
This one is driving me a bit crazy. How do I route a message from nxlog received by syslog-ng based on the program name? It should be self-explanatory but it isn't working correctly. The messages are dropped into my general log file for syslog-ng without the filtering applied.

I'm sending IIS logs like this with nxlog:

<Input W3SVC>
    Module im_file
    ...
    Exec $SourceName = 'IIS';
    ...
</Input>
<Route W3SVC>
    Path W3SVC => IIS_Syslog
</Route>
<Output IIS_Syslog>
    Module om_udp
    Host xxx
    Port xxx
    Exec to_syslog_ietf();
</Output>

Which sends to a syslog-ng server which should catch with the following filter.

filter f_iis {
    source ('IIS'); 
};

or alternatively I've tried the following.

filter f_iis {
    program ('IIS'); 
};
Tim Brigham
  • Hi, can you post what a message that syslog-ng receives looks like? Also, how do you transfer the message from nxlog to syslog-ng? RFC3164 or 5428? – Robert Fekete Jan 31 '17 at 07:58

1 Answer


If you are shipping it as plain syslog (i.e. using to_syslog_bsd() in nxlog.conf) then the value of $SourceName (=IIS) will be in the message in the part that RFC3164 calls TAG:

The value in the TAG field will be the name of the program or
process that generated the message.

Syslog-ng calls this program, so I believe the second one should do what you need:

filter f_iis {
    program ('IIS');
};
b0ti
  • Thanks b0ti. I just came to the same realization. I was using the to_syslog_ietf() option and was always getting a '1' for the program name value. – Tim Brigham Jan 30 '17 at 20:31
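An added example, not part of the question or answer above: a simplified Python model of the two header shapes nxlog can emit for $SourceName = 'IIS' (to_syslog_bsd() puts it in the RFC 3164 TAG, to_syslog_ietf() in the RFC 5424 APP-NAME) and of what a legacy RFC 3164 parse makes of an RFC 5424 line. The sample lines, the regexes and the fallback rule are constructed here and are not syslog-ng's own parser; the fallback is an assumption chosen to reproduce the '1' reported in the last comment.

```python
import re

# Constructed sample lines (not captured from the poster's systems), both carrying
# $SourceName = 'IIS' where nxlog's two formatters would place it.
BSD_MSG = "<134>Jan 30 20:31:00 webhost IIS: 2017-01-30 20:31:00 GET /index.html 200"
IETF_MSG = ("<134>1 2017-01-30T20:31:00.000Z webhost IIS - - - "
            "2017-01-30 20:31:00 GET /index.html 200")

# RFC 3164 shape: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)

# RFC 5424 shape: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

def program_bsd(line):
    """Program name a simplified RFC 3164 parse assigns to the line.

    Simplification (assumption, not syslog-ng's code): when no BSD timestamp
    follows <PRI>, the first token is taken as the TAG. For an RFC 5424 line that
    token is the VERSION digit, which reproduces the '1' seen in the comment above.
    """
    m = _BSD_RE.match(line)
    if m:
        return m.group("tag")
    m = re.match(r"^<\d{1,3}>(?P<tag>[^\s:\[]+)", line)
    return m.group("tag") if m else None

def program_ietf(line):
    """Program name (APP-NAME) an RFC 5424 parse assigns to the line, or None."""
    m = _IETF_RE.match(line)
    return m.group("app") if m else None

def f_iis_matches(line, rfc5424_source):
    """Emulates `filter f_iis { program('IIS'); };` for a line parsed either as
    RFC 5424 (rfc5424_source=True) or as legacy RFC 3164 (rfc5424_source=False)."""
    prog = program_ietf(line) if rfc5424_source else program_bsd(line)
    return prog == "IIS"

if __name__ == "__main__":
    print(program_bsd(BSD_MSG), program_bsd(IETF_MSG), program_ietf(IETF_MSG))
```

The practical check is the third case: an RFC 5424 line run through the legacy parse never matches program('IIS'), so the source driver on the syslog-ng side has to agree with the nxlog formatter.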