[syslog-ng] Relay Server Config Help

wiskbroom at hotmail.com wiskbroom at hotmail.com
Thu Apr 27 19:27:27 UTC 2017

Thank you, that worked!

Vadim Anatoly Pushkin
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Scheidler, Bal√°zs <balazs.scheidler at balabit.com>
Sent: Thursday, April 27, 2017 12:25:59 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Relay Server Config Help

Your dmz syslog relay is using the "new" rfc5424 format whereas your internal one tries to parse it as rfc3164.

You should probably use the tcp() driver and not syslog().

On Apr 26, 2017 23:44, "wiskbroom at hotmail.com<mailto:wiskbroom at hotmail.com>" <wiskbroom at hotmail.com<mailto:wiskbroom at hotmail.com>> wrote:


I am running syslog-NG on a server inside of a DMZ, and on that server I'd like to just forward all messages into my internal syslog-NG server. I feel this is better than having to create a new firewall rule for each new DMZ node.

I have a simple syslog-NG config that looks like this:

---------START syslog-ng.conf-----------

@include "scl.conf"
@include "/etc/syslog-ng/conf.d/*.conf"

 options {
    chain_hostnames (off);
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
source s_relay {
         udp(ip( port(514) so_rcvbuf(425984));
         tcp(ip( port(514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
         syslog(ip( transport("tcp") port(1514) max-connections(500) log_iw_size(25000) flags("threaded") log_fetch_limit(100));

destination d_syslog_tcp { syslog("" transport("tcp") port(514)); };

log { source(s_relay); destination(d_syslog_tcp); };

----------END syslog-NG.conf-------------

The problem that I am experiencing is that my messages, once received by my internal syslog-NG server, look like the following:

Apr 26 17:31:06 relay-sng-server 126 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384  INFO: @2 SessionExchange::ProcessTCPRead
Apr 26 17:31:06 relay-sng-server 124 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 DEBUG: OpenSSLHandler::PerformHandshake

I am hoping not to muck around too much with my config for my internal syslog-NG servers, and want for the messages above to appear as coming from relay-client-host-X and NOT relay-sng-server.

It could potentially be nice to know that the message was first received by relay-sng-server, but...

I was considering opening another TCP port on my internal syslog servers, and using that to send from DMZ, then a rewrite, but that all seems far more complicated than necessary.  Am I missing something on my syslog-NG conf?

Any suggestions greatly appreciated!

Thanks all in advance,


Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170427/4f6f2e31/attachment.html>

More information about the syslog-ng mailing list