Pot Of Syslog-NG Tricks Version 2

Correcting bad or duplicate time and date stamps

Trying to accept logs from applications or devices into syslog-ng, but end up seeing two date and time fields in the resulting log coming out of syslog-ng?  This happens because syslog-ng is not able to parse the format the incoming date and time stamp arrives in, so it treats the original stamp as part of the message text and adds its own stamp in front of it.  Here’s an easy way to fix that problem.  Use a template so that only the “message” part of the incoming log is written out:

source s_net { udp(); };
destination d_file { file("/var/log/application.log" template("$MSG\n")); };
log { source(s_net); destination(d_file); };

Including the facility and priority of a message in syslog-ng output

To add the written form of the facility and priority to logs coming out of syslog-ng, such as “local1:info”, use the following template.

destination d_file {
    file("/var/log/messages"
        template("$FACILITY:$PRIORITY $MSG\n")
        template_escape(no));
};

Alternatively, to add the numeric priority value (the combined facility and severity number from the syslog header), use this:

destination d_file {
    file("/var/log/messages"
        template("$PRI $MSG\n")
        template_escape(no));
};

$FACILITY and $PRIORITY produce the written name of the facility and priority, respectively.  The $PRI macro produces the derived number that encodes both the facility and the priority (facility multiplied by 8, plus the severity).  To get the separate numeric values of the facility and priority, use the $FACILITY_NUM and $LEVEL_NUM macros.
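To make the relationship between these macros concrete, here is an added Python example (not code from the original post and not part of syslog-ng) that decodes the PRI value of a raw syslog line into the same fields and expands a template like the ones above.  The facility and severity names, the regular expression and the sample line are this example's own assumptions; $MSG here is simply everything after the PRI, which is also what syslog-ng ends up with when it cannot parse the timestamp (the duplicate-timestamp symptom from the first section).

```python
# Added example: decode syslog PRI the way syslog-ng's macros expose it.
import re
from typing import Dict, Tuple

# Facility / severity names as syslog-ng prints them via $FACILITY and $PRIORITY
# (assumed table: common RFC 3164 facilities plus local0-local7).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" header followed by the rest of the datagram (constructed pattern).
_LINE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a numeric PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def parse(line: str) -> Dict[str, str]:
    """Build the macro values $PRI, $FACILITY, $FACILITY_NUM, $PRIORITY, $LEVEL_NUM, $MSG."""
    m = _LINE.match(line)
    if not m:
        # No PRI at all: RFC 3164 says to assume user.notice (PRI 13) and keep the line whole.
        fac, sev, msg = 1, 5, line
    else:
        fac, sev = decode_pri(int(m.group(1)))
        msg = m.group(2)   # simplified: real syslog-ng also strips a recognised timestamp/host
    return {"PRI": str(fac * 8 + sev),
            "FACILITY": FACILITIES.get(fac, f"facility{fac}"),
            "FACILITY_NUM": str(fac),
            "PRIORITY": SEVERITIES[sev],
            "LEVEL_NUM": str(sev),
            "MSG": msg}


def render(template: str, macros: Dict[str, str]) -> str:
    """Expand $NAME macros in a template string, as the file() templates above do."""
    return re.sub(r"\$([A-Z_]+)", lambda mm: macros.get(mm.group(1), ""), template)


if __name__ == "__main__":
    sample = "<142>Jan  5 10:00:00 host app: hello"   # constructed local1.info message
    print(render("$FACILITY:$PRIORITY $MSG", parse(sample)))
```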

Configuring syslog-ng as a relay

Syslog-ng is pretty straightforward to configure as a relay: receive on one network source and forward to a network destination.

source s_net { udp(); };
destination d_net { udp("192.168.0.1" port(514)); };
log { source(s_net); destination(d_net); };