	filter(...);
> 	destination(d_remote_one);
> 	destination(d_remote_two);
> };

Organizing destinations is a matter of preference, so this is not
strictly required.

> > $MESSAGE\n	Syslog facility and priority headers are stripped away
> > 		from relayed messages.
> try using template("<$M_PRI> $MESSAGE\n");

M_PRI is not a valid macro, the above format should be written as 
"<$PRI> $MESSAGE\n", M_PRI is the internal identifier for that macro.

Please note that PRIORITY and PRI are not the same. "PRI" denotes the
PRI field of the syslog header, which is comprised of a FACILITY and a
LEVEL value. PRIORITY is an alias for LEVEL.

Sorry for the confusing names. Partly this is caused by compatibility
with older versions of syslog-ng.

If the incoming message at least resembles a syslog message (e.g. it
has a proper PRI heading), then you could use the template defined

If it does not, you could still use the no-parse flag for your input,
and "$MESSAGE\n" as output template.


syslog-ng maillist  -  syslog-ng at lists.balabit.hu
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
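
Added example (not part of the original thread and not syslog-ng code): a Python check that decodes the PRI field discussed above (FACILITY * 8 + LEVEL, as defined in RFC 3164) and compares a datagram before and after a relay, to confirm that facility and level were neither stripped nor rewritten. The function names and sample datagrams are constructed for illustration.

```python
import re

# RFC 3164 PRI heading: "<", 1-3 digits, ">" at the very start of the datagram.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "log_audit", "log_alert",
              "clock"] + [f"local{i}" for i in range(8)]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def split_pri(datagram):
    """Return (pri, rest), or (None, datagram) if there is no valid PRI heading."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 191 = local7.debug, the maximum
        return None, datagram
    return int(m.group(1)), datagram[m.end():]

def decode_pri(pri):
    """Split a PRI value into names: PRI = FACILITY * 8 + LEVEL."""
    return FACILITIES[pri >> 3], LEVELS[pri & 7]

def check_relay(original, relayed):
    """Compare the PRI of a datagram before and after it passed the relay."""
    before, _ = split_pri(original)
    after, _ = split_pri(relayed)
    if before is None:
        return "original has no PRI"
    if after is None:
        return "stripped"
    return "preserved" if before == after else "rewritten"

# Constructed sample datagrams (not taken from the thread).
ORIGINAL = b"<38>Jun 19 14:42:22 host1 sshd[411]: Failed password for root\n"
STRIPPED = b"Jun 19 14:42:22 host1 sshd[411]: Failed password for root\n"
REWRITTEN = b"<13>Jun 19 14:42:22 host1 sshd[411]: Failed password for root\n"

if __name__ == "__main__":
    pri, _ = split_pri(ORIGINAL)
    print(pri, decode_pri(pri))
    for name, relayed in [("same", ORIGINAL), ("stripped", STRIPPED),
                          ("rewritten", REWRITTEN)]:
        print(name, "->", check_relay(ORIGINAL, relayed))
```

Feeding it a capture taken on each side of the relay shows whether a given template keeps the facility and level that downstream filters and alert rules depend on.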
