I'm setting up syslog-ng (version 3.24.1), and I need it to handle the logs created by dibbler. The idea is to parse them and send them to a remote syslog server, where they can be filtered.
This is for an embedded system running Linux. I can't use Python or the Python parser.
This is my configuration:
@version: 3.24
options { chain_hostnames(off); flush_lines(0); use_dns(no); dns-cache(no); use_fqdn(no);
          owner(root); create-dirs(yes); perm(0640); stats_freq(0);
          keep-timestamp(yes); threaded(yes); };

source s_dibbler {
    channel {
        # Read every *.log file under /var/log/dibbler/; no-parse leaves the whole line in ${MESSAGE}
        source {
            wildcard-file(
                base-dir("/var/log/dibbler/")
                filename-pattern("*.log")
                flags(no-parse)
                default-facility(daemon)
            );
        };
        # Split the line on spaces; greedy puts the rest of the line into the last column
        parser {
            csv-parser(
                columns("dibbler.date", "dibbler.time", "PROGRAM", "PRIORITY", "MESSAGE")
                delimiters(" ")
                flags(greedy, strip-whitespace)
            );
        };
        # Prefix the program name, e.g. dibbler-Server
        rewrite {
            set("dibbler-${PROGRAM}", value("PROGRAM"));
        };
        # Parse the dibbler date and time columns into the timestamp selected by time-stamp()
        parser {
            date-parser (
                format("%Y.%m.%d %H:%M:%S")
                template("${dibbler.date} ${dibbler.time}")
                flags(guess-timezone)
                time-stamp(recvd)
            );
        };
    };
};

# Forward the parsed messages to the remote syslog server
destination remote_server { syslog("xxx.xxx.xxx.xxx" transport("udp") port(4514) ); };
log { source(s_dibbler); destination(remote_server); };

# Temporary local test output showing ${LEVEL} and ${MESSAGE}
template t_test_file { template(" \"${LEVEL}\" \n${MESSAGE}\n"); };
destination d_test_file { file("/var/log/test" template(t_test_file) ); };
log { source(s_dibbler); destination(d_test_file); };
This is a typical dibbler message:
2023.12.03 20:51:39 Server Notice Parsing /etc/dibbler/server.conf config file...
2023.12.03 20:51:39 Server Error Unable to bind socket (iface=brlan0/35, addr=ff02::1:2, port=547).
2023.12.03 20:51:39 Server Error Low-level layer error message: Unable to bind socket: Address already in use
2023.12.03 20:51:39 Server Critical Proper socket creation failed.
2023.12.03 20:51:39 Server Critical Fatal error during TransMgr initialization.
Using the config I posted and with the example dibbler log I'm receiving:
Dec 3 20:51:39 <host> - NOTICE dibbler-Server[-] - Parsing /etc/dibbler/server.conf config file...
Dec 3 20:51:39 <host> - NOTICE dibbler-Server[-] - Unable to bind socket (iface=brlan0/35, addr=ff02::1:2, port=547).
Dec 3 20:51:39 <host> - NOTICE dibbler-Server[-] - Low-level layer error message: Unable to bind socket: Address already in use
Dec 3 20:51:39 <host> - NOTICE dibbler-Server[-] - Proper socket creation failed.
Dec 3 20:51:39 <host> - NOTICE dibbler-Server[-] - Fatal error during TransMgr initialization.
On the "/var/log/test" (a temporary test output):
"notice"
Parsing /etc/dibbler/server.conf config file...
"notice"
Unable to bind socket (iface=brlan0/35, addr=ff02::1:2, port=547).
"notice"
Low-level layer error message: Unable to bind socket: Address already in use
"notice"
Proper socket creation failed.
"notice"
Fatal error during TransMgr initialization.
The LEVEL/PRIORITY (tried both) is not being set. (The manual says that hard macros can't be set, but the config is valid, and I'm missing the point of syslog-ng if a user can write custom parsers but can't change important variables like this.)
I'm also pretty sure that the log timestamp is wrong. But right now that is a minor thing.
PS. The server is running rsyslog, with the following template:
template(name="FileFormat" type="list") {
    property(name="timereported" dateFormat="rfc3164" position.from="1" position.to="23")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="structured-data") #position.from="33" position.to="-1")
    constant(value=" ")
    #property(name="syslogfacility-text")
    #constant(value=" ")
    property(name="syslogseverity-text" caseConversion="upper")
    constant(value=" ")
    property(name="app-name")
    constant(value="[")
    property(name="procid")
    constant(value="] ")
    property(name="msgid")
    constant(value=" ")
    property(name="msg")
    constant(value=" ")
    constant(value="\n")
}