[syslog-ng] remove header

Jason Kojro-Badziak jbadziak at monolith-software.com
Wed May 23 18:05:02 CEST 2012


Try using something like this in your configuration file.  It is working for me and I was having the same issue.



	@version:3.2

	# syslog-ng configuration file.
	#
	# This should behave pretty much like the original syslog on RedHat. But
	# it could be configured a lot smarter.
	#
	# See syslog-ng(8) and syslog-ng.conf(5) for more information.
	#

	options {
		flush_lines(0);
		time_reopen(10);
		log_fifo_size(1000);
		long_hostnames(off);
		use_dns(no);
		use_fqdn(no);
		create_dirs(no);
		keep_hostname(yes);
		chain_hostnames(no);
	};

	source s_syslog_in {
	#	udp(ip(IP ADDRESS TO LISTEN ON.  0.0.0.0 = LISTEN ON ALL IPS) port(PORT TO LISTEN ON));
		udp(ip(0.0.0.0) port(514) flags(no-parse));
	};

	template t_log_template {
		template("Message Received: BSDTAG => $BSDTAG, DATE => $DATE, DAY => $DAY, FACILITY => $FACILITY, FACILITY_NUM => $FACILITY_NUM, FULLDATE => $FULLDATE, FULLHOST => $FULLHOST, FULLHOST_FROM => $FULLHOST_FROM, HOUR => $HOUR, HOST => $HOST, HOST_FROM => $HOST_FROM, ISODATE => $ISODATE, LEVEL_NUM => $LEVEL_NUM, MIN => $MIN, MONTH => $MONTH, MONTH_ABBREV => $MONTH_ABBREV, MONTH_NAME => $MONTH_NAME, MONTH_WEEK => $MONTH_WEEK, MSG => $MSG, MSGHDR => $MSGHDR, MSGID => $MSGID, MSGONLY => $MSGONLY, PID => $PID, PRI => $PRI, PRIORITY => $PRIORITY, PROGRAM => $PROGRAM, SDATA => $SDATA, SEC => $SEC, SEQNUM => $SEQNUM, SOURCEIP => $SOURCEIP, STAMP => $STAMP, TAG => $TAG, TAGS => $TAGS, TZ => $TZ, TZOFFSET => $TZOFFSET, UNIXTIME => $UNIXTIME, YEAR => $YEAR, WEEK => $WEEK, WEEK_ABBREV => $WEEK_ABBREV, WEEK_DAY => $WEEK_DAY, WEEKDAY => $WEEKDAY, WEEK_DAY_NAME => $WEEK_DAY_NAME\n\n"); 
		template_escape(no); 
	};

	destination d_syslog_file { 
	# copy syslog message to file
		file("/opt/logs/syslog-ng-$YEAR-$MONTH-$DAY.log" template(t_log_template));
	};

	log { source(s_syslog_in); destination(d_syslog_file); };



After this runs a few times, look in the log file and see which of the variables (the things in all caps before the "=>" symbols) have the data you need.  It will more than likely be in the "$MSG" field, which you can then use in a template to forward the data.  As an example, here is what my configuration file looks like:


	@version:3.2

	# syslog-ng configuration file.
	#
	# This should behave pretty much like the original syslog on RedHat. But
	# it could be configured a lot smarter.
	#
	# See syslog-ng(8) and syslog-ng.conf(5) for more information.
	#

	options {
		flush_lines(0);
		time_reopen(10);
		log_fifo_size(1000);
		long_hostnames(off);
		use_dns(no);
		use_fqdn(no);
		create_dirs(no);
		keep_hostname(yes);
		chain_hostnames(no);
	};

	source s_syslog_in {
	#	udp(ip(IP ADDRESS TO LISTEN ON.  0.0.0.0 = LISTEN ON ALL IPS) port(PORT TO LISTEN ON));
		udp(ip(0.0.0.0) port(514) flags(no-parse));
	};

	template t_send_syslog_template {
		template("$MSG"); template_escape(no); 
	};

	destination d_syslog_out { 
		# udp("IP ADDRESS/DOMAIN NAME TO SEND TO" port(PORT TO SEND TO) template(TEMPLATE TO USE) spoof-source(YES/NO));
		udp("IP ADDRESS/DOMAIN NAME TO SEND TO " port(514) template(t_send_syslog_template) spoof-source(yes));
	};

	log { source(s_syslog_in); destination(d_syslog_out); };

Thank you!

Jason Kojro-Badziak
Monolith Software
Staff Engineer
311 North 2nd Street, Suite #302
St. Charles, IL 60174
Office:  312-957-6470 x3010
Email:  jbadziak at monolith-software.com
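
To make concrete what flags(no-parse) together with a "$MSG"-only template changes, here is an added Python model (not syslog-ng code and not from this thread) that runs a line shaped like Richard's sample through the default header template and through the pass-through template. The RELAY_DATE/RELAY_HOST values and the shortened INBOUND datagram are constructed from the thread's sample; the PRI default and the header parsing are deliberately simplified and are assumptions of the model, not syslog-ng internals.

```python
import re

# Relay-side values: the syslog-ng box's own clock and hostname, taken from the
# relayed line quoted in the thread (not the firewall's timestamp or name).
RELAY_DATE = "May 22 08:31:03"
RELAY_HOST = "syslog-ng.example.com"

# Constructed inbound datagram, shaped like the firewall line in the thread but
# shortened to two of its key="value" pairs.
INBOUND = ('<14>2012-05-22T08:28:48.548 Juniper-SRX RT_FLOW - RT_FLOW_SESSION_CREATE '
           '[junos@2636.1.1.1.2.34 source-address="192.168.1.34" destination-port="1984"]')

DEFAULT_TEMPLATE = "<$PRI>$DATE $HOST $MSGHDR$MSG\n"  # what a bare udp() destination builds
PASSTHROUGH_TEMPLATE = "$MSG\n"                       # Jason's t_send_syslog_template

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
BSD_HDR_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def receive(datagram, no_parse):
    """Simplified model of the macros a relay holds once a datagram arrives.
    flags(no-parse): nothing is split, the whole datagram (PRI included) is $MSG
    and the relay fills the header macros itself (PRI 13 is a placeholder for
    the source's default priority). Otherwise <PRI> is consumed and a BSD
    'Mmm dd hh:mm:ss host' header is split off when one is present. MSGHDR
    (program[pid]: ) is not modelled and stays inside $MSG."""
    if no_parse:
        return {"PRI": "13", "DATE": RELAY_DATE, "HOST": RELAY_HOST, "MSGHDR": "", "MSG": datagram}
    m = PRI_RE.match(datagram)
    pri, body = (m.group(1), m.group(2)) if m else ("13", datagram)
    h = BSD_HDR_RE.match(body)
    if h:  # sender supplied a BSD header: keep its timestamp and host
        return {"PRI": pri, "DATE": h.group(1), "HOST": h.group(2), "MSGHDR": "", "MSG": h.group(3)}
    # No header the model understands: the relay stamps the message with its own
    # date and host, which is how the extra "<14>May 22 ... syslog-ng.example.com" appears.
    return {"PRI": pri, "DATE": RELAY_DATE, "HOST": RELAY_HOST, "MSGHDR": "", "MSG": body}

def render(template, macros):
    """Expand $NAME macros; names the relay does not know expand to ''."""
    return re.sub(r"\$([A-Z_]+)", lambda m: macros.get(m.group(1), ""), template)

def relay(datagram, no_parse, template):
    return render(template, receive(datagram, no_parse))

def demo():
    # First: the doubled header Richard saw. Second: the datagram exactly as sent.
    doubled = relay(INBOUND, no_parse=False, template=DEFAULT_TEMPLATE)
    passthrough = relay(INBOUND, no_parse=True, template=PASSTHROUGH_TEMPLATE)
    return doubled, passthrough
```

Run demo() and compare the two strings: only the second one reaches the downstream collector byte-for-byte as the firewall emitted it.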

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of C. L. Martinez
Sent: Wednesday, May 23, 2012 12:53 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] remove header

On Tue, May 22, 2012 at 11:25 PM, Richard F. Hart II <richard.hartii at gmail.com> wrote:
> I have a juniper srx that is sending its syslogs to a syslog-ng 
> server. Then I am having the syslog-ng server forward those juniper 
> syslog messages to NitroSecurity ESM. However, I am having some difficulty.
> The syslog-ng server is appending a header to the beginning of the 
> juniper syslog message when it sends it to the NitroSecurity ESM. How 
> can I tell syslog-ng not to append its header to the beginning of the message?
>
> Here is a sample:
>
> <14>May 22 08:31:03 syslog-ng.example.com  2012-05-22T08:28:48.548 
> Juniper-SRX RT_FLOW - RT_FLOW_SESSION_CREATE [junos at 2636.1.1.1.2.34 
> source-address="192.168.1.34" source-port="40944"
> destination-address="4.2.2.2" destination-port="1984" service-name="None"
> nat-source-address="192.168.1.34" nat-source-port="40944"
> nat-destination-address="4.2.2.2" nat-destination-port="1984"
> src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6"
> policy-name="175008" source-zone-name="legacy" destination-zone-name="t-a"
> session-id-32="220372159" username="N/A" roles="N/A"
> packet-incoming-interface="reth4.0"]
>
>
> How do I stop syslog-ng from appending the underlined section?
>
> Thank you,
> Richard

What header?? I have a juniper SRX that forwards all logs to an rsyslog instance and the log is exactly like this ...