[syslog-ng] facility override

Alexandre Santos alexandre.rosas.santos at gmail.com
Mon Mar 9 14:46:05 UTC 2020


Hi, Got the problem

I was missing a "\n" at the end of the template:

template t_test { template("$(if ('${LEVEL_NUM}' == '0') '<184>1' $(if
('${LEVEL_NUM}' == '1') '<185>1' $(if ('${LEVEL_NUM}' == '2') '<186>1' $(if
('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' $(if
('${LEVEL_NUM}' == '5') '<189>1' $(if ('${LEVEL_NUM}' == '6') '<190>1'
'<191>1' ))))))) ${ISODATE} ${HOST} ${PROGRAM} ${PID} $(if ('${MSGID}' ==
'') '-' '${MSGID}') $(if ('${SDATA}' == '') '-' '${SDATA}') ${MESSAGE}\n");
};

Cheers,
Alex
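
The PRI values hard-coded in the template follow PRI = facility * 8 + severity; local7 is facility 23, which gives 184 to 191. As an added example that is not part of the original thread, the Python below recomputes that mapping and flags received lines, like the receiver output quoted further down, where a `<PRI>1` header ended up inside the message body. The function names and the regular expression are illustrative assumptions.

```python
import re

# Facility and severity names by numeric code (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

def decode_pri(pri):
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def override_facility(pri, facility):
    """Return the PRI with the facility replaced and the severity kept."""
    decode_pri(pri)  # range check
    return FACILITIES.index(facility) * 8 + (pri & 7)

# A "<PRI>1 <ISO timestamp> " header preceded by whitespace: it sits inside
# the message body instead of at the start of the frame.
EMBEDDED = re.compile(r"(?<=\s)<(\d{1,3})>1 \d{4}-\d{2}-\d{2}T\S+ ")

def embedded_header(line):
    """Decode a header found mid-line, or return None for a clean line."""
    m = EMBEDDED.search(line)
    if m is None or int(m.group(1)) > 191:
        return None
    return decode_pri(int(m.group(1)))

# First line is the receiver output quoted in the thread; second is a
# constructed frame that starts with the header, as intended.
SAMPLES = [
    "Mar  9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00 "
    "127.0.0.1 root 31353 - - This is a Test 6",
    "<190>1 2020-03-09T11:41:52+00:00 127.0.0.1 root 31353 - - This is a Test 6",
]

if __name__ == "__main__":
    # local0 (facility 16) severities 0..7 mapped onto local7 (facility 23)
    print([override_facility(16 * 8 + s, "local7") for s in range(8)])
    for line in SAMPLES:
        print(embedded_header(line), "|", line[:40])
```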

On Mon, Mar 9, 2020 at 12:41 PM Alexandre Santos <
alexandre.rosas.santos at gmail.com> wrote:

>
> Hi,
>
> I tried to rewrite PRI but the macro is not writable:
> Mar 09 11:27:31 localhost syslog-ng[31986]: Error parsing rewrite
> expression, PRI is read-only, it cannot be changed in rewrite rules in
> /etc/syslog-ng/syslog-ng.conf:
> Mar 09 11:27:31 localhost syslog-ng[31986]: 359     };
> Mar 09 11:27:31 localhost syslog-ng[31986]: 360     # end of localFile:
> netconf-commands
> Mar 09 11:27:31 localhost syslog-ng[31986]: 361
> Mar 09 11:27:31 localhost syslog-ng[31986]: 362
> Mar 09 11:27:31 localhost syslog-ng[31986]: 363     # remote: test
> Mar 09 11:27:31 localhost syslog-ng[31986]: 364---> rewrite
> r_pri{set("189", value("PRI"));};
> Mar 09 11:27:31 localhost syslog-ng[31986]: 364--->
>               ^
> Mar 09 11:27:31 localhost syslog-ng[31986]: 365     destination d_test_udp
> {
> Mar 09 11:27:31 localhost syslog-ng[31986]: 366
> syslog("192.168.122.1" transport("udp") ip-protocol(4) port(514)
> Mar 09 11:27:31 localhost syslog-ng[31986]: 367             suppress(5)
> Mar 09 11:27:31 localhost syslog-ng[31986]: 368             disk-buffer(
> Mar 09 11:27:31 localhost syslog-ng[31986]: 369
> mem-buf-size(2097152)
>
> I tried to use the following configuration to make a facility override
> local0 -> local7:
>
> # remote: test
> template t_test { template("$(if ('${LEVEL_NUM}' == '0') '<184>1' $(if
> ('${LEVEL_NUM}' == '1') '<185>1' $(if ('${LEVEL_NUM}' == '2') '<186>1' $(if
> ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' $(if
> ('${LEVEL_NUM}' == '5') '<189>1' $(if ('${LEVEL_NUM}' == '6') '<190>1'
> '<191>1' ))))))) ${ISODATE} ${HOST} ${PROGRAM} ${PID} $(if ('${MSGID}' ==
> '') '-' '${MSGID}') $(if ('${SDATA}' == '') '-' '${SDATA}') ${MESSAGE}"); };
> destination d_test_udp {
>     network("192.168.122.1" transport("udp") ip-protocol(4) port(514)
>         template ("t_test")
>     );
> };
> filter f_remote_test_udp_local0 {
>     facility(local0) and level(debug .. emerg);
> };
> log {
>     source(s_src);
>     filter(f_remote_test_udp_local0);
>     destination(d_test_udp);
>     flags(flow-control);
> };
> # end of remote server: test
>
> The problem is that I get a double header in the syslog server:
> Mar  9 11:41:52 127.0.0.1 root[31353] <190>1 2020-03-09T11:41:52+00:00
> 127.0.0.1 root 31353 - - This is a Test 6
> Mar  9 11:41:53 127.0.0.1 root[31404] <190>1 2020-03-09T11:41:53+00:00
> 127.0.0.1 root 31404 - - This is a Test 7
> Mar  9 11:41:53 127.0.0.1 root[31448] <190>1 2020-03-09T11:41:53+00:00
> 127.0.0.1 root 31448 - - This is a Test 8
> Mar  9 11:41:54 127.0.0.1 root[31449] <190>1 2020-03-09T11:41:54+00:00
> 127.0.0.1 root 31449 - - This is a Test 9
> Mar  9 11:41:54 127.0.0.1 root[31468] <190>1 2020-03-09T11:41:54+00:00
> 127.0.0.1 root 31468 - - This is a Test 10
> Mar  9 11:41:55 127.0.0.1 root[31485] <190>1 2020-03-09T11:41:55+00:00
> 127.0.0.1 root 31485 - - This is a Test 11
> Mar  9 11:41:55 127.0.0.1 root[31526] <190>1 2020-03-09T11:41:55+00:00
> 127.0.0.1 root 31526 - - This is a Test 12
> Mar  9 11:41:55 127.0.0.1 root[31567] <190>1 2020-03-09T11:41:55+00:00
> 127.0.0.1 root 31567 - - This is a Test 13
>
> Can you help me?
>
> Thanks and regards,
> Alex
>
>
> On Mon, Jan 20, 2020 at 07:49 AM Attila Szakacs (aszakacs)  <
> Attila.Szakacs at oneidentity.com> wrote:
>
>> Hi Alex,
>>
>> I think ${PRI} does exactly that.
>>
>> PRI
>> Description: The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.
>>
>> Regards,
>> Attila
>> ________________________________
>> From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
>> Sent: Friday, January 17, 2020 7:56 PM
>> To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
>> Subject: [syslog-ng] facility override
>>
>> Hi,
>>
>> Is there a way of overriding the facility of the messages on the destination, besides using a template like:
>> { template("$(if ('${LEVEL_NUM}' == '2') '<186>1' $(if ('${LEVEL_NUM}' == '3') '<187>1' $(if ('${LEVEL_NUM}' == '4') '<188>1' ${HOST}\\@`HOSTIPV4` ${PROGRAM} ${PID} ${SDATA} ${MESSAGE}\n"); };
>>
>> Thanks in advance,
>> Alex