[syslog-ng] Properly Setting Facility and Severity into destination
Greg Christopher
gregory_christopher at yahoo.com
Sat Jul 29 14:06:28 UTC 2023
Hi All,
Did my best (about a week's effort) to find this information online and apologize if it's obvious.
I am trying to use syslog-ng as a client to send messages to a syslog compliant server with the proper severity and facility set. I am starting with plain-text log files.
The syslog rfc as well as the syslog-ng documentation are pretty clear about the syslog message format itself.
There are even syslog-ng functions to substitute severity and facility using a function called "rewrite". But this doesn't seem to work if you are starting with a regular application log. In other words, there is nothing to "rewrite" since this header was never there to begin with.
Although I initially configured my application log with flags(no-parse), I attempted to remove it so that my rewrite attempt would at least have a facility and severity to "rewrite", but this also seems to have failed.
Next I attempted prepending "<81>" (8*10 + 1) to the application messages to get the right priority field, but this failed to change what the syslog-ng server on the other end received, as I have modified its output to include severity and facility:
---
destination d_local {
    file("/var/log/syslog-ng/$HOST" template("Fac: $FACILITY Pri: $PRIORITY $ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};
---
It does seem to be working properly, but the above two approaches to increasing the severity and noting this is a security facility message failed.
So it seems this use case where we create syslog entries from scratch sort of throws a curve ball at syslog-ng clients, at least from what I can figure.
Any help on how I can set these manually into the destination would be greatly appreciated.
Here is my syslog-ng.conf at the moment; note I pull the log file name out of an environment variable:
---
@version: 4.1

# Configure the source to read from the messages log file
# no-parse means whole line becomes "message" portion.
# Template should indicate security alert to syslog daemon
source s_APP_LOG {
    file(`APP_LOG`);
    # file(`APP_LOG` flags(no-parse));
};

rewrite set_pri_fields {
    set-severity("alert");
    set-facility("security");
};

destination d_destination {
    syslog(`syslogServer`);
};

# Configure the log statement to route messages from the application log file to
# the syslog server specified on the command line
log {
    source(s_APP_LOG);
    rewrite(set_pri_fields);
    destination(d_destination);
};
---
Greg
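As an added example (not from the post and not syslog-ng code), a small Python PRI codec that shows what a receiving daemon decodes from a prepended priority field such as the "<81>" tried above: RFC 5424 defines PRI as facility * 8 + severity, so 81 decodes to facility 10 (authpriv) and severity 1 (alert). The facility names used here are the traditional BSD keyword names plus descriptive labels for 12-15 taken from the RFC 5424 table; syslog-ng's own facility-name table (including any extra aliases) is not reproduced, and the sample log line is constructed.

```python
"""Encode and decode the RFC 5424 <PRI> field (PRI = facility * 8 + severity)."""
import re

# Index == facility number. 0-11 and 16-23 are the classic BSD keywords;
# 12-15 are descriptive labels from the RFC 5424 table, not daemon keywords.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Index == severity number (0 is the most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 6.2.1: one to three digits, no leading zeros, immediately after "<".
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


def encode_pri(facility, severity):
    """Return the PRI number for a facility and severity given by name or number."""
    fac = FACILITIES.index(facility) if isinstance(facility, str) else int(facility)
    sev = SEVERITIES.index(severity) if isinstance(severity, str) else int(severity)
    if not (0 <= fac <= 23 and 0 <= sev <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return fac * 8 + sev


def decode_pri(line):
    """Parse the leading <PRI> of a syslog line.

    Returns (facility_name, severity_name, remainder) or None when the line
    carries no well-formed PRI (missing, leading zero, or above 191).
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], line[m.end():]


if __name__ == "__main__":
    # Constructed sample: an application line with "<81>" prepended as in the post.
    sample = "<81>Jul 29 14:06:28 apphost myapp: login failure for user x"
    print(encode_pri("authpriv", "alert"))  # 81
    print(decode_pri(sample))               # ('authpriv', 'alert', 'Jul 29 ...')
    print(decode_pri("<081>bad leading zero"))  # None
```

Running the decoder against the template output on the receiving side ($FACILITY / $PRIORITY) is a quick way to confirm whether a prepended field was honoured or the line was treated as plain message text.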