[syslog-ng] Transparent TCP forward: what am I doing wrong?
JP Vossen
jp at jpsdomain.org
Thu Jun 30 10:12:28 CEST 2011
I need to be able to accept TCP/514 and transparently forward it to
UDP/514 on the same box. I have a config that almost works, except I'm
getting an "extra" time stamp and hostname on the TCP messages.
I'm using Netcat to send:
echo "<182>loop_test[$$]: LOOP testing 514 UDP, one ping only..." | nc -u -w1 192.168.1.151 514
echo "<182>loop_test[$$]: LOOP testing 514 TCP, one ping only..." | nc 192.168.1.151 514
I'm getting:
<182>loop_test[11061]: LOOP testing 514 UDP, one ping only...
<182>Jun 30 01:48:36 192.168.1.10 loop_test[11061]: LOOP testing 514 TCP, one ping only...
I want:
<182>loop_test[11061]: LOOP testing 514 UDP, one ping only...
<182>loop_test[11061]: LOOP testing 514 TCP, one ping only...
If I send the messages into syslog-ng or rsyslog, I get the correct data
with no "extra" fields in the log file. But unfortunately, I need to
send messages into another proprietary syslog listener, and in that one
I'm getting the extra fields. I'd blame the whole mess on that, except
that when I do a packet dump I do see the 2 extra fields in there. So I
*think* that syslog-ng and rsyslog are smart enough to handle them and
my other thing isn't.
I'm already using keep_timestamp(no) and keep_hostname(no), but they have
no effect I've been able to detect. I've tried them commented out, set to
yes, and set to no, but no matter what I get the 2 extra fields.
I've also tried syslog-ng 3.0.8 and 3.2.4, same effect.
This is the relevant part of the syslog-ng config I'm using:
####### BEGIN: Forward TCP syslog
source s_tcpincoming {
    tcp(
        ip(0.0.0.0) port(514) max_connections(1000)
        keep_timestamp(no)
        keep_hostname(no)
    );
};

destination d_fe_tcp {
    udp(
        "127.0.0.2" port(514)
        spoof_source(yes)
    );
};

log {
    source(s_tcpincoming);
    # With no "filter" we get everything, which is what we want
    destination(d_fe_tcp);
};
####### END: Forward TCP syslog
As I said, my goal is to receive TCP/514 and **transparently** forward
logs with no changes, as if they came in via UDP, to the localhost via
UDP/514. In other words, I'm using syslog-ng as a shim to feed syslog
over TCP to a listener which only listens on UDP.
Why doesn't it work? What totally obvious thing am I missing? Am I
doing anything else dumb?
TIA,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| http://bashcookbook.com/
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
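As an added example, not code from the original post or from any reply to it: the udp() destination as posted, side by side with the same destination given an explicit output template, so that only the priority, the program[pid] header and the message text are sent. It assumes syslog-ng's standard template() destination option and the PRI, MSGHDR and MSG macros.

```conf
# Added example, not from the original post. Assumes the standard
# syslog-ng template() destination option and the PRI, MSGHDR, MSG macros.

# As posted: no template, so syslog-ng re-serializes the parsed message in
# its default BSD-syslog form, <PRI>DATE HOST MSGHDR MSG, which is where the
# "extra" date and host on the wire come from. keep_timestamp(no) and
# keep_hostname(no) on the source only decide WHICH date and host are used
# (reception time, sender address), not whether they are emitted at all.
destination d_fe_tcp_default {
    udp(
        "127.0.0.2" port(514)
        spoof_source(yes)
    );
};

# Same destination, told exactly which fields to emit: priority in angle
# brackets, then "program[pid]: " (MSGHDR), then the message text, newline.
# For the test message above this yields
#   <182>loop_test[11061]: LOOP testing 514 TCP, one ping only...
destination d_fe_tcp_raw {
    udp(
        "127.0.0.2" port(514)
        spoof_source(yes)
        template("<${PRI}>${MSGHDR}${MSG}\n")
    );
};

log {
    source(s_tcpincoming);
    destination(d_fe_tcp_raw);
};
```

Checking the result with the same packet dump as above is the quickest way to confirm that the date and host fields are gone before pointing the proprietary listener at it.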