[syslog-ng] Syslog-ng + graylog2 destination

László Pál vlad at vlad.hu
Mon Oct 14 13:50:42 UTC 2019


Thank you. It seems this workaround has improved the situation a bit, however I still can see the reset logs from Graylog, so some other things must be wrong. The problem is I have no idea how to figure out which of my message sources are sending improper messages. These are mostly routers, but some of the firewalls (ASA) also send logs to the central syslog.

It seems GELF is very sensitive, so maybe in this case it is better if I simply use syslog or json towards Graylog.

Laszlo


> On 2019. Oct 14., at 15:09, Fabien Wernli <wernli at in2p3.fr> wrote:
> 
> Hi László,
> 
> On Mon, Oct 14, 2019 at 01:58:20PM +0200, László Pál wrote:
>> Oct 14 13:53:20 lumberjack syslog-ng[2174]: Casting error; value='', type-hint='int32'
> 
> It seems one of the fields you're sending should be an integer, but it's an
> empty string instead. If you look at the destination's code, you'll see that
> it uses the following format:
> 
>    template-function "format-gelf" "$(format-json version='1.1' host='${HOST}' short_message='${MSG}' level=int(${LEVEL_NUM}) timestamp=int64(${R_UNIXTIME}) _program='${PROGRAM}' _pid=int(${PID}) _facility='${FACILITY}' _class='${.classifier.class}' --key .* --key _*)$(binary 0x00)";
> 
> I'm suspecting that one of your macros ($LEVEL_NUM or $PID) is empty, due to a problem in syslog-format parsing. It's probably $PID, as the other one is automatically set.
> 
> If my theory is correct, try the following workaround:
> 
>  destination d_graylog_gelf {
>    channel {
>      rewrite {
>        set("${PID:-0}", value('PID'));
>      };
>    };
>    channel {
>      destination {
>        graylog2(
>          log_fifo_size(500000)
>          host("10.72.0.137")
>          transport (tcp)
>        );
>      };
>    };
>  };
> 
> This will set the PID to 0 if unset.
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 
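An added example, not part of the thread: a small offline checker that parses BSD-style syslog lines roughly the way syslog-ng's default parser splits them into HOST/PROGRAM/PID, applies the same int() cast the format-gelf template applies to _pid, and reports which hosts would trip the "Casting error" quoted above. The regex and the sample lines are constructed approximations; "${PID:-0}" default handling is shown alongside as the workaround's effect.

```python
import re
from collections import defaultdict

# Constructed sample lines (RFC 3164 style). The Cisco-style router and ASA
# lines carry no "program[pid]:" header, so the PID field stays empty for them.
SAMPLE_LINES = [
    "Oct 14 13:53:20 lumberjack sshd[2174]: Accepted publickey for ops",
    "Oct 14 13:53:21 rtr-core-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.0.9(22), 1 packet",
    "Oct 14 13:53:22 asa-edge %ASA-4-106023: Deny tcp src outside:203.0.113.7/5555 dst inside:10.0.0.9/443",
    "Oct 14 13:53:23 lumberjack cron[911]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct 14 13:53:24 rtr-core-1 %SYS-5-CONFIG_I: Configured from console by admin",
]

# Approximation of the BSD header: "Mmm dd hh:mm:ss host program[pid]: msg";
# the "[pid]" part is optional, which is exactly where GELF's int cast breaks.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>[^\]]*)\])?: ?(?P<msg>.*)$"
)

def parse_bsd_syslog(line):
    """Split one line into ts/host/program/pid/msg; None if the header is unparseable."""
    m = HEADER.match(line)
    return m.groupdict() if m else None

def gelf_int_cast_ok(value):
    """Mimic the int() type hint in format-json: '' or non-numeric text fails the cast."""
    try:
        int(value)
        return True
    except (TypeError, ValueError):
        return False

def default_pid(fields, fallback="0"):
    """Effect of the set("${PID:-0}", value('PID')) rewrite from the thread."""
    return fields["pid"] if fields and fields["pid"] else fallback

def sources_with_empty_pid(lines):
    """Return {host: count} for lines whose PID would fail the int32 cast in GELF."""
    bad = defaultdict(int)
    for line in lines:
        fields = parse_bsd_syslog(line)
        pid = fields["pid"] if fields else None
        if not gelf_int_cast_ok(pid if pid is not None else ""):
            bad[fields["host"] if fields else "<unparsed>"] += 1
    return dict(bad)

if __name__ == "__main__":
    for host, n in sorted(sources_with_empty_pid(SAMPLE_LINES).items()):
        print(f"{host}: {n} message(s) without a numeric PID")
```

Feed it the raw lines from the central syslog file instead of SAMPLE_LINES to see which devices need the PID default before the GELF destination.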


