[syslog-ng] Syslog server chaining issue

Maurya, Shivani shivani.maurya at intel.com
Thu Dec 12 06:35:45 UTC 2024


Thanks for the response. 

The format mentioned in the admin guide for the 1st syslog server results in a failure of the syslog-ng service, so I modified it to make sure the syslog-ng service starts.
On the 1st syslog server, I added the syslog destination as:

destination d_ewmm {
    syslog("secondary_IP");
};

On the 2nd syslog server, the default-network-drivers(); option is not working. Hence, I am trying to capture the syslog messages like this:

source src {
    network(transport(udp) ip(secondary_IP) port(514));
};

But the issue still persists; there is no change in the message format.

Regards,
Shivani Maurya

-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Fabien Wernli
Sent: Wednesday, December 11, 2024 8:10 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog server chaining issue

Hi,

On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> Hi All,
> 
> I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.
> 
> Device --> Syslog Server 1 --> Syslog Server 2

I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.

https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages
https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/README
https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-drivers/README
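
The chain suggested above, written out for both servers as an added example; it is not configuration from either poster or from the syslog-ng project. The IP address, the source and log path names, and the output file path are constructed placeholders, and the two sections belong in two separate configuration files.

```conf
# ---- Syslog Server 1 (relay) ----
@version: 3.31
@include "scl.conf"   # syslog-ng() and default-network-drivers() are SCL blocks

source s_devices {
    # Devices send plain syslog over UDP, as described in the thread.
    network(transport(udp) port(514));
};

destination d_ewmm {
    # Forwards each message to the next syslog-ng node in EWMM format,
    # so the original fields travel with it instead of a UDP template.
    # 192.0.2.20 is a constructed placeholder for Syslog Server 2.
    syslog-ng(server("192.0.2.20"));
};

log { source(s_devices); destination(d_ewmm); };

# ---- Syslog Server 2 (central) ----
@version: 3.31
@include "scl.conf"

source s_chain {
    # Accepts the relay's traffic and recognizes EWMM messages,
    # so the first server's output is not parsed a second time.
    default-network-drivers();
};

destination d_central {
    # Hypothetical output path, one file per original sending host.
    file("/var/log/chained/${HOST}.log" create-dirs(yes));
};

log { source(s_chain); destination(d_central); };
```

Running `syslog-ng --syntax-only` against each file checks that the configuration parses before the service is restarted.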
