[syslog-ng] Syslog-ng open source version -- program_override option

Balazs Scheidler bazsi at balabit.hu
Wed Aug 12 14:31:33 CEST 2009


On Wed, 2009-08-12 at 14:24 +0530, Jain, Vaibhav (GE Healthcare) wrote:
> Hi Bazsi,
> 
> I want to send all the log messages from client machine to server machine
> in the same file. I have installed the syslog-ng client on client
> machine and syslog-ng server on server. I am passing the source file
> name with the log message using FILE_NAME and template. And I am
> receiving the log message on server side. And using match macro I am
> pushing log messages in the file name present in the log message. But
> now on the server side the log message is actual mesg + file name. So I
> want to delete the file name from the received mesg. So that the
> received mesg would be same as original message. The use of file name in
> the message is only to determine the source file name. So that I can push
> the log in the same file in the server side. ( basically same file name
> replica on client side and server side )
> 
> Example => 
> 
> 
> Client = org mesg + file name
>      |
>      |
> Server side = extract / match the file name from the received mesg and
> push the original mesg in that log file without file name in the mesg
> content
> 
> Let me know how to remove the filename string from the received mesg so
> that I can get the actual mesg?

Well, this is certainly possible, but I'd like to raise one possible
security issue with your configuration: you use the contents of the log
message to generate a filename. Are you sure that you constrain these
filenames to a sensible name on the server host? e.g. what happens if you
receive /etc/passwd as the source filename, are you going to
overwrite /etc/passwd?

Other than that you can remove the filename information by using a
rewrite rule on the server side:

rewrite xxx { subst("^[0-9a-zA-Z/_]+: (.*$)", "$1"); };

this is untested and I assume here that the message begins with the
filename and a filename contains "a-zA-Z0-9/_" characters.

-- 
Bazsi
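Added example, not part of the post and not syslog-ng code: a small Python model of the subst() rewrite above together with the filename constraint raised in the first paragraph, so the two can be checked against sample lines. LOG_BASE, the sample lines and the function names are assumptions.

```python
import posixpath
import re

# Assumed server-side directory for relayed logs; the post names none.
LOG_BASE = "/var/log/remote"

# Same pattern as the subst() rule in the reply: a run of [0-9a-zA-Z/_]
# at the start of the message, ": ", then the original message.  The
# class has no ".", so a name like audit.log never matches and the
# message passes through unchanged, as subst() would leave it.
PREFIX_RE = re.compile(r"^([0-9a-zA-Z/_]+): (.*)$")

# Constructed sample lines in the client's "filename: message" layout.
SAMPLE_LINES = [
    "messages: kernel: eth0 link up",
    "/etc/passwd: root:x:0:0:root:/root:/bin/bash",
    "/var/log/app/audit.log: user alice logged in",
]

def split_prefix(msg):
    # (filename, message) as the rewrite sees them; no match -> (None, msg)
    m = PREFIX_RE.match(msg)
    if not m:
        return None, msg
    return m.group(1), m.group(2)

def safe_target(filename):
    # Treat the client name as relative to LOG_BASE: drop a leading "/",
    # so "/etc/passwd" lands at LOG_BASE/etc/passwd, and refuse anything
    # that normalises to a path outside LOG_BASE (".." components).
    rel = filename.lstrip("/")
    if not rel:
        return None
    target = posixpath.normpath(posixpath.join(LOG_BASE, rel))
    if not target.startswith(LOG_BASE + "/"):
        return None
    return target

def route(msg):
    # (destination path or None, message with the filename prefix removed)
    filename, body = split_prefix(msg)
    if filename is None:
        return None, body
    return safe_target(filename), body

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(route(line))
```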


