[syslog-ng] Syslog proxy/relay encapsulates

Balazs Scheidler bazsi77 at gmail.com
Sun Sep 7 10:01:10 CEST 2014


Hi,

Sure. As it seems you are using no-parse on the server side which puts the
entire syslog record with headers and stuff into $MSG.

If you transfer messages with the syslog() driver, you need a matching
syslog() source on the other side. Then if you only want the MSG in your
log file, just use a template("$MSG") on the server side.

You can configure various things at reception in syslog-ng, and you need to
decide what options to use at each of the hops the message is traveling:

1. Application to syslog-ng on the client: in your sample it was the normal
syslog API

2. Syslog-ng to syslog-ng: your sample was rfc5424, receiving via a
no-parse network destination.

3. When syslog-ng writes the file to disk.

With syslog-ng you can customize how to send stuff but also how to parse it.

The easiest use case to let literal messages be transferred to the server side:

* app writing messages to a file/named pipe
* syslog-ng reading this via flags(no-parse)
* transferring messages using any of the transport options (syslog,
network) to a dedicated port (e.g. one which is not merged with normal
syslog)
* on the server side, write these to a file with template("$MSG\n")

There are other ways for sure (for instance instead of a dedicated port you
could use filtering on the server if you can identify these messages
easily).

Hope this helps.
Bazsi

On Sep 6, 2014 11:06 PM, "Michael Yacc" <yuolvka at gmail.com> wrote:
>
> Dear all,
> I'm trying to configure syslog-ng as relay/proxy server. Seems to be
> simple, but syslog server receives encapsulated original syslog messages
> within outgoing "syslog-relay" messages.
> Is there any way to configure syslog-ng (relay) to just forward original
> messages to syslog server?
>
> Syslog-ng version used: 3.3.9
>
> syslog-client$ logger "hello from syslog client"
>
> on syslog-relay I added the following configuration:
>>
>> ######## sources ###############
>> source s_relay_port {
>>         udp(ip(0.0.0.0) port(514));
>> };
>>
>> ######## destinations ###############
>> destination d_syslog_server {
>>         syslog("syslog-server" transport("udp") port(514));
>> };
>>
>> ######## logging ###############
>> log {
>>         source(s_relay_port);
>>         destination(d_syslog_server);
>> };
>
>
> syslog-server$ tail -F /var/log/syslog
>>>
>>> Sep  6 23:53:28 syslog-relay-ip 1 2014-09-06T23:53:28+03:00 syslog-client-ip 1 - - - 2014-09-06T23:53:28+03:00 syslog-client-hostname root - - [meta sequenceId="38"] hello from syslog client
>>
>>
> With best regards,
> Michael Yacc
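The literal-transfer setup listed in the reply above, written out as syslog-ng configuration for both hosts. This is an added example, not part of the original thread; the object names, file paths and port 5514 are assumptions chosen for illustration.

```conf
# ---- Sending host (client or relay): goes into its syslog-ng.conf ----
# The application writes its lines to a file (path is an assumption).
# flags(no-parse) skips header parsing, so each whole line becomes $MSG.
source s_app_literal {
        file("/var/log/app/literal.log" flags(no-parse));
};

# Dedicated port (5514 is an assumed value), kept apart from the port
# that carries normal syslog traffic.
destination d_literal_server {
        syslog("syslog-server" transport("tcp") port(5514));
};

log {
        source(s_app_literal);
        destination(d_literal_server);
};

# ---- Receiving host (syslog-server): goes into its syslog-ng.conf ----
# A syslog() source matches the syslog() destination on the sender, so
# the RFC 5424 header is parsed off and only the original line is left
# in $MSG.
source s_literal_in {
        syslog(ip(0.0.0.0) port(5514) transport("tcp"));
};

# Write only the message part, one record per line.
destination d_literal_file {
        file("/var/log/literal-from-relay.log" template("$MSG\n"));
};

log {
        source(s_literal_in);
        destination(d_literal_file);
};
```

Sending a test line through and checking that the server file contains it unchanged, with no second timestamp or hostname prefix, confirms that the drivers on both ends match.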