syslog-ng

Configure syslog-ng server to truncate messages relayed to only 1 destination out of multiple destinations


My existing syslog-ng PE 5 (yes, old) server uses multiple log statements to both write all logs locally, and also to relay some messages to external log scanning services in our enterprise.

The operator of one of these external relay destinations has requested we truncate each log message relayed to them down to a specific maximum length.

I don't want to reduce the global value for message length. I only want to limit the size sent to this one destination.

I assume this will be a switch or flag in a log statement. I've looked at the docs for rewriting rules and see nothing obvious.

How have you solved this issue?


Solution

  • While it's not as simple as setting a flag, I can think of 3-4 possible solutions. Not all of them work with PE 5 though.

    If you are willing to upgrade:

    1. Newer syslog-ng versions (PE 7 / OSE 3.1x) have the substr() template function that does exactly what you need, so you could use it in the template of the destination that sends the logs to the scanner.
    2. If you install a recent syslog-ng version (PE 7.12+ / OSE 3.15+) and you need more elaborate processing, you can write a custom template function in Python to slice and dice the messages.

    If you want to stick to old versions:

    1. Since you are already writing the log messages into a file, you can create a new file source in syslog-ng, read back the messages from the file, and set the log-msg-size() option of that source to the limit where you want to truncate the messages (IIRC, syslog-ng will truncate the message and discard the excess, but you have to test that it doesn't create a second message from the truncated part). The problem with this solution is IIRC that the file source in PE 5 cannot follow multiple files, so if you use date macros or similar in the file/directory names, that's a problem. PE 6+ and newer OSE versions can use wildcards in the file sources.
    2. If all else fails, you can try to use the program destination to write a script that handles the messages somehow.

    Personally, I'd recommend some kind of upgrade (PE 5 is ancient and EOL). If you cannot upgrade to a recent PE version, the easiest solution might be to install an OSE relay, so your PE 5 server sends the logs to OSE, which can use the substr() template function to truncate the messages and send them over to your log scanner.

    HTH, Robert
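The OSE relay layout Robert suggests, written out as an added example configuration (not from the original post or from the syslog-ng project); the host names, ports, file path and the 1024-character limit are assumed placeholders, and the truncated template only applies to the scanner destination, so the local archive still receives the full message.

```conf
@version: 3.15
# Added example: an OSE relay that receives from the PE 5 server,
# archives everything untouched, and forwards a truncated copy
# to the scanner. All names, ports and the limit are assumptions.

# Messages relayed from the PE 5 server (address/port assumed).
source s_from_pe5 {
    syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

# Local archive: default template, message length untouched.
destination d_local_archive {
    file("/var/log/relay/all.log");
};

# Scanner destination: $(substr "<string>" <offset> <length>) keeps the
# first 1024 characters of ${MESSAGE}. The RFC 5424 header is rebuilt
# around it, so only the message body is shortened, not the metadata.
# Inner quotes are escaped because the template is a double-quoted string.
destination d_scanner {
    syslog("scanner.example.com" port(514) transport("tcp")
        template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} - $(substr \"${MESSAGE}\" 0 1024)\n")
    );
};

# One source, two destinations: full copy locally, truncated copy out.
log {
    source(s_from_pe5);
    destination(d_local_archive);
    destination(d_scanner);
};
```

Check the result with `syslog-ng -s` before reloading and, as the answer notes for log-msg-size(), confirm on the scanner side that a long test message arrives as one shortened record rather than two.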