[syslog-ng] Remote server not keeping message intact

Scheidler, Balázs balazs.scheidler at balabit.com
Thu Nov 12 16:47:37 CET 2015


You have two options:

1) use a dedicated port on the server for non-syslog traffic, and also use
flags(no-parse) there

2) stick to using a standard transport, but then you should ensure that
clients send a complete syslog message there.

Although syslog-ng (on the client) does prepend a minimal header to your
apache log even without a template, it doesn't prepend a program name
explicitly, thus your on-wire apache log will look like this:

<pri>$DATE $HOST 172.27.15.149 - - [12/Nov/2015:08:30:59 +0000] "GET /
HTTP/1.1" 200...

This is standard syslog already and if you don't have a template on the
server, this would be reproduced completely. Anyway, the format above is
processed by syslog-ng on the server side as an rfc3164 message, so it
will parse the IP address (172.27.15.149) as the program name (bloody
heuristics), but then you omitted that with your explicit template(), as
you only have ${MESSAGE} there.

So you have three options:

2.a) use template ("$MSGHDR$MSG\n") without the $DATE/$HOST macros on the
server, this would restore the IP address as part of $MSGHDR
2.b) prepend an application name on the client with an explicit template
2.c) use rfc5424 transport with the syslog() driver, that should keep the
$MSG intact as it has less heuristics on the server side to parse all
formats.

I would use 2.b or 2.c myself, or 1) if you have loads of non-syslog
traffic.


-- 
Bazsi
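The configuration below is an added illustration of the options Bazsi lists, not something posted in this thread. It assumes an Apache access log at /var/log/apache2/access.log on the client and a collector at 203.0.113.10 (a documentation-range placeholder); the port numbers 5140 and 601 and the file paths under /var/log/remote/ are also assumptions chosen for the example.

```conf
# ---------- client side ----------
# flags(no-parse) keeps the whole Apache line in ${MESSAGE}; program_override()
# gives the message an explicit program name so the receiver does not have to
# guess one from the first token (the "bloody heuristics" that turn the client
# IP into ${PROGRAM}).
source s_apache {
    file("/var/log/apache2/access.log"
         flags(no-parse)
         program_override("apache"));
};

# Option 1: ship the raw line to a dedicated non-syslog port on the server.
destination d_raw {
    network("203.0.113.10" port(5140) transport("tcp")
            template("${MESSAGE}\n"));
};

# Option 2.b: stay on the classic RFC3164 transport, but build a complete
# header ourselves, including a program name, so the server parses the
# log line as the body and ${MESSAGE} survives intact.
destination d_rfc3164 {
    network("203.0.113.10" port(514) transport("tcp")
            template("<$PRI>$DATE $HOST ${PROGRAM}: ${MESSAGE}\n"));
};

# Option 2.c: use the RFC5424 syslog() driver; the message body is framed
# explicitly, so the server needs no heuristics to find it.
destination d_rfc5424 {
    syslog("203.0.113.10" port(601) transport("tcp"));
};

# Pick exactly one of the three destinations per log path.
log { source(s_apache); destination(d_rfc5424); };

# ---------- server side ----------
# Option 1 receiver: nothing on this port is treated as syslog, so no header
# is parsed or stripped.
source s_raw {
    network(port(5140) transport("tcp") flags(no-parse));
};
destination d_raw_file {
    file("/var/log/remote/apache_raw.log" template("${MESSAGE}\n"));
};
log { source(s_raw); destination(d_raw_file); };

# Option 2.b/2.c receiver: the header is real, so a ${MESSAGE}-only template
# on the destination yields the untouched Apache line.
source s_net     { network(port(514) transport("tcp")); };
source s_rfc5424 { syslog(port(601) transport("tcp")); };
destination d_apache_file {
    file("/var/log/remote/${HOST}/apache.log" template("${MESSAGE}\n"));
};
log { source(s_net); source(s_rfc5424); destination(d_apache_file); };
```

Keep the dedicated-port receiver (option 1) off the standard syslog port: once flags(no-parse) is set on a source, anything a client sends there lands verbatim in ${MESSAGE}, so a single listener cannot serve both real syslog senders and raw application logs correctly.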

On Thu, Nov 12, 2015 at 11:26 AM, Sandor Geller <sandor.geller at ericsson.com>
wrote:

> On 11/12/2015 11:14 AM, Gareth Allen wrote:
>
> > The problem is I'd like to strip out the received timestamp and
> > hostname from the beginning of the log and only have the raw Apache
> > message.
>
> With the no-parse flag you already disabled syslog-ng's parser so you
> got the raw apache log on the sending side. However to ensure that the
> receiver gets the message intact a protocol-compliant on-wire format
> must get used. You seem to use the old RFC3164 format so try
>
> template("<30> $R_ISODATE $HOST $MSG\n")
>
> of course you can change the priority, timestamp and hostname fields to
> whatever suits you best.
>
> hth,
>
> Sandor
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>