[syslog-ng] Syslog server chaining issue
Balazs Scheidler
bazsi77 at gmail.com
Thu Dec 12 08:02:27 UTC 2024
If you supply the template() option on the first server, that changes the
format the protocol expects. So you need to use the standard template there and
then reformat it to your needs on the 2nd, by using template() there.
The reason $PROGRAM captured the severity value is that you were using
$SEVERITY in the position where the normal syslog format expects the
program name.
The syslog-ng() driver Fabien mentioned requires you to include scl.conf,
which is the syslog-ng configuration library.
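To make the two-hop layout described above concrete, here is an added example
configuration (not posted in this thread, and not taken from the syslog-ng
project): server 1 forwards unmodified in EWMM with the syslog-ng() destination,
server 2 receives it with default-network-drivers() and applies the custom
layout only on its final file destination. The "broken" destination is a
constructed illustration of the failure mode (${SEVERITY} in the program slot)
and is defined for contrast only; "secondary_IP", the file path and the
templates are placeholders. Both servers need @include "scl.conf" because the
syslog-ng() destination and default-network-drivers() are SCL drivers.

```conf
# ---------------- server1.conf (receives from devices, forwards) ----------------
@version: 3.31
@include "scl.conf"          # provides the syslog-ng() destination (SCL)

source s_devices {
    network(transport(udp) port(514));
};

# Constructed illustration of the failure mode (NOT used in the log path below):
# a custom template on the forwarding hop rewrites the wire format. ${SEVERITY}
# now sits where RFC3164 expects the program name, so the receiving syslog-ng
# parses the severity word as $PROGRAM.
destination d_forward_broken {
    network("secondary_IP" transport(udp) port(514)
            template("<${PRI}>${DATE} ${HOST} ${SEVERITY} ${MSG}\n"));
};

# Correct: forward in EWMM (syslog-ng's lossless wire format) and do no
# reformatting on this hop. Port defaults to 514 over TCP.
destination d_forward {
    syslog-ng(server("secondary_IP"));
};

log { source(s_devices); destination(d_forward); };

# ---------------- server2.conf (final hop, applies the custom layout) ------------
@version: 3.31
@include "scl.conf"          # provides default-network-drivers() (SCL)

source s_from_primary {
    # listens on the standard syslog ports and recognises EWMM on port 514/tcp
    default-network-drivers();
};

# Reformat only here, once the message has been parsed correctly.
destination d_file {
    file("/var/log/chained.log"
         template("${ISODATE} ${HOST} ${LEVEL} ${PROGRAM}[${PID}]: ${MESSAGE}\n"));
};

log { source(s_from_primary); destination(d_file); };
```

Check the result on server 2 with `syslog-ng -s -f server2.conf` for syntax, then
confirm in /var/log/chained.log that the program column carries the original
process name rather than a severity word.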
On Thu, Dec 12, 2024, 07:43 Maurya, Shivani <shivani.maurya at intel.com>
wrote:
> Thanks for the response.
>
> The format mentioned in the admin guide for the 1st syslog server is resulting
> in failure of the syslog-ng service, hence I modified it to make sure the
> syslog-ng service starts.
> On the 1st syslog server, I added the syslog destination as -
>
> destination d_ewmm {
>     syslog("secondary_IP");
> };
>
> On the 2nd syslog server, the default-network-drivers(); option is not working.
> Hence, I am trying to capture the syslog messages like -
>
> source src {
>     network(transport(udp) ip(secondary_IP) port(514));
> };
>
> But the issue still persists, no change in the message format.
>
> Regards,
> Shivani Maurya
>
> -----Original Message-----
> From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Fabien
> Wernli
> Sent: Wednesday, December 11, 2024 8:10 PM
> To: Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] Syslog server chaining issue
>
> Hi,
>
> On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> > Hi All,
> >
> > I am using 2 syslog servers on version 3.31. The devices are sending
> syslog message to 1st syslog server. The 1st syslog server is forwarding
> the same message to 2nd syslog server.
> >
> > Device --> Syslog Server 1 --> Syslog Server 2
>
> I would suggest that you use the syslog-ng() destination so you don't have
> to worry about your udp template being reinterpreted poorly by the second
> syslog-ng.
>
>
> https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages
>
> https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/README
>
> https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-drivers/README
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>