[syslog-ng] remove header
Jason Kojro-Badziak
jbadziak at monolith-software.com
Wed May 23 18:05:02 CEST 2012
Try using something like this in your configuration file. It is working for me and I was having the same issue.
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
flush_lines(0);
time_reopen(10);
log_fifo_size(1000);
long_hostnames(off);
use_dns(no);
use_fqdn(no);
create_dirs(no);
keep_hostname(yes);
chain_hostnames(no);
};
source s_syslog_in {
# udp(ip(IP ADDRESS TO LISTEN ON. 0.0.0.0 = LISTEN ON ALL IPS) port(PORT TO LISTEN ON));
udp(ip(0.0.0.0) port(514) flags(no-parse));
};
template t_log_template {
template("Message Received: BSDTAG => $BSDTAG, DATE => $DATE, DAY => $DAY, FACILITY => $FACILITY, FACILITY_NUM => $FACILITY_NUM, FULLDATE => $FULLDATE, FULLHOST => $FULLHOST, FULLHOST_FROM => $FULLHOST_FROM, HOUR => $HOUR, HOST => $HOST, HOST_FROM => $HOST_FROM, ISODATE => $ISODATE, LEVEL_NUM => $LEVEL_NUM, MIN => $MIN, MONTH => $MONTH, MONTH_ABBREV => $MONTH_ABBREV, MONTH_NAME => $MONTH_NAME, MONTH_WEEK => $MONTH_WEEK, MSG => $MSG, MSGHDR => $MSGHDR, MSGID => $MSGID, MSGONLY => $MSGONLY, PID => $PID, PRI => $PRI, PRIORITY => $PRIORITY, PROGRAM => $PROGRAM, SDATA => $SDATA, SEC => $SEC, SEQNUM => $SEQNUM, SOURCEIP => $SOURCEIP, STAMP => $STAMP, TAG => $TAG, TAGS => $TAGS, TZ => $TZ, TZOFFSET => $TZOFFSET, UNIXTIME => $UNIXTIME, YEAR => $YEAR, WEEK => $WEEK, WEEK_ABBREV => $WEEK_ABBREV, WEEK_DAY => $WEEK_DAY, WEEKDAY => $WEEKDAY, WEEK_DAY_NAME => $WEEK_DAY_NAME\n\n");
template_escape(no);
};
destination d_syslog_file {
# copy syslog message to file
file("/opt/logs/syslog-ng-$YEAR-$MONTH-$DAY.log" template(t_log_template));
};
log { source(s_syslog_in); destination(d_syslog_file); };
After this runs a few times, look in the log file and see which of the variables (the things in all caps before the "=>" symbols) have the data you need. It will more than likely be in the "$MSG" field, which you can then use in a template to forward the data. As an example, here is what my configuration file looks like:
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
flush_lines(0);
time_reopen(10);
log_fifo_size(1000);
long_hostnames(off);
use_dns(no);
use_fqdn(no);
create_dirs(no);
keep_hostname(yes);
chain_hostnames(no);
};
source s_syslog_in {
# udp(ip(IP ADDRESS TO LISTEN ON. 0.0.0.0 = LISTEN ON ALL IPS) port(PORT TO LISTEN ON));
udp(ip(0.0.0.0) port(514) flags(no-parse));
};
template t_send_syslog_template {
template("$MSG"); template_escape(no);
};
destination d_syslog_out {
# udp("IP ADDRESS/DOMAIN NAME TO SEND TO" port(PORT TO SEND TO) template(TEMPLATE TO USE) spoof-source(YES/NO));
udp("IP ADDRESS/DOMAIN NAME TO SEND TO " port(514) template(t_send_syslog_template) spoof-source(yes));
};
log { source(s_syslog_in); destination(d_syslog_out); };
Thank you!
Jason Kojro-Badziak
Monolith Software
Staff Engineer
311 North 2nd Street, Suite #302
St. Charles, IL 60174
Office: 312-957-6470 x3010
Email: jbadziak at monolith-software.com
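As an added illustration, not part of this thread and not syslog-ng's own code, the Python below shows what the sample above looks like to a receiver: the relay's own RFC 3164 header (PRI, BSD timestamp, relay hostname) is separated from the original Juniper RT_FLOW event, and the event's structured-data parameters are extracted. The regexes, the SAMPLE string (built from the quoted message, with the archive's "junos at" restored to "junos@") and the function names are my assumptions.

```python
import re

# Constructed sample modelled on the message quoted in the thread: the relay's
# RFC 3164 header wrapping the original RFC 5424-style Juniper SRX event.
SAMPLE = ('<14>May 22 08:31:03 syslog-ng.example.com 2012-05-22T08:28:48.548 '
          'Juniper-SRX RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.34 '
          'source-address="192.168.1.34" source-port="40944" '
          'destination-address="4.2.2.2" destination-port="1984" '
          'service-name="None" protocol-id="6" policy-name="175008" '
          'source-zone-name="legacy" destination-zone-name="t-a" '
          'session-id-32="220372159" packet-incoming-interface="reth4.0"]')

# Relay header: <PRI>, BSD timestamp, hostname, one space.
RELAY_HDR = re.compile(r'^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ')
# Original Juniper body: ISO timestamp, host, program, pid, msgid, [SD-ID params].
JUNIPER = re.compile(r'^(\S+T\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+) (.*)\]\s*$')
SD_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')

def strip_relay_header(line):
    """Return (pri, relay_host, original_message); (None, None, line) if no
    relay header is present. This is the text that flags(no-parse) plus
    template("$MSG") would have forwarded untouched."""
    m = RELAY_HDR.match(line)
    if not m:
        return None, None, line
    return int(m.group(1)), m.group(2), line[m.end():]

def parse_juniper(msg):
    """Parse the stripped RT_FLOW event into header fields plus SD params."""
    m = JUNIPER.match(msg)
    if not m:
        raise ValueError("not a Juniper RT_FLOW-style message: %r" % msg[:60])
    ts, host, program, pid, msgid, sd_id, params = m.groups()
    fields = {"timestamp": ts, "host": host, "program": program,
              "pid": pid, "msgid": msgid, "sd_id": sd_id}
    fields.update(dict(SD_PARAM.findall(params)))
    return fields

def ingest(line):
    """Recover the event, keeping the relay only as provenance: the source
    host and timestamp must come from the inner message, not the relay."""
    pri, relay, msg = strip_relay_header(line)
    event = parse_juniper(msg)
    event["relay_host"] = relay
    event["facility"] = pri // 8 if pri is not None else None
    event["severity"] = pri % 8 if pri is not None else None
    return event
```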
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of C. L. Martinez
Sent: Wednesday, May 23, 2012 12:53 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] remove header
On Tue, May 22, 2012 at 11:25 PM, Richard F. Hart II <richard.hartii at gmail.com> wrote:
> I have a juniper srx that is sending its syslogs to a syslog-ng
> server. Then I am having the syslog-ng server forward those juniper
> syslog messages to NitroSecurity ESM. However, I am having some difficulty.
> The syslog-ng server is appending a header to the beginning of the
> juniper syslog message when it sends it to the NitroSecurity ESM. How
> can I tell syslog-ng not to append its header to the beginning of the message?
>
> Here is a sample:
>
> <14>May 22 08:31:03 syslog-ng.example.com 2012-05-22T08:28:48.548
> Juniper-SRX RT_FLOW - RT_FLOW_SESSION_CREATE [junos at 2636.1.1.1.2.34
> source-address="192.168.1.34" source-port="40944"
> destination-address="4.2.2.2" destination-port="1984" service-name="None"
> nat-source-address="192.168.1.34" nat-source-port="40944"
> nat-destination-address="4.2.2.2" nat-destination-port="1984"
> src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6"
> policy-name="175008" source-zone-name="legacy" destination-zone-name="t-a"
> session-id-32="220372159" username="N/A" roles="N/A"
> packet-incoming-interface="reth4.0"]
>
>
> How do I stop syslog-ng from appending the underlined section?
>
> Thank you,
> Richard
What header?? I have a juniper SRX that forwards all logs to an rsyslog instance and log is exactly to this ...