Selectively forwarding logs using syslog-ng based on source hostnames

This was one of those “we need to tick a checkbox now!” operations. Yes, those. Maybe someone finds it useful. syslog-ng is en excellent tool, but the “kamikaze” syntax just kills me sometimes. That’s of course subjective statement. Nevertheless, here is a way to you get a syslog server to forward logs from specific source hosts to another log destination.

Solarwinds event log forwarder was installed on a bunch of windows servers and configured to forward security events to syslog.example.com - 10.10.10.10, which in turn needs to forward those events onto the final destination - 10.250.250.250. These are relevant parts of syslog-ng.conf:

source s_udp_net { udp(ip(10.10.10.10) port(514)); };

template t_add_IP { template("${DATE} ${HOST} ${SOURCEIP} ${MSGHDR}${MESSAGE}\n"); };
filter f_winsec {
    host("dc-1.example.com") or
    host("dc-2.example.com") or
    host("jh-1.example.com") or
    host("jh-2.example.com") or
    host("jh-3.example.com")
};

destination d_winsec { file ("/var/opt/syslog/winsec.log" perm(0644) template(t_add_IP)); };
log { source (s_udp_net); filter (f_winsec); destination (d_winsec); };
log { source (s_udp_net); filter (f_winsec); destination (d_fort); };
destination d_fort { udp("10.250.250.250" port(514) template(t_add_IP)); };

So what’s going on here? We define source, i.e. messages arriving on syslog.example.com on interface 10.10.10.10. The t_ad_IP template defines how the messages will be received by the final host - 10.250.250.250. Filter f_winsec defines hostnames that will have their logs forwarded to the final destionation - 10.250.250.250. The events in question are saved locally on syslog.example.com and also forwarded on destination d_fort as UDP packets, to port 514 using template t_add_IP.