[syslog-ng] EWMM and sudo app-parser

Fabien Wernli wernli at in2p3.fr
Thu Aug 6 09:55:02 UTC 2020


Hi,

I'm investigating using the EWMM forwarding model.
Consider the following setup: Linux hosts collect logs using `system()` and
send them over using the `syslog-ng()` destination to a remote host that
collects them using the `default-network-drivers()` source.

It seems to me that the sudo app parsing is fired up twice:

1. On the sender side because `system()` expands to something including the
   `sudo-parser()` SCL
2. On the receiver side because `default-network-drivers()` expands to
   something involving the `app-parser()`

This happens also when using `syslog()` source on the sender side, which is
why I noticed this behaviour.

So my question is, is there something wrong with that model?
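Added example, not part of the post above and not syslog-ng project code: a small Python checker for the situation the post describes. It parses EWMM lines as the `syslog-ng()` destination is assumed to emit them (an RFC 5424 header, a `[meta sequenceId="…"]` SDATA block and a JSON body carrying the name-value pairs; that layout, and the `_sudo.*` key names produced by the sender-side `sudo-parser()`, are assumptions here) and reports, per message, whether the sender already attached parsed sudo fields. Run against a capture of what actually arrives at the receiver, this shows directly whether the receiver-side `app-parser()` is re-parsing messages that were already parsed at the source. The sample lines are constructed, not real captures.

```python
import json
import re

# Constructed sample EWMM lines (not real captures). The layout follows the
# assumed format-ewmm output: RFC 5424 header, [meta sequenceId] SDATA, then a
# JSON object holding the message's name-value pairs.
SAMPLE_LINES = [
    # Sender used system(), which ran sudo-parser(): nested "_sudo" fields present.
    '<85>1 2020-08-06T09:55:02+00:00 host1 sudo 1234 - [meta sequenceId="1"] '
    '{"MESSAGE":"alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",'
    '"_sudo":{"SUBJECT":"alice","TTY":"pts/0","PWD":"/home/alice",'
    '"USER":"root","COMMAND":"/bin/ls"}}',
    # Sender forwarded the raw message with no app parsing: only MESSAGE is carried.
    '<85>1 2020-08-06T09:55:03+00:00 host2 sudo 4321 - [meta sequenceId="2"] '
    '{"MESSAGE":"bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id"}',
]

# RFC 5424 header followed by one SDATA element (or "-") and a JSON body.
EWMM_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<program>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<sdata>\[.*?\]|-) (?P<body>\{.*\})$'
)

# Prefixes under which sender-side sudo-parser() output is assumed to appear
# (format-json nests dotted names and turns the leading "." into "_").
SUDO_PREFIXES = ("_sudo.", ".sudo.")


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys so prefix checks are uniform."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def parse_ewmm(line):
    """Split one EWMM line into header fields plus flattened name-value pairs."""
    match = EWMM_RE.match(line)
    if not match:
        raise ValueError("not an EWMM line: %r" % line)
    rec = match.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = pri >> 3   # 85 -> 10 (authpriv)
    rec["severity"] = pri & 7    # 85 -> 5  (notice)
    rec["nv"] = flatten(json.loads(rec.pop("body")))
    return rec


def already_app_parsed(rec):
    """True when the sender already attached sudo-parser() fields."""
    return any(k.startswith(SUDO_PREFIXES) for k in rec["nv"])


def audit(lines):
    """Return (host, sender_already_parsed) for every sudo message in lines."""
    results = []
    for line in lines:
        rec = parse_ewmm(line)
        if rec["program"] == "sudo":
            results.append((rec["host"], already_app_parsed(rec)))
    return results


if __name__ == "__main__":
    for host, parsed in audit(SAMPLE_LINES):
        state = "already parsed at sender" if parsed else "raw, receiver will parse"
        print("%-6s %s" % (host, state))
```

Messages for which `audit()` reports `True` would be parsed a second time by a receiver whose `default-network-drivers()` expands to `app-parser()`; the duplicate work is easy to quantify this way before deciding which side should own the parsing.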
