[syslog-ng] Syslog-ng and OSQUERY

Dwijadas Dey dwijad at gmail.com
Mon Apr 17 14:32:11 UTC 2017


Hi Robert,

You are right, I am trying the same with a named pipe so that OSQUERY consumes
syslogs, as pointed out by Evan. There are plenty of documents showing the same
with rsyslog but not with syslog-ng.

This is my syslog-ng configuration for osquery:

/etc/syslog-ng/conf.d/osquery.conf

source s_osquery {
    # system();
    pipe("/var/osquery/syslog_pipe");
    # unix-stream("/dev/log");
};

#filter osqueryd {
#    program("^osqueryd.*");
#};

destination d_osquery {
    file("/var/log/osquery/osqueryd.results.log"
         template("$(format-json --scope selected_macros --scope nv_pairs)\n"));
};

log {
    source(s_osquery);
    # filter(osqueryd);
    destination(d_osquery);
};

But this does not produce any logs for OSQUERY. I have checked, and the named
pipe has been created.

# ls -l /var/osquery/syslog_pipe
pr--rw---- 1 root adm 0 Apr 14 15:41 /var/osquery/syslog_pipe

But when I try to check what logs are passing through the pipe using the
following command, no message shows up.
# cat /var/osquery/syslog_pipe

I have the correct options set in the OSQUERY configuration file
/etc/osquery/osquery.conf.

..................
..................
"logger_plugin": "syslog",
"enable_syslog": "true",
"syslog_pipe_path": "/var/osquery/syslog_pipe",
..................
..................
I think Evan can point me to the right configuration for syslog-ng (version
3.5.6 on Ubuntu 16).

Regards
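As an added illustration (not part of this thread, and not osquery's or syslog-ng's own code), here is a constructed Python demo of the pipe plumbing the thread is debugging: a FIFO only carries data when one side writes and the other reads, so if osqueryd is the reader on syslog_pipe_path, syslog-ng must be the writer (a pipe() destination), and a pipe() source plus osqueryd gives two readers with nothing to read, which is also why `cat` on the pipe shows nothing. The CSV field order is an assumption taken from the rsyslog template in osquery's syslog docs; check it against your osquery version.

```python
import csv, io, os, tempfile, threading


def format_osquery_line(ts, host, severity, facility, tag, message):
    # Field order copied from the rsyslog template in osquery's syslog docs
    # (assumption: time,host,severity,facility,tag,message); csv quotes any
    # field holding a comma or quote, as rsyslog's csv property option does.
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(
        [ts, host, severity, facility, tag, message])
    return buf.getvalue()


def writer_side(path, lines):
    # What a syslog-ng pipe() *destination* does: open for write (blocks
    # until a reader such as osqueryd opens the FIFO), then push the lines.
    with open(path, "w") as fifo:
        fifo.writelines(lines)


def reader_side(path):
    # What osqueryd does on syslog_pipe_path: read until the writer closes.
    with open(path) as fifo:
        return fifo.readlines()


def with_fifo(fn):
    # Constructed stand-in for /var/osquery/syslog_pipe in a temp dir.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "syslog_pipe")
        os.mkfifo(path)
        return fn(path)


def roundtrip(lines):
    # One writer plus one reader: every line arrives intact.
    def run(path):
        t = threading.Thread(target=writer_side, args=(path, lines))
        t.start()
        got = reader_side(path)
        t.join()
        return got
    return with_fifo(run)


def read_with_no_writer():
    # Two readers and no writer (pipe() as a syslog-ng *source* while osqueryd
    # also reads): a non-blocking read returns b"", and a blocking `cat` waits.
    def run(path):
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        try:
            return os.read(fd, 4096)
        finally:
            os.close(fd)
    return with_fifo(run)
```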



On Mon, Apr 17, 2017 at 6:24 PM, Fekete, Róbert <robert.fekete at balabit.com>
wrote:

> Hi,
>
> It seems that by default, osquery logs JSON messages into a file.
> ( https://osquery.readthedocs.io/en/latest/deployment/logging/ )
> You can use this file in a syslog-ng source, and parse the JSON messages
> with the json parser (note that you need a recent syslog-ng OSE for this),
> see https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/json-parser.html .
>
>
> The above Osquery page mentions that it can send log messages directly to
> syslog (instead of a file), but I haven't found how you can actually
> configure it.
>
> Regards,
>
> Robert
>
> On Fri, Apr 14, 2017 at 9:46 PM, Dwijadas Dey <dwijad at gmail.com> wrote:
>
>> Hi List users,
>>
>> Is it possible to send OSQUERY logs to syslog-ng 3.5? In the OSQUERY docs
>> <https://osquery.readthedocs.io/en/latest/deployment/syslog/> rsyslog
>> is configured to write logs to syslog. Does the same method apply to
>> syslog-ng 3.5?
>>
>> Thanks and regards
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>