Syslog-ng: how to change a message before sending to a remote host


Here is how redirection is now organized:

Remote machine:

source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();

    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");

    #
    # uncomment to process log messages from network:
    #
    udp(ip("0.0.0.0") port(514));
    tcp(ip("0.0.0.0") port(1470));
};

Local machine:

source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();

    #
    # the following line will be replaced by the
    # socket list generated by SuSEconfig using
    # variables from /etc/sysconfig/syslog:
    #
    #unix-dgram("/dev/log");
    unix-stream("/dev/log");

    #
    # uncomment to process log messages from network:
    #
    #udp(ip("0.0.0.0") port(514));

};

# send every message to the remote host over TCP, with MyMark appended by the template
destination editredirect { tcp("10.30.38.115" port(1470) template("<$PRI> $DATE $HOST $MSG MyMark\n")); };
log { source(src); destination(editredirect); };
Author: Pardeep Kumar

Updated on September 18, 2022
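
A receiver-side check for lines built by the template above, as an added example that is not part of the original post: it splits a TCP byte stream on the template's trailing newline, decodes $PRI into facility and severity, and rejects lines that lack the MyMark suffix. The function names, the sample host sles10 and the assumption that $DATE is the BSD-style timestamp are assumptions made for this example.

```python
import re
from typing import NamedTuple, Optional

MARK = "MyMark"  # suffix appended by the page's template
# Shape of one line built by template("<$PRI> $DATE $HOST $MSG MyMark\n").
# Assumption: $DATE is the BSD-style stamp, e.g. "Sep 18 10:15:02".
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})> "
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*) " + re.escape(MARK) + r"$"
)

class Event(NamedTuple):
    facility: int
    severity: int
    date: str
    host: str
    msg: str

def parse_line(line: str) -> Optional[Event]:
    """Return the decoded event, or None if the line does not match the template."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid facility/severity pair
        return None
    # The marker is a plain-text tag, not proof of origin: any sender that
    # can reach the listening port can append it.
    return Event(pri >> 3, pri & 7, m.group("date"), m.group("host"), m.group("msg"))

def split_frames(buffer: bytes):
    """Split a TCP receive buffer on the template's trailing newline.

    Returns (complete_lines, remainder); keep the remainder until more bytes arrive.
    """
    *lines, rest = buffer.split(b"\n")
    return [ln.decode("utf-8", "replace") for ln in lines], rest

if __name__ == "__main__":
    # Constructed sample: one marked line, one unmarked line, one partial line.
    sample = (b"<38> Sep 18 10:15:02 sles10 sshd[412]: session opened MyMark\n"
              b"<13> Sep  8 10:15:03 sles10 no marker here\n"
              b"<30> Sep 18 10:1")
    lines, rest = split_frames(sample)
    for line in lines:
        print(parse_line(line))
    print("pending bytes:", rest)
```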

Comments

  • Pardeep Kumar over 1 year

    I'm using syslog-ng 1.6.8 on SLES 10. From this machine, I need to forward all events to the remote host 10.30.38.115. But first I have to change the messages a little bit, adding "MyMark" prefix to the end of the event. I tried the following:

    source src {
           internal();
           unix-dgram("/dev/log");
    };
    
    
    destination editredirect { udp("10.30.38.115" port(514) template("<$PRI> $DATE $HOST $MSG MyMark\n") ); };
    
    log { source(src); destination(editredirect); };
    

    But it doesn't work. On the remote host, I don't receive these messages at all. Truth be told, I don't receive them even if I remove the template. The remote host is configured to accept incoming messages and it really does.

    So, my question is how to tune syslog-ng.conf so that I could change messages before sending them to the remote host.

    Update: solved

    Here is how redirection is now organized:

    Remote machine:

    source src {
            #
            # include internal syslog-ng messages
            # note: the internal() source is required!
            #
            internal();
    
            #
            # the default log socket for local logging:
            #
            unix-dgram("/dev/log");
    
            #
            # uncomment to process log messages from network:
            #
            udp(ip("0.0.0.0") port(514));
            tcp(ip("0.0.0.0") port(1470));
    };
    

    Local machine:

    source src {
            #
            # include internal syslog-ng messages
            # note: the internal() source is required!
            #
            internal();
    
            #
            # the following line will be replaced by the
            # socket list generated by SuSEconfig using
            # variables from /etc/sysconfig/syslog:
            #
            #unix-dgram("/dev/log");
            unix-stream("/dev/log");
    
            #
            # uncomment to process log messages from network:
            #
            #udp(ip("0.0.0.0") port(514));
    };
    
    
    # send every message to the remote host over TCP, with MyMark appended by the template
    destination editredirect { tcp("10.30.38.115" port(1470) template("<$PRI> $DATE $HOST $MSG MyMark\n")); };
    log { source(src); destination(editredirect); };
    
    • m0ntassar about 12 years
      unix-dgram is used for BSDs; use unix-stream instead. Also, check this out: oreilly.com/pub/h/1366. It may contain answers for you.
    • Pardeep Kumar about 12 years
      m0ntassar, thanks. Actually, it didn't help. I still have the same error on the local machine: Connection broken to AF_INET(10.30.38.115:514), reopening in 60 seconds
    • Khaled about 12 years
      @user54614: Instead of updating your question, you can answer your question and accept it.