[syslog-ng] Syslog-ng Questions

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Feb 22 18:51:13 UTC 2017


The syslog-parser() should set the program field based on the input, and
your configuration seems correct at first glance.

Can you perhaps set debug mode (-d from the command line) and copy-paste the
output generated by a debug message?

Also, please supply your syslog-ng version.

Thanks

On Feb 22, 2017 17:24, <hurling69 at yahoo.com> wrote:

> Thanks for the information. I have another issue that has come up relating
> to the PROGRAM macro.
>
> When I configure it like this, the PROGRAM macro works properly and gets
> the proper tag from the client:
> ------------------------------
> source s_syslog-ports {
>         # Configure the network() driver for receiving RFC3164 logs
>         network(transport("udp") ip(10.25.10.52) port(514));
>         network(transport("tcp") ip(10.25.10.52) port(514)
> max-connections(100));
>         network(transport("tcp") ip(10.25.10.52) port(1514)
> max-connections(100));
> };
>
> filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt",
> value("SOURCEIP")); };
> destination d_Linux-centos {file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log"
> template(t_message-only));};
> log {source(s_syslog-ports); filter(f_Linux-centos);
> destination(d_Linux-centos);};
>
>
> Then, when I change the configuration to this, the PROGRAM macro no
> longer gets the same proper tag value from the client:
> ------------------------------
> source s_syslog-ports {
>         # Configure the network() driver for receiving RFC3164 logs
>         network(transport("udp") ip(10.25.10.52) port(514));
>         network(transport("tcp") ip(10.25.10.52) port(514)
> max-connections(100));
>         network(transport("tcp") ip(10.25.10.52) port(1514)
> max-connections(100) flags(no-parse));
> };
>
> filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt",
> value("SOURCEIP")); };
> destination d_Linux-centos {file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log"
> template(t_message-only));};
> log {source(s_syslog-ports); junction { channel {
> filter(f_Linux-centos); parser { syslog-parser(); }; flags(final); }; };
> destination(d_Linux-centos);};
>
> Is there a way to configure the no-parse and junction option while still
> getting the correct PROGRAM macro data?
>
> Thanks.
>
>
> On Wednesday, February 22, 2017 8:04 AM, "Fekete, Róbert" <robert.fekete at balabit.com> wrote:
>
>
> Hi,
>
> To achieve something like that, you have to use junctions.
> You'll have one source with flags(no-parse), then embed a filter+parser
> junction to process regular syslog messages, and another junction to
> process the ones you cannot parse.
>
> For details, see the 8.3 example at
> https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/junctions.html
> and
> https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html
>
> HTH,
>
> Robert
>
> On Wed, Feb 22, 2017 at 2:45 PM, 'Miah Lang' via SYSLOG-NG <syslog-ng at balabit.com> wrote:
>
>
> Is it possible to configure multiple sources, one with flags(no-parse) and
> one without?
>
> e.g.
>
> source s_syslog-ports {
>         udp(port(514));
>         tcp(port(1514) max-connections(100));
>         tcp(port(514) max-connections(100));
> };
>
> source s_syslog_np-ports {
>         udp(port(514) flags(no-parse));
>         tcp(port(1514) max-connections(100) flags(no-parse));
>         tcp(port(514) max-connections(100) flags(no-parse));
> };
>
> filter f_Cisco-router { in-list("/etc/syslog-ng/filter/Cisco-router.txt",
> value("SOURCEIP")); };
> destination d_Cisco-router {file("/var/log/IT/network/router/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log"
> template(t_message-only));};
> log {source(s_syslog-ports); filter(f_Cisco-router);
> destination(d_Cisco-router);};
>
> filter f_Cisco-switch { in-list("/etc/syslog-ng/filter/Cisco-switch.txt",
> value("SOURCEIP")); };
> destination d_Cisco-switch {file("/var/log/IT/network/switch/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log"
> template(t_message-only));};
> log {source(s_syslog_np-ports); filter(f_Cisco-switch);
> destination(d_Cisco-switch);};
>
> Whenever I do this, I get an error message when restarting the service.
> “Job for syslog-ng.service failed because the control process exited with
> error code. See "systemctl status syslog-ng.service" and "journalctl -xe"
> for details.”
> “Cannot add dependency job for unit microcode.service, ignoring: Unit is
> not loaded properly: Invalid argument.”
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
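Below is an added example configuration, not taken from this thread or from the syslog-ng project, that lays out the structure Robert describes: one raw (no-parse) source, a junction whose first channel filters, re-parses with syslog-parser() and writes with ${PROGRAM} in the file name, and a second channel that catches what the first does not claim. t_message-only and d_unparsed are assumed names; the IP, port and path values are the ones used in the thread.

```conf
# Added example: every listener is raw, so ${MESSAGE} holds the whole line
# (including the <PRI> prefix) and ${PROGRAM} is empty until a parser runs.
template t_message-only { template("${MESSAGE}\n"); };

source s_syslog-ports {
    network(transport("udp") ip(10.25.10.52) port(514) flags(no-parse));
    network(transport("tcp") ip(10.25.10.52) port(514)
            max-connections(100) flags(no-parse));
    network(transport("tcp") ip(10.25.10.52) port(1514)
            max-connections(100) flags(no-parse));
};

# SOURCEIP comes from the connection, not the payload, so it is usable
# even before the line has been parsed.
filter f_Linux-centos {
    in-list("/etc/syslog-ng/filter/Linux-centos.txt", value("SOURCEIP"));
};

# ${PROGRAM} in the file name is only meaningful after syslog-parser() has
# run on ${MESSAGE}, so this destination lives in the same channel as the parser.
destination d_Linux-centos {
    file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log"
         template(t_message-only));
};

# Assumed catch-all for clients that are not on any in-list; keeps the raw line.
destination d_unparsed {
    file("/var/log/IT/unparsed/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log"
         template(t_message-only));
};

log {
    source(s_syslog-ports);
    junction {
        channel {
            filter(f_Linux-centos);
            parser { syslog-parser(); };   # re-parse the raw line: sets PROGRAM, HOST, PID, ...
            destination(d_Linux-centos);
            flags(final);                  # matched messages do not reach the next channel
        };
        channel {
            destination(d_unparsed);       # everything else, still unparsed
        };
    };
};
```

Check the effect with syslog-ng in debug mode (-d, as suggested above) and look for the PROGRAM value in the message trace after the parser step.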