[syslog-ng] Syslog-ng relay: is it possible to modify or delete META SEQUENCE DATA added automatically?

alain.villefranque at orange.com alain.villefranque at orange.com
Wed Nov 29 10:41:55 UTC 2017


Hi,

I am experiencing a problem with the syslog-ng relay, which is used in this way:

The syslog relay gathers syslog network messages from different sources (legacy RFC 3164 messages) and sends these messages to a central syslog server.

The central syslog server accepts only messages with a strict format: only the values shown in green can be modified.

<174>1 time_Norme_ISO8601 fqdn syslog-ng 007 - [meta sequenceid=xxxx][bbtlog@1009 bias="titi" platform="prod" produit="ppup" logfile="rtlog.sta" rtlog-river="rtl"]  Message

I successfully managed to rewrite the incoming messages and store them locally in log files in the format expected by the server.
I used filters, a rewrite rule with set() to change the hostname, and a template to format the received message into the expected format.
We don't use meta sequenceid, so we decided to write a constant value, 0000.

template("<174>1 ${ISODATE} ${HOST} syslog-ng 007 - [meta sequenceid=\"0000\"] [bblog@1009...] ${MSG}\n");

Now the task is to transfer each new line of the log file to the central syslog server.
I use a file() source that tails the log file to pick up the new messages, and a new remote syslog destination to redirect the messages to the syslog server.

Here is the message as depicted in TCPDUMP:

inpavlog1i-ad.62163 > 10.114.181.43.syslog: SYSLOG, length: 379
        Facility local5 (21), Severity info (6)
        Msg: 1 2017-11-29T10:17:57+01:00 inxipmgt.creteil.francetelecom.fr syslog-ng 007 - [meta sequenceId="1" sequencid="0000"][rtlog@1368 basicat="xip" platform="prod" produit="pexip" logfile="rtlog.sta" rtlog-river="rtl"] 10:17:57,686 Level="INFO" Name="administrator.system.configuration" Message="Conferencing node configuration updated." Node="conf02.int.ovp.orange-business.com"\0x0a

So I have an issue with the field [meta sequenceid...], which is automatically doubled/added to the previous one (0000).


If I modify the template by deleting the field [meta sequenceid="0000"]:
template("<174>1 ${ISODATE} ${HOST} syslog-ng 007 -  [bblog@1009...] ${MSG}\n");

the result is that the syslog-ng relay adds [meta sequenceId="xxxx"] after the first structured-data field and writes the parameter name with an upper-case "I".
This is not accepted by the central server. I also suspect that the position in the frame could have an impact.
Here is the tcpdump:
inpavlog1i-ad.62163 > 10.114.181.43.syslog: SYSLOG, length: 379
        Facility local5 (21), Severity info (6)
        Msg: 1 2017-11-29T10:17:57+01:00 inxipmgt.creteil.francetelecom.fr syslog-ng 007 - [rtlog@1368 basicat="xip" platform="prod" produit="pexip" logfile="rtlog.sta" rtlog-river="rtl"][meta sequenceId="1"] 10:17:57,686 Level="INFO" Name="administrator.system.configuration" Message="Conferencing node configuration updated." Node="conf02.int.ovp.orange-business.com"\0x0a


As I don't use this meta field, is it possible to configure the syslog-ng relay not to add the field [meta sequenceId="XX"] automatically, or to delete it with a command?

Regards

Alain
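An added example (editor's illustration, not code from the post or from syslog-ng) that makes the two captured frames above checkable offline: it parses the RFC 5424 header and STRUCTURED-DATA of each payload, shows why both fail the central server's format, and rebuilds the frame with a single lowercase [meta sequenceid="0000"] element in first position. The sample frames are constructed from the two tcpdump payloads quoted in the post, with the list archive's " at " mangling restored to "@" and the PRI <174> (local5.info = 21*8+6) added, since tcpdump's decoded view drops it. The `central_server_accepts` check is a hypothetical model of the server's rule as the post describes it, not the real server's validator. One caveat worth knowing before tuning the server: RFC 5424 section 7.3 itself defines the reserved SD element as [meta sequenceId="..."] with a capital I, and section 6.3.3 makes PARAM-NAME case-sensitive, so what syslog-ng emits is the standard spelling and the server's lowercase requirement is the non-standard side.

```python
"""RFC 5424 structured-data parsing and normalisation for the relay frames in the post."""
import re
from typing import List, Tuple

SDElement = Tuple[str, List[Tuple[str, str]]]  # (SD-ID, [(PARAM-NAME, PARAM-VALUE), ...])

# Constructed samples, built from the two tcpdump payloads quoted in the post
# (message text shortened; "@" restored; PRI <174> = local5 (21) * 8 + info (6)).
FRAME_DOUBLED = (
    '<174>1 2017-11-29T10:17:57+01:00 inxipmgt.creteil.francetelecom.fr syslog-ng 007 - '
    '[meta sequenceId="1" sequencid="0000"]'
    '[rtlog@1368 basicat="xip" platform="prod" produit="pexip" logfile="rtlog.sta" rtlog-river="rtl"]'
    ' 10:17:57,686 Level="INFO" Message="Conferencing node configuration updated."'
)
FRAME_APPENDED = (
    '<174>1 2017-11-29T10:17:57+01:00 inxipmgt.creteil.francetelecom.fr syslog-ng 007 - '
    '[rtlog@1368 basicat="xip" platform="prod" produit="pexip" logfile="rtlog.sta" rtlog-river="rtl"]'
    '[meta sequenceId="1"]'
    ' 10:17:57,686 Level="INFO" Message="Conferencing node configuration updated."'
)


def parse_sd(text: str, pos: int = 0) -> Tuple[List[SDElement], int]:
    """Parse STRUCTURED-DATA (RFC 5424 section 6.3) starting at text[pos].

    Returns (elements, index just past the last ']'), keeping element and
    parameter order. PARAM-VALUE escapes (\\" \\\\ \\]) are decoded. Malformed
    input raises ValueError (or IndexError when the frame is truncated).
    """
    elements: List[SDElement] = []
    if text.startswith('-', pos):          # NILVALUE: no structured data
        return elements, pos + 1
    while pos < len(text) and text[pos] == '[':
        pos += 1
        end = pos
        while text[end] not in ' ]':       # SD-ID runs up to SP or ']'
            end += 1
        sd_id = text[pos:end]
        pos = end
        params: List[Tuple[str, str]] = []
        while text[pos] == ' ':            # each SP introduces one SD-PARAM
            pos += 1
            eq = text.index('=', pos)
            name = text[pos:eq]
            if text[eq + 1] != '"':
                raise ValueError('PARAM-VALUE must be quoted at %d' % eq)
            pos = eq + 2
            value = []
            while text[pos] != '"':
                if text[pos] == '\\' and text[pos + 1] in '"\\]':
                    pos += 1               # drop the escape, keep the escaped char
                value.append(text[pos])
                pos += 1
            params.append((name, ''.join(value)))
            pos += 1                       # closing quote
        if text[pos] != ']':
            raise ValueError('expected ] at %d' % pos)
        pos += 1
        elements.append((sd_id, params))
    if not elements:
        raise ValueError('STRUCTURED-DATA missing')
    return elements, pos


def parse_frame(frame: str) -> dict:
    """Split a version-1 RFC 5424 frame into header fields, SD elements and MSG."""
    m = re.match(r'<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ', frame)
    if not m:
        raise ValueError('not an RFC 5424 version 1 frame')
    pri, ts, host, app, procid, msgid = m.groups()
    sd, pos = parse_sd(frame, m.end())
    msg = frame[pos + 1:] if frame.startswith(' ', pos) else ''
    return dict(pri=int(pri), timestamp=ts, host=host, app=app,
                procid=procid, msgid=msgid, sd=sd, msg=msg)


def escape(value: str) -> str:
    """Apply the three PARAM-VALUE escapes required by RFC 5424."""
    return value.replace('\\', '\\\\').replace('"', '\\"').replace(']', '\\]')


def format_sd(elements: List[SDElement]) -> str:
    if not elements:
        return '-'
    return ''.join('[%s%s]' % (sd_id, ''.join(' %s="%s"' % (n, escape(v)) for n, v in params))
                   for sd_id, params in elements)


def format_frame(f: dict) -> str:
    head = '<%d>1 %s %s %s %s %s %s' % (f['pri'], f['timestamp'], f['host'], f['app'],
                                         f['procid'], f['msgid'], format_sd(f['sd']))
    return head + (' ' + f['msg'] if f['msg'] else '')


def normalise_meta(frame: str, sequenceid: str = '0000') -> str:
    """Drop every 'meta' element (whatever its parameter spelling) and put one
    [meta sequenceid="..."] first, the shape the post says the central server wants."""
    f = parse_frame(frame)
    others = [e for e in f['sd'] if e[0] != 'meta']
    f['sd'] = [('meta', [('sequenceid', sequenceid)])] + others
    return format_frame(f)


PEN_SD_ID_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*@\d+$')   # name@PEN, e.g. rtlog@1368


def central_server_accepts(frame: str) -> bool:
    """Hypothetical model of the central server's strict check, taken from the format
    quoted in the post: version 1, APP-NAME syslog-ng, PROCID 007, MSGID '-', exactly two
    SD elements, the first [meta sequenceid="<digits>"], the second a name@PEN element."""
    try:
        f = parse_frame(frame)
    except (ValueError, IndexError):
        return False
    if (f['app'], f['procid'], f['msgid']) != ('syslog-ng', '007', '-') or len(f['sd']) != 2:
        return False
    (first_id, first_params), (second_id, _) = f['sd']
    return (first_id == 'meta' and len(first_params) == 1
            and first_params[0][0] == 'sequenceid' and first_params[0][1].isdigit()
            and PEN_SD_ID_RE.match(second_id) is not None)


if __name__ == '__main__':
    for name, frame in (('doubled', FRAME_DOUBLED), ('appended', FRAME_APPENDED)):
        print(name, 'accepted:', central_server_accepts(frame))
        print('  normalised:', normalise_meta(frame))
```

Running it shows both captured frames rejected and both normalising to the same wire line. This is a diagnostic for the server side of the problem; it does not change what syslog-ng puts on the wire, which is the open question of the post.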



