[syslog-ng] ArcSight Server As Destination?
Balazs Scheidler
bazsi at balabit.hu
Mon May 21 20:07:05 CEST 2007
On Mon, 2007-05-21 at 09:23 -0500, Ivey, Chris wrote:
> As I was discussing this issue with a colleague this AM, the question
> arose as to whether or not the restamping of messages from syslog-ng
> can be turned on and off for selected destinations, or if that was a
> global option. Anyone know?
If these are syslog messages, then you can use templates to solve this
issue:
destination d_arcsight { udp("1.2.3.4" template("<$PRI>$S_DATE $HOST $MSG\n")); };
destination d_other { udp("1.2.3.4" template("<$PRI>$R_ISODATE $HOST $MSG\n")); };
For a list of macros see:
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch08s05.html
--
Bazsi
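
Added example, not part of the original post and not syslog-ng code: a Python model of how the two templates above expand for one message, showing that d_arcsight carries the sender's own stamp while d_other carries the relay's receive time. The sample line, the receive time and all function names are constructed; $MSG is taken as everything after the host field, and the sender stamp is assumed to share the relay's year and zone.

```python
import re
from datetime import datetime, timezone, timedelta

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
HEADER = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) (\S+) (.*)", re.S)

# The two templates from the post ("\n" is the newline escape used there).
T_ARCSIGHT = "<$PRI>$S_DATE $HOST $MSG\n"
T_OTHER = "<$PRI>$R_ISODATE $HOST $MSG\n"

# Constructed sample input: one BSD-syslog line and the relay's receive time.
RAW = "<38>May  9 09:23:01 web01 sshd[4242]: Failed password for root from 192.0.2.7"
RECEIVED = datetime(2007, 5, 9, 16, 23, 4, tzinfo=timezone(timedelta(hours=2)))

def bsd_date(dt):
    """BSD-syslog stamp: no year, no zone, day padded with a space."""
    return f"{MONTHS[dt.month - 1]} {dt.day:2d} {dt:%H:%M:%S}"

def macros(raw, received):
    """Build the macro values used by the two templates for one message."""
    m = HEADER.match(raw)
    if m is None:
        raise ValueError("not a BSD-syslog line")
    pri, mon, day, hh, mm, ss, host, msg = m.groups()
    # The sender stamp has no year or zone; assume the relay's (assumption).
    sent = received.replace(month=MONTHS.index(mon) + 1, day=int(day),
                            hour=int(hh), minute=int(mm), second=int(ss))
    return {
        "PRI": pri,
        "S_DATE": bsd_date(sent),                             # sender's stamp
        "R_ISODATE": received.isoformat(timespec="seconds"),  # relay's stamp
        "HOST": host,
        "MSG": msg,
    }

def render(template, values):
    """Expand $NAME macros; an unknown macro raises KeyError."""
    return re.sub(r"\$([A-Z_]+)", lambda m: values[m.group(1)], template)

if __name__ == "__main__":
    v = macros(RAW, RECEIVED)
    print(render(T_ARCSIGHT, v), end="")  # what d_arcsight would send
    print(render(T_OTHER, v), end="")     # what d_other would send
```

The seven-hour gap between the two rendered stamps in this sample is the kind of sender clock drift that stays visible in one feed and is hidden in the other.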