Set a Macro before sending log over network with syslog-ng

Question

I have created a syslog server and client. I want to set client serial number in SOURCE macro in all logs being sent to server so that on server side I can retrieve the macro and can create the log file based on client serial number. Following is my rewrite rule:

rewrite set_host{
    set("DEVICE_SERIAL_NO", value("SOURCE"));

};

log { source(s_src); rewrite(set_host); destination(d_net); };

On server side I have written following configuration for log file:

destination d_host-specific {
    file("/var/log/testlogs/$SOURCE/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log");

};

But on server side I get value of $SOURCE as s_net. Seems like SOURCE macro is over-written on server side. How to sustain a macro from client to server and use it on server side?

MrAnno · Accepted Answer · 2019-11-21T07:21:03.000

1

$SOURCE is a local value, it is not forwarded to the server by default. Every destination has an on-wire format, for example, the network() source/destination uses the BSD (RFC 3164) or IETF (RFC 5424) syslog protocol. The default template of these protocols contains $PROGRAM, $MSG, $HOST, $ISODATE, etc., but $SOURCE is not a standard field.

You have multiple options:

You can specify a destination template() manually and then parse the message on the server side. This can be done, for example, in JSON format ($(format-json) and json-parser()).
You can use the structured-data section of a RFC 5424 syslog message:

# client

rewrite set_host {
  set("DEVICE_SERIAL_NO", value(".SDATA.example@32473.SOURCE"));
};

destination d_net {
  syslog("server.address");
};

# server

source s_net {
  syslog();
};

destination d_host_specific {
  file("/var/log/testlogs/${.SDATA.example@32473.SOURCE}/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log");
};

The syslog() and the network(flags(syslog-protocol)) destinations forward messages using the IETF syslog protocol. All subkeys under .SDATA will be serialized automatically into the forwarded message.

syslog-ng >= v3.17 has a dedicated source/destination plugin that transfers messages "in whole" between syslog-ng instances (containing all name-value pairs) in a special format. Both the source and destination objects are called ewmm() (enterprise wide message model).
As an alternative, you can use $HOST with (keep-hostname(yes) on the server side), which is part of the message header.

edited Nov 21 '19 at 07:21

answered Nov 15 '19 at 23:54

MrAnno

210
1
7

I tried setting HOST parameter too. It gets changed when I receive the message on server. – Darshan Prajapati Nov 18 '19 at 17:29
Also, the solution provided above didn't work. I am using syslog-ng 3.13. – Darshan Prajapati Nov 18 '19 at 17:53
If you want to keep the original hostname, set `keep-hostname(yes)` in the server config. – MrAnno Nov 18 '19 at 20:53
What do you mean by "didn't work"? – MrAnno Nov 18 '19 at 20:55
By "didn't work" I mean that on server side I get .SDATA.example@32473.SOURCE as empty. – Darshan Prajapati Nov 18 '19 at 22:30
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/101206/discussion-between-mranno-and-darshan-prajapati). – MrAnno Nov 18 '19 at 22:56
Having keep-hostname(yes) on server side and setting HOST on client side it worked. @MrAnno just change the answer with this and I will mark it as accepted answer. – Darshan Prajapati Nov 20 '19 at 22:32

Set a Macro before sending log over network with syslog-ng

1 Answers1