[syslog-ng] syslog-ng has add extra field

Ivan Nepryahin - Bercut Ivan.Nepryahin at bercut.com
Thu Mar 25 15:38:28 UTC 2021 

Thanks for your reply, János !


If you can explain me please what does that mean?


>network(transport(tcp|udp))
>or
>syslog() or network(transport(tcp|udp) flags(syslog-protocol))





======================================================================


my config:


@version: 3.18
@include "scl.conf"

source s_local {
        internal();
};

source s_network {
        default-network-drivers(
                # NOTE: TLS support
                #
                # the default-network-drivers() source driver opens the TLS
                # enabled ports as well, however without an actual key/cert
                # pair they will not operate and syslog-ng would display a
                # warning at startup.
                #
                #tls(key-file("/path/to/ssl-private-key") cert-file("/path/to/ssl-cert"))
        );
};

destination d_local {
#       file("/var/log/messages");
        file("/var/log/messages-kv_${YEAR}-${MONTH}-${DAY}.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
        file("/var/log/messages_${HOST}.log"
        perm(0644)
        );
};

destination d_logstore {
        file(
           "/var/log/remote/${HOST}/${HOST}_${YEAR}-${MONTH}-${DAY}.log"
        create-dirs(yes)
    );
};

log {
        source(s_local);
        source(s_network);
        destination(d_local);
        destination(d_logstore);
#       destination(d_sorted);
};




best regards,
Nepryahin Ivan
IT Department
Phone: +7 812 327 32 33
Mobile: +7 911 291 81 68


________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of SZIGETVÁRI János <jszigetvari at gmail.com>
Sent: Thursday, March 25, 2021 6:24:09 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng has add extra field

Hello Ivan,

Most commonly there may be two main formats of logs that you may encounter.
One is the traditional BSD-style syslog, described in RFC 3164: https://tools.ietf.org/html/rfc3164
The other is the IETF-style log format, described in RFC 5424: https://tools.ietf.org/html/rfc5424

In case of syslog-ng you would have to either use
network(transport(tcp|udp))
or
syslog() or network(transport(tcp|udp) flags(syslog-protocol))
respectively.

The sample logs you included seem to resemble the IETF-style.
What type of source do you have configured in your syslog-ng setup? (Could you please share your config file?)

Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

LinkedIn: linkedin.com/in/janosszigetvari<http://linkedin.com/in/janosszigetvari>
E-mail: janos at szigetvari.com<mailto:janos at szigetvari.com>, jszigetvari at gmail.com<mailto:jszigetvari at gmail.com>
Web: janos.szigetvari.com<https://janos.szigetvari.com>

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp


Ivan Nepryahin - Bercut <Ivan.Nepryahin at bercut.com<mailto:Ivan.Nepryahin at bercut.com>> ezt írta (időpont: 2021. márc. 25., Cs, 14:56):

Hi all!



I think I have a stupid question, but I really dont know how this make.

Situation:
When I send syslog message with timestamp in  format "1Mar 25 2021 16:35:49" everything works great, but when  I send  message with timestamp in format "1Mar 25 2021 16:35:49+03:00", syslog-ng adding two extra fields with timestamp and IP address and due that break down  file naming.

Question:
How can I say to syslog-ng server do not  add extra fields when he  get message with +03:00  in timestamp?

message without +03:00
Mar 25 13:11:57 HUAWEI-CORE-OFFICE-1   <bla bla bal>

mesage with  +03:00
Mar 25 13:46:45 192.168.100.34 Mar 25 2021 16:46:45+03:00 HUAWEI-CORE-OFFICE-1  <bla bla bla>



I will be appreciate for any advice!



P.s sorry for bad english it is not my native language



best regards,
Nepryahin Ivan
IT Department
Phone: +7 812 327 32 33
Mobile: +7 911 291 81 68


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20210325/6032b618/attachment-0001.html>

More information about the syslog-ng mailing list