[Newbie] How to have Syslog-NG Forward the logs it received to another Log Server

What I have: 

1. Syslog-NG on Centos 7.9

syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Dec 30 2015 19:57:24
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

2. Syslog Watcher as my Remote Log Server

3. Configuration:

source from_switch {
   network(
      ip(0.0.0.0)
      port(1515)
      transport("udp")
      flags(no-parse)
   );
};

destination collector {
   network(
      "192.168.168.151"
      port(1515)
      transport("udp")
      ip-protocol(4)
      template("${MESSAGE}")
   );
};

log {
   source(from_switch);
   destination(collector);
};

My Reference: https://www.oneidentity.com/community/syslog-ng-premium-edition/f/forum/30806/forward-the-original-raw-message-to-a-siem-system/74896#74896

Issue/Concern:
I can confirm syslog-ng received the logs from the switch, but the issue is in the forwarding of data going to my Remote Log Server.

Goal: I want to have the logs received in my Syslog-NG server not only be written to a file within the Syslog-NG server (this is the default) but also be sent to a Remote Log Server at the same time in syslog (this is what I want in parallel).

  • Good morning,

    So a couple of things you will want to change. Since you are using the network() driver in the source, you will want to add the flags(store-raw-message) option to the source and the template("${RAWMSG}\n") in the destination to send the raw message that was accepted.

    Additionally, you will want to add a second local destination to the configuration, ensuring it is listed in the statements within the log{} at the end of the configuration.

    Below you can find an example of how you may want to re-write your configuration file. Please note, you will need a license for Syslog-ng PE in order to store logs locally. When running without a license, only internal (local) and system logs can be written to the local disk.

    source from_switch {
    	network(
    		port(1515)
    		transport("udp")
    		flags(no-parse, store-raw-message)
    	);
    };
    
    destination collector {
    	network(
    		"192.168.168.151"
    		port(1515)
    		transport("udp")
    		ip-protocol(4)
    		template("${RAWMSG}\n")
    	);
    };
    
    destination local {
    	file(
    		"/path/to/location/local.logs"
    		create-dirs(yes)
    	);
    };
    
    log {
    	source(from_switch);
    	destination(local);
    	destination(collector);
    };

    If you have any other questions whatsoever please do not hesitate to reply as we would be more than happy to assist further!

    Best Regards,
    Justin VanAusdall
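A small check for the relay configuration discussed above, added here as an example (not the asker's or Justin's code): it sends a constructed test line to the syslog-ng UDP source and listens where the remote log server would, then classifies whether the forwarded datagram is the raw message byte for byte (plus the "\n" that template("${RAWMSG}\n") appends). The relay address, the listen port being free on the remote side, and the PRI value are assumptions.

```python
"""Forwarding check for a syslog-ng UDP relay (added example, not from the page).
Run it on the remote log server host while its own listener on the test port
is stopped, or point LISTEN at a spare port and the collector at that port."""
import socket
import time
from typing import Optional

RELAY = ("192.168.168.150", 1515)   # assumption: syslog-ng host and its port(1515) source
LISTEN = ("0.0.0.0", 1515)          # assumption: free UDP port on the remote log server


def build_test_message(tag: str = "fwdcheck") -> bytes:
    """Constructed RFC 3164-style line, shaped like a switch log. PRI 134 = local0.info."""
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<134>{stamp} switch1 {tag}: relay forwarding check".encode()


def check_forwarded(sent: bytes, received: Optional[bytes]) -> dict:
    """Classify what the remote side saw.
    intact    : raw line arrived unchanged (one trailing newline from the template)
    missing   : nothing arrived within the timeout (log{} path, binding or firewall)
    rewritten : syslog-ng re-rendered the message, e.g. a template that drops the
                PRI/header, so the remote server cannot parse it as the original."""
    if received is None:
        return {"status": "missing", "reason": "nothing reached the listener"}
    if received.rstrip(b"\n") == sent:
        return {"status": "intact", "reason": "raw message forwarded unchanged"}
    lost_pri = sent.startswith(b"<") and not received.startswith(b"<")
    return {"status": "rewritten", "pri_header_lost": lost_pri, "received": received}


def run_check(relay=RELAY, listen=LISTEN, timeout: float = 5.0) -> dict:
    """Send one test message to the relay and wait for the forwarded copy."""
    msg = build_test_message()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(listen)            # stand in for the remote log server
        rx.settimeout(timeout)
        tx.sendto(msg, relay)      # stand in for the switch
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            data = None
    return check_forwarded(msg, data)


if __name__ == "__main__":
    print(run_check())
```

A "rewritten" result with pri_header_lost set is the symptom to look for when the destination template does not reproduce the original line.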
