Selectively forwarding logs using syslog-ng based on source hostnames

This was one of those “we need to tick a checkbox now!” operations. Yes, those. Maybe someone finds it useful. syslog-ng is en excellent tool, but the “kamikaze” syntax just kills me sometimes. That’s of course subjective statement. Nevertheless, here is a way to you get a syslog server to forward logs from specific source hosts to another log destination.

Solarwinds event log forwarder was installed on a bunch of windows servers and configured to forward security events to -, which in turn needs to forward those events onto the final destination - These are relevant parts of syslog-ng.conf:

source s_udp_net { udp(ip( port(514)); };

template t_add_IP { template("${DATE} ${HOST} ${SOURCEIP} ${MSGHDR}${MESSAGE}\n"); };
filter f_winsec {
    host("") or
    host("") or
    host("") or
    host("") or

destination d_winsec { file ("/var/opt/syslog/winsec.log" perm(0644) template(t_add_IP)); };
log { source (s_udp_net); filter (f_winsec); destination (d_winsec); };
log { source (s_udp_net); filter (f_winsec); destination (d_fort); };
destination d_fort { udp("" port(514) template(t_add_IP)); };

So what’s going on here? We define source, i.e. messages arriving on on interface The t_ad_IP template defines how the messages will be received by the final host - Filter f_winsec defines hostnames that will have their logs forwarded to the final destionation - The events in question are saved locally on and also forwarded on destination d_fort as UDP packets, to port 514 using template t_add_IP.