[syslog-ng] Syslog relay : keep facility and level

Evan Rempel erempel at uvic.ca
Wed Sep 10 16:13:31 CEST 2008


When you use a template, it becomes the *entire* template of the syslog message
on the wire. Since syslog-ng does not know that you are sending the message to
another syslog server (relaying), it can not automatically make the message
conform to the syslog RFC format. This job is up to you. So... your template
should really have the following format

"<$PRI>$S_DATE $HOST $PROGRAM: $SOURCEIP $MSGONLY"

I'm not sure why you want the source IP in the message portion, since $HOST
will be the source host that the message came from. I guess it depends on
what application is receiving the messages on your Host2.

Evan.
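As an added illustration (not part of the original post), the snippet below shows why the facility and level vanished: the PRI field is a single number, facility * 8 + severity, carried in the <PRI> prefix, and a receiver that finds no valid prefix falls back to PRI 13, which is exactly user.notice. The relay template strings, host names and IP are constructed for the example.

```python
import re

# Facility and severity codes from RFC 3164 section 4.1.1 (subset).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "cron": 9, "authpriv": 10,
              "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """PRI is one number: facility * 8 + severity (user.warning -> 12)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def relay_line(facility, severity, host, program, sourceip, msg, keep_pri):
    """Line a relay emits for one message.

    keep_pri=False mimics the template in the question ("$SOURCEIP $MSG"),
    keep_pri=True mimics the suggested
    "<$PRI>$S_DATE $HOST $PROGRAM: $SOURCEIP $MSGONLY".
    The timestamp is a constructed constant so the output is deterministic.
    """
    if not keep_pri:
        return "%s %s" % (sourceip, msg)
    body = "Sep 10 16:13:31 %s %s: %s %s" % (host, program, sourceip, msg)
    return "<%d>%s" % (pri(facility, severity), body)


def parse(line):
    """Receiver side (RFC 3164 section 4.3.3): a message without a valid
    <PRI> prefix is treated as PRI 13, i.e. user.notice, which is what
    Host3 saw. Returns (facility, severity, remainder)."""
    m = re.match(r"^<(\d{1,3})>", line)
    if m and int(m.group(1)) <= 191:      # 23 facilities * 8 + 7 = 191 max
        value = int(m.group(1))
        rest = line[m.end():]
    else:
        value = 13
        rest = line
    facility = FACILITY_NAMES.get(value // 8, str(value // 8))
    severity = SEVERITY_NAMES[value % 8]
    return facility, severity, rest
```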

Thibaud Desodt wrote:
> Hi,
> 
> I am trying to setup a syslog-ng architecture with a relay.
> 
> Here is an example :
> 
> Linux Host1 logs messages to syslog with facility user.info
> 
> on Host1, syslog-ng is set up to forward these messages (with a filter 
> based on the facility) to Host2 via UDP
> 
> Linux Host2(log collector)'s syslog-ng is configured to listen for 
> incoming udp packets, and forward them to a Windows Host3 after changing 
> the message's format thanks to a template  (add the Source IP at the 
> beginning of the message)
> 
> Windows Host3 processes the incoming udp messages.
> 
> 
> I have managed to make it work, that is, messages generated on Host1 
> with the logger command are successfully received on Host3. 
> Nevertheless, it looks like all the messages reaching my Host3 have the 
> facility/priority User.notice, instead of the original one.
> 
> Here are some parts of my configuration :
> -------on Host1:
> 
> #filter for user facility - for tests
> filter f_user {facility(user); };
> 
> destination host2 {udp("IP.Address.of.Host2");};
> log { source(src); filter(f_user); destination(host2); };
> 
> ------on Host2
> # syslog full redirection to Thibaud's machine
> destination host3 { udp("IP.ADDRESSE:OF:HOST" template("$SOURCEIP $MSG\n")); };
> 
> source s_udp {udp();};
> 
> log { source(s_udp); destination ( host3 ); };
> 
> 
> I generate messages on host1 with the command logger -p user.warning 
> "message warning test"
> 
> Is there anything I am doing wrong? Could changing the template make the 
> message lose information about Facility and Level?
> 
> Thanks in advance
> 
> 
> 
> 