[syslog-ng] Syslog-ng + graylog2 destination

Fabien Wernli wernli at in2p3.fr
Mon Oct 14 14:00:28 UTC 2019


On Mon, Oct 14, 2019 at 03:50:42PM +0200, László Pál wrote:
> Thank you. It seems this workaround has improved the situation a bit, however I still can see the reset logs from Graylog, so some other things must be wrong. The problem is I have no idea how to figure out which of my message sources are sending improper messages. These are mostly routers, but some of the firewalls (ASA) also send logs to the central syslog.
> 
> It seems GELF is very sensitive, so maybe in this case it is better if I simply use syslog or json towards Graylog

It's already what happens behind the scenes, as graylog2() is just an SCL wrapper of network().
You could experiment with other templates by overriding the default. Here's an example that sets default values for all macros (in case they're absent):

     destination d_graylog_gelf {
       graylog2(
         log_fifo_size(500000)
         host("10.72.0.137")
         transport (tcp)
         template("$(format-json version='1.1' host='${HOST:-none}' short_message='${MSG:-none}' level=int(${LEVEL_NUM:-0}) timestamp=int64(${R_UNIXTIME:-0}) _program='${PROGRAM:-none}' _pid=int(${PID:-0}) _facility='${FACILITY:-none}' _class='${.classifier.class:-none}' --key .* --key _*)$(binary 0x00)")
       );
     };
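As an added example (not part of the original post, and not syslog-ng or Graylog code): a small Python checker that splits a NUL-framed GELF TCP stream, as the template above emits it with $(binary 0x00), and reports records that break the GELF 1.1 field rules (required string version/host/short_message, numeric level and timestamp, additional fields prefixed with an underscore). Run against a capture of what a source sends, it is one way to find which sender produces the messages Graylog drops; the sample stream is constructed, with the second record deliberately malformed.

```python
import json

# Constructed sample: two GELF records, each terminated by a NUL byte as the
# graylog2() template does. The second one lacks "host" and sends "level"
# as a string, which a GELF receiver will reject.
SAMPLE_STREAM = (
    b'{"version":"1.1","host":"router1","short_message":"link up","level":6,'
    b'"timestamp":1571061600,"_program":"kernel","_pid":0,"_facility":"kern"}\x00'
    b'{"version":"1.1","short_message":"denied","level":"6"}\x00'
)

REQUIRED = {"version": str, "host": str, "short_message": str}
OPTIONAL = {"level": int, "timestamp": (int, float), "full_message": str}


def check_gelf(record: dict) -> list:
    """Return a list of rule violations found in one decoded GELF record."""
    problems = []
    for key, typ in REQUIRED.items():
        if key not in record:
            problems.append(f"missing required field {key!r}")
        elif not isinstance(record[key], typ):
            problems.append(f"{key!r} must be {typ.__name__}")
    if record.get("version") != "1.1":
        problems.append("version must be the string '1.1'")
    for key, typ in OPTIONAL.items():
        # bool is a subclass of int in Python, so exclude it explicitly
        if key in record and (not isinstance(record[key], typ) or isinstance(record[key], bool)):
            problems.append(f"{key!r} has wrong type")
    for key in record:
        if key not in REQUIRED and key not in OPTIONAL and not key.startswith("_"):
            problems.append(f"additional field {key!r} must start with '_'")
    return problems


def split_frames(stream: bytes) -> list:
    """Split a NUL-delimited GELF TCP stream into its JSON documents."""
    return [frame for frame in stream.split(b"\x00") if frame]


def validate_stream(stream: bytes) -> list:
    """Validate every frame; returns a list of (frame_index, problems)."""
    results = []
    for i, frame in enumerate(split_frames(stream)):
        try:
            record = json.loads(frame)
        except json.JSONDecodeError as exc:
            results.append((i, [f"invalid JSON: {exc}"]))
            continue
        if not isinstance(record, dict):
            results.append((i, ["top-level value must be a JSON object"]))
            continue
        results.append((i, check_gelf(record)))
    return results
```

Frames with a non-empty problem list are the ones to trace back to their sending host, e.g. by capturing per source before it reaches syslog-ng.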
