[syslog-ng] Transparent TCP forward: what am I doing wrong?
Sandor Geller
Sandor.Geller at morganstanley.com
Thu Jun 30 10:47:47 CEST 2011
Hi,
On Thu, Jun 30, 2011 at 10:12 AM, JP Vossen <jp at jpsdomain.org> wrote:
> I need to be able to accept TCP/514 and transparently forward it to
> UDP/514 on the same box. I have a config that almost works, except I'm
> getting an "extra" time stamp and hostname on the TCP messages.
>
> I'm using Netcat to send:
> echo "<182>loop_test[$$]: LOOP testing 514 UDP, one ping only..." | nc
> -u -w1 192.168.1.151 514
> echo "<182>loop_test[$$]: LOOP testing 514 TCP, one ping only..." | nc
> 192.168.1.151 514
>
> I'm getting:
> <182>loop_test[11061]: LOOP testing 514 UDP, one ping only...
> <182>Jun 30 01:48:36 192.168.1.10 loop_test[11061]: LOOP testing 514
> TCP, one ping only...
This is expected behaviour.
> I want:
> <182>loop_test[11061]: LOOP testing 514 UDP, one ping only...
> <182>loop_test[11061]: LOOP testing 514 TCP, one ping only...
syslog-ng could be overkill for such a purpose; writing a few lines of
perl code could be easier...
> If I send the messages into syslog-ng or rsyslog, I get the correct data
> with no "extra" fields in the log file. But unfortunately, I need to
> send messages into another proprietary syslog listener, and in that one
> I'm getting the extra fields. I'd blame the whole mess on that, except
> that when I do a packet dump I do see the 2 extra fields in there. So I
> *think* that syslog-ng and rsyslog are smart enough to handle them and
> my other thing isn't.
syslog-ng adds the timestamp and hostname fields by default. Many
people think that syslog daemons should accept random junk, but the
syslog daemon shouldn't be treated like a plain transport mechanism.
There are RFCs describing the syslog formats and the daemons should
enforce the standards.
> As I said, my goal is to receive TCP/514 and **transparently** forward
> logs with no changes, as if they came in via UDP, to the localhost via
> UDP/514. In other words, I'm using syslog-ng as a shim to feed syslog
> over TCP to a listener which only listens on UDP.
>
> Why doesn't it work? What totally obvious thing am I missing? Am I
> doing anything else dumb?
Your incoming logs aren't properly formatted syslog messages, so
syslog-ng has to guess which fields are present and which are missing,
and adds the required fields. If you don't want this, then tell
syslog-ng not to parse the logs and just use a custom template,
something like this:
source s_tcpincoming {
    tcp(
        ip(0.0.0.0) port(514) max_connections(1000)
        keep_timestamp(no)
        keep_hostname(no)
        # no-parse: the whole received line lands in ${MESSAGE}; nothing is guessed or added
        flags(no-parse)
    );
};
destination d_fe_tcp {
    udp(
        "127.0.0.2" port(514)
        # spoof_source needs a syslog-ng build with libnet support
        spoof_source(yes)
        # send only the raw line, not the default "<PRI>timestamp host message" layout
        template("${MESSAGE}\n")
    );
};
log {
    source(s_tcpincoming);
    # With no "filter" we get everything, which is what we want
    destination(d_fe_tcp);
};
hth,
Sandor
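As an added illustration of the point made in the reply (this is example code written for this page, not code from the thread and not syslog-ng's parser), the following Python models what a syslog daemon does by default with a line that carries a PRI but no RFC 3164 timestamp or hostname, and contrasts it with the pass-through behaviour that flags(no-parse) plus a "${MESSAGE}\n" template amounts to. The sample line, the receive time and the peer address are constructed to match the values quoted in the thread; the header heuristic is a simplified model and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the TCP test message quoted in the
# thread: a PRI and a tag, but no timestamp and no hostname.
SAMPLE_TCP_LINE = "<182>loop_test[11061]: LOOP testing 514 TCP, one ping only..."
# Constructed receive time and peer address, chosen to match the thread's output.
RECEIVE_TIME = datetime(2011, 6, 30, 1, 48, 36)
PEER_ADDRESS = "192.168.1.10"

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " with a space-padded day.
HEADER_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"([ 0-3]\d) (\d\d:\d\d:\d\d) (\S+) "
)


def parse_rfc3164(line, now, peer):
    """Model of what a syslog daemon does by default with an incoming line.

    Split off the PRI, then look for the RFC 3164 timestamp and hostname.
    If that header is absent the daemon cannot know them, so it fills in the
    receive time and the sender's address. Simplified model (hypothetical
    code), not syslog-ng's actual parser.
    """
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        rest = line[m.end():]
    else:
        pri = 13  # RFC 3164 default (user.notice) when no valid PRI is present
        rest = line
    h = HEADER_RE.match(rest)
    if h:
        timestamp = f"{h.group(1)} {h.group(2)} {h.group(3)}"
        host = h.group(4)
        rest = rest[h.end():]
    else:
        # No timestamp means no hostname either: both get supplied by the daemon.
        timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
        host = peer
    return {"pri": pri, "timestamp": timestamp, "host": host, "message": rest}


def format_bsd(msg):
    """Default output layout: <PRI>timestamp host message."""
    return f"<{msg['pri']}>{msg['timestamp']} {msg['host']} {msg['message']}"


def forward_no_parse(line):
    """What flags(no-parse) plus template("${MESSAGE}\\n") amounts to:
    the whole received line is the message and is sent on unchanged."""
    return line + "\n"


def run_demo():
    """Return both results for the sample line so they can be compared."""
    parsed = parse_rfc3164(SAMPLE_TCP_LINE, RECEIVE_TIME, PEER_ADDRESS)
    return {
        "default": format_bsd(parsed),
        "no_parse": forward_no_parse(SAMPLE_TCP_LINE),
    }


if __name__ == "__main__":
    for mode, out in run_demo().items():
        print(f"{mode:>8}: {out!r}")
```

Running it shows the "default" output gaining exactly the two extra fields (receive time and peer address) that the original poster saw on the wire, while the "no_parse" output is the line as received. The no-parse path is also the safer shim: the daemon makes no guesses about untrusted input, and whatever the UDP listener receives is byte-for-byte what arrived over TCP, which keeps the forwarding hop out of any later debugging.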