I'm currently using nxlog to filter and forward syslog: source => filter logs on an intermediate server with nxlog installed => forward over UDP 514 (syslog).
Config looks like the following:
<Extension _syslog>
    Module      xm_syslog
</Extension>

# syslog to Nxlog01
<Input _sys_in>
    Module      im_udp
    Port        514
    <Exec>
        if (($Message =~ /REGEX/)
            or ($Message =~ /REGEX/))
            drop();
    </Exec>
    Exec        if $MessageSourceAddress != "1.1.1.1" drop();
</Input>

<Processor _sys_norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message, SourceName
</Processor>

# Syslog output to DST server
<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>
Firstly is this possible with the CE agent?
I already performed a tcpdump on the intermediate server where nxlog is installed and I can see the syslog being received, but nothing is sent after filtering. There is UDP 514 connectivity between the nxlog server and the destination server.
I tried:
Removing all regex filtering (since I thought my regex wasn't good enough), no results.
Changing im_udp to im_tcp (I thought maybe you can't use the same port in both input and output modules).
Checking whether there actually is network connectivity between the nxlog server and the destination server, using nc to send a UDP 514 packet to the destination server.
Can anyone help with this?
Comments (1)
Thanks for the heads up, you put me on the right track.
With parse_syslog(); it wasn't working either, so I specified the syslog format by using parse_syslog_bsd();
and it finally worked!!
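The configuration below is an added example showing the question's pipeline with the fix the comment describes applied; it is not the poster's final config. The point it illustrates: im_udp only stores the received datagram in $raw_event, and fields such as $Message, $Hostname and $SourceName are populated by parse_syslog_bsd() (or parse_syslog()) from the xm_syslog extension. The regex filter, the pm_norepeat CheckFields list and to_syslog_bsd() all operate on those fields, so the parse call has to run first in the input's Exec block. The values 1.1.1.1, dstserver_ip and the two REGEX patterns are the placeholders from the original post; the explicit Host 0.0.0.0 bind on the input is an addition of this example, not something the post contains.

```nxlog
<Extension _syslog>
    Module      xm_syslog
</Extension>

# Listener on the intermediate nxlog host
<Input _sys_in>
    Module      im_udp
    # Bind explicitly to all interfaces instead of relying on the module default
    # (added in this example; the original post did not set Host)
    Host        0.0.0.0
    Port        514
    <Exec>
        # Populate $Message, $Hostname, $SourceName, $SyslogFacilityValue, etc.
        # from $raw_event. Without this call the filters below and
        # pm_norepeat's CheckFields see undefined fields.
        parse_syslog_bsd();

        # Only forward events from the expected source (1.1.1.1 is the
        # placeholder address from the question); everything else is dropped.
        if $MessageSourceAddress != "1.1.1.1" drop();

        # Drop noisy messages by pattern (REGEX placeholders as in the question)
        if (($Message =~ /REGEX/)
            or ($Message =~ /REGEX/))
            drop();
    </Exec>
</Input>

# Suppress consecutive duplicates, compared on the parsed fields
<Processor _sys_norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message, SourceName
</Processor>

# Re-serialise the parsed fields as BSD syslog and forward to the destination
<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>
```

To check the path end to end without waiting for a real source, send one constructed BSD-format message to the intermediate host from the allowed source address, for example `printf '<13>Jan  1 12:00:00 testhost testapp: forwarding check\n' | nc -u -w1 <nxlog_ip> 514`, and run tcpdump on the destination side for UDP 514; a message sent from any other address should not appear there, which confirms the $MessageSourceAddress filter is active as well.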