[syslog-ng] EWMM and sudo app-parser
Fabien Wernli
wernli at in2p3.fr
Thu Aug 6 09:55:02 UTC 2020
Hi,
I'm investigating using the EWMM forwarding model.
Consider the following setup: Linux hosts collect logs using `system()` and
send them over using the `syslog-ng()` destination to a remote host that
collects them using the `default-network-drivers()` source.
It seems to me that the sudo app parsing is fired up twice:
1. On the sender side because `system()` expands to something including the
`sudo-parser()` SCL
2. On the receiver side because `default-network-drivers()` expands to
something involving the `app-parser()`
This also happens when using the `syslog()` source on the sender side, which is
why I noticed this behaviour.
So my question is: is there something wrong with that model?
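For readers who want to reproduce the setup described in this post, here is a minimal pair of configurations (an added example, not the poster's own config; the hostname, log path and version line are placeholders).

```syslog-ng
@version: 3.28
@include "scl.conf"   # required: system(), syslog-ng() and default-network-drivers() are SCL drivers

# --- sender side (each Linux host) ---
# system() expands to the local log sources plus app parsing (including sudo-parser()),
# so sudo messages are already parsed here before being forwarded.
source s_local { system(); internal(); };

# syslog-ng() destination forwards using the EWMM format, which carries the
# name-value pairs produced by the sender-side parsers along with the message.
destination d_collector { syslog-ng(server("collector.example.invalid")); };

log { source(s_local); destination(d_collector); };

# --- receiver side (collector) ---
# default-network-drivers() accepts the EWMM stream and runs app-parser() again
# on the received messages; this is the second parsing pass the post asks about.
source s_net { default-network-drivers(); };

destination d_store { file("/var/log/remote/${HOST}.log" template("${ISODATE} ${HOST} ${MSG}\n")); };

log { source(s_net); destination(d_store); };
```

To see whether a message is parsed twice, replace the `file()` template with one that dumps all name-value pairs (for example `$(format-json --scope all-nv-pairs)`) and compare the output on the sender and the receiver.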