I have a requirement to use a custom syslog port and can't find any way of doing this using the Event Notification command set?
It is an option with the "cluster log-forward" command set but my understanding is that this is for audit log forwarding, not EMS, so isn't what I'm after (although I'm happy to be wrong)?
I did find this RFE bug from a couple of years ago, but it doesn't give any recent info (last updated Dec 2019) on whether this is still open and progressing:
The solution in this post references a possible internal "hack", so thought I'd chuck this out to see if anyone has that relevant info/workaround to hand? Or if not, an alternative method to achieve what I need?
Have you at least tried the cluster log-forwarding command?
KBs said: "Creating a syslog forwarding destination with TCP or UDP and custom port". It uses the above command.
I saw that the example in the docs states audit log, but there's no other information mentioning it (audit) or anything else.
Regarding the event notification command, did you try to create a destination specifying the port? (event notification destination create -name XYZ -syslog 10.0.0.1:1234)
Yes, it's been tested and cluster log-forwarding only forwards audit logs, not EMS.
"Creating a syslog forwarding destination with TCP or UDP and custom port" - I'm guessing this is just referring to the mechanism/standard being used.
I did try appending the port number (with event notification cmd) and it doesn't like it (& yes, this is a previously tested and working config using default port 514):
"Error: command failed: The value for the field "syslog" is invalid: Unknown host x.x.x.x:5140"
I'd create a case and ask for an update on the RFE bug. You can also go through the account team to help push if this is a major requirement of your business.
You can try these commands, but it's not guaranteed. I found them internally:
event notification destination create -name <name> -syslog host.company.com
event notification create -filter-name no-info-debug-events -destinations <name>
cluster log-forwarding create -destination host.company.com -port 5148 -facility local1
I have logged a case and the response on the RFE status is that it's open but doesn't look like it's going to be implemented.
Do you know what the different syslog facilities are for?
kern user local0 local1 local2 local3 local4 local5 local6 local7
Cluster syslog forwarding: what does each facility represent?
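Added example, not from the thread or from NetApp: the facility chosen with -facility (local1 in the commands above) is encoded into the <PRI> header of every forwarded message as facility * 8 + severity, so a collector on the custom port can decode it to confirm messages are tagged as expected. The sample lines are constructed, not real ONTAP output.

```python
# Added example: decode the RFC 3164 PRI header a syslog receiver sees, so you
# can check which facility (e.g. local1 from cluster log-forwarding -facility)
# a forwarded message was actually tagged with.
import re

# Standard facility codes (RFC 3164 / RFC 5424); ONTAP's -facility names map to these.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    fac_code = {v: k for k, v in FACILITIES.items()}[facility]
    return fac_code * 8 + SEVERITIES.index(severity)

def decode_syslog_line(line: str) -> dict:
    """Split a raw syslog datagram into facility, severity and message body.
    Raises ValueError if the PRI header is missing or out of range."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac_code, sev_code = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(fac_code, "unknown(%d)" % fac_code),
        "severity": SEVERITIES[sev_code],
        "message": m.group(2),
    }

# Constructed sample datagrams (hypothetical, not real ONTAP output): two audit
# lines tagged local1 (info and notice) and one kern/err line from another host.
SAMPLE_LINES = [
    "<142>Jan  1 12:00:00 cluster1 audit: admin:ssh :: logged in",
    "<141>Jan  1 12:00:01 cluster1 audit: admin:ssh :: volume show",
    "<3>Jan  1 12:00:02 otherhost kernel: something failed",
]

def facilities_seen(lines) -> dict:
    """Count messages per facility, so a mis-tagged destination shows up at once."""
    counts: dict = {}
    for line in lines:
        fac = decode_syslog_line(line)["facility"]
        counts[fac] = counts.get(fac, 0) + 1
    return counts
```

Run facilities_seen over a capture from the collector on port 5148 to see whether the forwarded messages carry the facility you configured.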