[syslog-ng] Fwd: facility override

Alexandre Santos alexandre.rosas.santos at gmail.com
Mon Mar 9 12:41:37 UTC 2020


Hi,

I tried to rewrite PRI but the macro is not writable:
Mar 09 11:27:31 localhost syslog-ng[31986]: Error parsing rewrite
expression, PRI is read-only, it cannot be changed in rewrite rules in
/etc/syslog-ng/syslog-ng.conf:
Mar 09 11:27:31 localhost syslog-ng[31986]: 359     };
Mar 09 11:27:31 localhost syslog-ng[31986]: 360     # end of localFile:
netconf-commands
Mar 09 11:27:31 localhost syslog-ng[31986]: 361
Mar 09 11:27:31 localhost syslog-ng[31986]: 362
Mar 09 11:27:31 localhost syslog-ng[31986]: 363     # remote: test
Mar 09 11:27:31 localhost syslog-ng[31986]: 364---> rewrite
r_pri{set("189", value("PRI"));};
Mar 09 11:27:31 localhost syslog-ng[31986]: 364--->
            ^
Mar 09 11:27:31 localhost syslog-ng[31986]: 365     destination d_test_udp {
Mar 09 11:27:31 localhost syslog-ng[31986]: 366
syslog("192.168.122.1" transport("udp") ip-protocol(4) port(514)
Mar 09 11:27:31 localhost syslog-ng[31986]: 367             suppress(5)
Mar 09 11:27:31 localhost syslog-ng[31986]: 368             disk-buffer(
Mar 09 11:27:31 localhost syslog-ng[31986]: 369
mem-buf-size(2097152)

I tried to use the following configuration to make a facility override
local0 -> local7:

# remote: test
template t_test { template("$(if ('${LEVEL_NUM}' == '0') '<184>1' $(if
('${LEVEL_NUM}' == '1') '<185>1' $(if ('${LEVEL_NUM}' == '2') '<186>1' $(if
('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' $(if
('${LEVEL_NUM}' == '5') '<189>1' $(if ('${LEVEL_NUM}' == '6') '<190>1'
'<191>1' ))))))) ${ISODATE} ${HOST} ${PROGRAM} ${PID} $(if ('${MSGID}' ==
'') '-' '${MSGID}') $(if ('${SDATA}' == '') '-' '${SDATA}') ${MESSAGE}"); };
destination d_test_udp {
    network("192.168.122.1" transport("udp") ip-protocol(4) port(514)
        template ("t_test")
    );
};
filter f_remote_test_udp_local0 {
    facility(local0) and level(debug .. emerg);
};
log {
    source(s_src);
    filter(f_remote_test_udp_local0);
    destination(d_test_udp);
    flags(flow-control);
};
# end of remote server: test

The problem is that I get a double header in the syslog server:
Mar  9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00
127.0.0.1 root 31353 - - This is a Test 6
Mar  9 11:41:53 127.0.0.1 root[31404] <190>1 2020-03-09T11:41:53+00:00
127.0.0.1 root 31404 - - This is a Test 7
Mar  9 11:41:53 127.0.0.1 root[31448] <190>1 2020-03-09T11:41:53+00:00
127.0.0.1 root 31448 - - This is a Test 8
Mar  9 11:41:54 127.0.0.1 root[31449] <190>1 2020-03-09T11:41:54+00:00
127.0.0.1 root 31449 - - This is a Test 9
Mar  9 11:41:54 127.0.0.1 root[31468] <190>1 2020-03-09T11:41:54+00:00
127.0.0.1 root 31468 - - This is a Test 10
Mar  9 11:41:55 127.0.0.1 root[31485] <190>1 2020-03-09T11:41:55+00:00
127.0.0.1 root 31485 - - This is a Test 11
Mar  9 11:41:55 127.0.0.1 root[31526] <190>1 2020-03-09T11:41:55+00:00
127.0.0.1 root 31526 - - This is a Test 12
Mar  9 11:41:55 127.0.0.1 root[31567] <190>1 2020-03-09T11:41:55+00:00
127.0.0.1 root 31567 - - This is a Test 13

Can you help me?

Thanks and regards,
Alex


On Mon, Jan 20, 2020 at 07:49 AM Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com> wrote:

> Hi Alex,
>
> I think ${PRI} does exactly that.
>
> PRI
> Description: The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.
>
> Regards,
> Attila
> ________________________________
> From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
> Sent: Friday, January 17, 2020 7:56 PM
> To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] facility override
>
> Hi,
>
> Is there a way of overriding the facility of the messages on the destination, besides using a template like:
> { template("$(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' ${HOST}\\@`HOSTIPV4` ${PROGRAM} ${PID} ${SDATA} ${MESSAGE}\n"); };
>
> Thanks in advance,
> Alex
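
Added example, not part of the original thread and not syslog-ng code: the PRI arithmetic behind the template above (PRI = facility * 8 + severity, so local7 covers 184..191), together with a check that flags a second RFC 5424 header embedded in a stored line, as in the server output quoted in the message. The function names and the first sample frame are constructed for illustration.

```python
import re

# RFC 5424 facility and severity names, indexed by numeric code.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()

LEADING_PRI = re.compile(r"^<(\d{1,3})>")
# Start of an RFC 5424 header: <PRI>, version 1, then an ISO 8601 timestamp.
RFC5424_START = re.compile(r"<(\d{1,3})>1 \d{4}-\d{2}-\d{2}T\S+ ")


def decode_pri(pri):
    """Split PRI into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def override_facility(frame, facility):
    """Return the frame with its leading PRI moved to `facility`, severity kept."""
    m = LEADING_PRI.match(frame)
    if m is None:
        raise ValueError("frame does not start with <PRI>")
    severity = int(m.group(1)) & 7
    new_pri = FACILITIES.index(facility) * 8 + severity
    return f"<{new_pri}>" + frame[m.end():]


def embedded_header(stored_line):
    """Return (offset, facility, severity) when an RFC 5424 header appears
    inside the stored line behind some other header, else None."""
    m = RFC5424_START.search(stored_line)
    if m is None or m.start() == 0:
        return None
    return (m.start(),) + decode_pri(int(m.group(1)))


if __name__ == "__main__":
    # Constructed wire frame: local0.info is 16 * 8 + 6 = 134.
    frame = "<134>1 2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6"
    print(override_facility(frame, "local7"))
    # Stored line copied from the server output in the message above.
    stored = ("Mar  9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00 "
              "127.0.0.1 root 31353 - - This is a Test 6")
    print(embedded_header(stored))
```

A hit from embedded_header() on collected logs means the receiver treated the intended header as message text, so any routing or alerting keyed on facility is acting on the outer header rather than the overridden one.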