    IronMail and Syslog / Rsyslog


      Has anyone implemented Syslog from their IronMail appliance to Rsyslog over TCP?  We receive several Syslog feeds to the same Linux box and are looking for a way to easily identify something in the logs that can be used in the content-based filtering that Rsyslog provides in order to separate the IM log from other feeds.  I'm just looking for ideas from anyone else that has implemented this.  Thanks!

        • 1. Re: IronMail and Syslog / Rsyslog

          Hi RunCMD,


          Some days ago I enabled Syslog, but through UDP. If you want to receive TCP syslog connections on your server, you need to enable TCP connections in your syslog.conf file.


          Why do you want to use TCP connections?


          To alert on specific messages, I'm using syslog-ng with a specific destination for matching messages. But I'm currently testing the 8pussy.org Syslog frontend...

          • 2. Re: IronMail and Syslog / Rsyslog

            Hi psi,

            Thanks for the response.  When you enable Syslog, you lose the ability to maintain the Summary Log on the appliance.  Because UDP is considered an unreliable protocol, we'd prefer to use TCP.  The problem is not receiving the logs--we are able to get them to Rsyslog.  The problem is that, because we are receiving syslogs from multiple hosts, we are trying to use Rsyslog to separate IronMail's from the others.  Our other feeds include the system name or a unique identifier in each log entry.

            • 3. Re: IronMail and Syslog / Rsyslog

              I'm not an rsyslog specialist, but with a quick look in the wiki doc I found the default format:


              $template SyslFormat,"%timegenerated% [WJCG]-%HOSTNAME% %syslogtag%%msg:::space$

              Does your rsyslog server resolve the IP addresses of your appliances? I know, maybe it's too simple, but sometimes... we are not looking in the right direction.

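              One way to do the separation described in posts 2 and 3 inside rsyslog itself, using the sender's IP rather than anything in the message text, so it works even when the appliance does not put its name in each entry and even when reverse DNS is unavailable. This is an added example, not configuration from the original thread; the listening port, the appliance address 192.0.2.10 and the file paths are assumed placeholders (RainerScript syntax, rsyslog v7 or later).

```rsyslog
# Added example: accept syslog over TCP and route one appliance's feed by source IP.
module(load="imtcp")
input(type="imtcp" port="514")

# $fromhost-ip is the peer address of the TCP connection, so the filter does not
# depend on the HOSTNAME field in the message or on DNS resolution.
# (Use $fromhost instead if you want the resolved name and net.enableDNS is on.)
if $fromhost-ip == "192.0.2.10" then {
    action(type="omfile" file="/var/log/ironmail.log")
    # "stop" keeps these lines out of the catch-all rules that follow.
    stop
}

# Everything else from the remaining feeds lands in the shared file.
action(type="omfile" file="/var/log/remote.log")
```

              Rule order matters: the IronMail block must appear before the catch-all action, otherwise the appliance's lines are written to both files.
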
              • 4. Re: IronMail and Syslog / Rsyslog

                psi:  I just wanted to post a quick follow up to say thanks for the responses.  A coworker of mine has been working on this issue and my understanding is that he came up with a workaround by accepting the raw Syslog feeds and then using another utility to perform the data extraction or parse of the log (outside of Rsyslog).  I'm a little fuzzy on the details right now but if I am able to gather additional information on this, I'll post a follow up.  Thanks again!