[syslog-ng] Remote server not keeping message intact

Evan Rempel erempel at uvic.ca
Thu Nov 12 16:49:49 CET 2015


I am not 100% sure of this, but I think that the no-parse flag places
the line into the message portion and spoofs all of the prefix elements
such as priority, facility, host, and date, but still processes the
PROGRAM and the MSG.

If you try using a template of

template apache {
     template("$PROGRAM $MESSAGE\n");
     template-escape(no);
};

I think you might have better success.

Evan.

On 11/12/2015 12:34 AM, Gareth Allen wrote:
> Hi all
>
> I'm sending Apache logs to a remote syslog-ng server, but the remote
> server isn't keeping the message intact.
>
> Source:
> My Apache log format:
> LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
>
> What the log looks like:
> 172.27.15.149 - - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" 200
> 3594 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
>
> My syslog-ng configuration:
> source s_apache {
>   file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse));
>   };
>
> destination d_apache_tcp {
>   tcp("x.x.x.x" port(514));
> };
>
> log { source(s_apache); destination(d_apache_tcp); };
>
> Log server:
> source s_net {
>          udp(port(514));
>          tcp(port(514));
> };
>
> template apache {
>      template("${MESSAGE}\n");
>      template-escape(no);
> };
>
> destination apache {
>      file("/var/log/apachetest" template(apache));
> };
>
> What I see in /var/log/apachetest:
> - - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" 200 3594 "-"
> "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/46.0.2490.71 Safari/537.36"
>
> As you can see the IP at the beginning of the log entry is being
> removed.  I've tried using $MSG and $MSGONLY.
>
> Any ideas would be greatly appreciated.
> Gareth
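
The behaviour discussed in this thread, as an added example that is not part of either post and is not syslog-ng's own code: a simplified Python model of a BSD-syslog header split, showing why `${MESSAGE}` loses the client IP and `$PROGRAM $MESSAGE` restores it. The wire prefix, the hostname `web01`, the shortened user agent, the IPv6 sample and the helper names are constructed assumptions; the IPv6 case goes beyond the thread to show where the rebuild stops being exact in this model.

```python
import re

# Constructed sample data. PREFIX stands for the header a sender adds when
# flags(no-parse) leaves PROGRAM empty and the whole Apache line is the message.
PREFIX = "<13>Nov 12 08:30:59 web01 "
APACHE_LINE = ('172.27.15.149 - - [12/Nov/2015:08:30:59 +0000] '
               '"GET / HTTP/1.1" 200 3594 "-" "Mozilla/5.0"')
IPV6_LINE = APACHE_LINE.replace("172.27.15.149", "2001:db8::1")
WIRE = PREFIX + APACHE_LINE

HEADER = re.compile(r"<(?P<pri>\d{1,3})>"
                    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<rest>.*)", re.S)
# Program tag: text up to the first space, ':' or '[', with an optional [pid].
TAG = re.compile(r"(?P<prog>[^ :\[]*)(?:\[(?P<pid>[^\]]*)\])?:? ?")

def parse_bsd(line):
    """Simplified model of how a receiver splits a BSD-syslog style line."""
    m = HEADER.match(line)
    if m is None:  # no recognisable header: keep the whole line as the message
        return {"PROGRAM": "", "PID": "", "MESSAGE": line}
    rest = m.group("rest")
    tag = TAG.match(rest)  # always matches, possibly with an empty program
    return {"HOST": m.group("host"),
            "PROGRAM": tag.group("prog"),
            "PID": tag.group("pid") or "",
            "MESSAGE": rest[tag.end():]}

def render(fields, template):
    """Expand $NAME and ${NAME} macros from the parsed fields."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: fields.get(m.group(1), ""), template)

def round_trips(line):
    """True if "$PROGRAM $MESSAGE" rebuilds the original line byte for byte."""
    return render(parse_bsd(PREFIX + line), "$PROGRAM $MESSAGE") == line

if __name__ == "__main__":
    fields = parse_bsd(WIRE)
    print("PROGRAM          :", fields["PROGRAM"])
    print("${MESSAGE}       :", render(fields, "${MESSAGE}"))
    print("$PROGRAM $MESSAGE:", render(fields, "$PROGRAM $MESSAGE"))
    print("IPv4 round trip  :", round_trips(APACHE_LINE))
    print("IPv6 round trip  :", round_trips(IPV6_LINE))
```

When the stored line has to match the web server's line exactly, compare a sample of received lines against the source file before relying on the rebuilt template.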


