
List:       syslog-ng
Subject:    Re: [syslog-ng] Syslog-ng + graylog2 destination
From:       Fabien Wernli <wernli () in2p3 ! fr>
Date:       2019-10-14 14:00:28
Message-ID: 20191014140028.GI6202 () ccfawe ! in2p3 ! fr

On Mon, Oct 14, 2019 at 03:50:42PM +0200, László Pál wrote:
> Thank you. It seems this workaround has improved the situation a bit, however I
> still can see the reset logs from Graylog, so some other things must be wrong. The
> problem is I have no idea how to figure out which of my message sources are sending
> improper messages. These are mostly routers, but some of the firewalls (ASA) also
> send logs to central syslog.
> It seems GELF is very sensitive, so maybe in this case it is better if I simply use
> syslog or json towards Graylog

It's already what happens behind the scenes, as graylog2() is just an SCL wrapper of
network(). You could experiment with other templates by overriding the default. Here's an
example that sets default values for all macros (in case they're absent):

     destination d_graylog_gelf {
       graylog2(
         log_fifo_size(500000)
         host("10.72.0.137")
         transport (tcp)
         template("$(format-json version='1.1' host='${HOST:-none}' short_message='${MSG:-none}' level=int(${LEVEL_NUM:-0}) timestamp=int64(${R_UNIXTIME:-0}) _program='${PROGRAM:-none}' _pid=int(${PID:-0}) _facility='${FACILITY:-none}' _class='${.classifier.class:-none}' --key .* --key _*)$(binary 0x00)")
       );
     };

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
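
Added example (not part of the original message or of syslog-ng): one way to find which sources emit non-conforming messages is to capture the null-delimited GELF TCP stream and check each frame against the GELF 1.1 field rules, including the empty or absent fields that the defaults in the template above guard against. The function names and sample frames are constructed for illustration; the input is assumed to be the raw bytes of the connection.

```python
import json

REQUIRED = ("version", "host", "short_message")            # mandatory in GELF 1.1
STANDARD = set(REQUIRED) | {"full_message", "timestamp", "level"}
def is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)  # bool is an int subclass

def check_gelf(frame):
    """Return (host, problems) for one GELF payload; an empty list means it conforms."""
    try:
        msg = json.loads(frame.decode("utf-8"))
    except ValueError:                     # covers UnicodeDecodeError and JSONDecodeError
        return None, ["not valid UTF-8 JSON"]
    if not isinstance(msg, dict):
        return None, ["payload is not a JSON object"]
    problems = []
    for key in REQUIRED:
        if not isinstance(msg.get(key), str) or not msg[key]:
            problems.append(f"{key}: missing, empty or not a string")
    if "level" in msg and not (is_number(msg["level"]) and 0 <= msg["level"] <= 7):
        problems.append("level: not a syslog severity 0-7")
    if "timestamp" in msg and not is_number(msg["timestamp"]):
        problems.append("timestamp: not a number")
    for key, value in msg.items():
        if key in STANDARD:
            continue
        if key == "_id" or not key.startswith("_"):
            problems.append(f"{key}: not a valid additional field name")
        elif not (isinstance(value, str) or is_number(value)):
            problems.append(f"{key}: value is not a string or number")
    return msg.get("host"), problems

def scan(stream):
    """Split a GELF TCP stream on 0x00; return (index, host, problems) for bad frames."""
    frames = [f for f in stream.split(b"\x00") if f]
    checked = [(i, *check_gelf(f)) for i, f in enumerate(frames)]
    return [entry for entry in checked if entry[2]]

# Constructed sample stream: one conforming frame, then three defective ones.
SAMPLE = b"\x00".join([
    b'{"version":"1.1","host":"rtr1","short_message":"link up","level":5,"timestamp":1571061628,"_program":"none"}',
    b'{"version":"1.1","host":"asa1","short_message":"","level":6}',
    b'{"version":"1.1","host":"rtr2","short_message":"x","level":"6","_id":"1"}',
    b'{"version":"1.1","host":"asa2","short_message":"\xff"}',
]) + b"\x00"

if __name__ == "__main__":
    for index, host, problems in scan(SAMPLE):
        print(index, host, problems)
```

Frames that fail to decode are reported with host `None`, so they have to be traced back to a sender by their position in the capture.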

