<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>.EmailQuote {
        BORDER-LEFT: #800000 2px solid; PADDING-LEFT: 4pt; MARGIN-LEFT: 1pt
}
</style><style title="owaParaStyle"><!--P {
        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
--></style>
</head>
<body ocsi="x">
<div dir="ltr"><font color="#000000" size="2" face="Tahoma">Could the filtering be an issue with the v3.0.8 build and I should be looking at the v.3.1.x builds instead?</font></div>
<div dir="ltr"><font size="2" face="tahoma"></font> </div>
<div dir="ltr"><font size="2" face="tahoma">-- M</font></div>
<div dir="ltr"><font size="2" face="tahoma"></font> </div>
<div style="DIRECTION: ltr" id="divRpF406833">
<hr tabindex="-1">
<font color="#000000" size="2" face="Tahoma"><b>From:</b> syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Matthew Hall [mhall@mhcomputing.net]<br>
<b>Sent:</b> Monday, September 20, 2010 10:58 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
</font><br>
</div>
<div></div>
<font size="2">
<div class="PlainText"><br>
<br>
On Mon, Sep 20, 2010 at 10:25:29PM -0400, Worsham, Michael wrote:<br>
> It seems tshark won't decode-as under tcp format for syslog, only udp, <br>
> so I had to change my syslog-ng.conf on both the client and server <br>
> sides. Then I figured out the redirect to use the decode-as protocol <br>
> syslog:<br>
<br>
If that tshark problem happened in a recent version it might be worth <br>
reporting a bug. As people come to depend more and more on TCP Syslog <br>
due to reliability and TLS issues this will be an important feature.<br>
<br>
> tshark -V -d udp.port==514,syslog >> dumpfile.txt<br>
> <br>
> Ran the 'logger daemon' command from the syslog-ng client to use as a <br>
> marker.<br>
> <br>
> New dump file is available here: <br>
> <a href="http://www.murpe.com/syslog-ng.tshark-dump.txt" target="_blank">http://www.murpe.com/syslog-ng.tshark-dump.txt</a><br>
> <br>
> -- M<br>
<br>
The interesting part is here.<br>
<br>
Let's hope somebody can think this over tomorrow during Europe / East US <br>
time and help formulate a proper answer. To me the message appears to be <br>
proper RFC 3164 BSD syslog format which should work OK. <br>
<br>
<a href="http://www.ietf.org/rfc/rfc3164.txt" target="_blank">http://www.ietf.org/rfc/rfc3164.txt</a><br>
<br>
Syslog message: USER.NOTICE: Sep 20 22:19:30 drupal root: daemon\n<br>
0000 1... = Facility: USER - random user-level messages (1)<br>
.... .101 = Level: NOTICE - normal but significant condition (5)<br>
Message: Sep 20 22:19:30 drupal root: daemon\n<br>
<br>
Matthew.<br>
<br>
> ________________________________<br>
> From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Worsham, Michael<br>
> Sent: Monday, September 20, 2010 9:45 PM<br>
> To: Syslog-ng users' and developers' mailing list<br>
> Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
> <br>
> A lot of what you just said went even over my head, so I went ahead <br>
> and disabled TLS encryption for the stream.<br>
> <br>
> I enabled the syslog -d on both sides (server and client), then did a <br>
> redirect of the tshark -V to a flat file. Then from the client side <br>
> ran the 'logger daemon' command again to use as a marker to see that <br>
> the data dump was actually being recorded.<br>
> <br>
> Dump is available here: <a href="http://www.murpe.com/syslog-ng.tshark-dump.txt" target="_blank">
http://www.murpe.com/syslog-ng.tshark-dump.txt</a><br>
> <br>
> As for the port, I am using TCP/514 -- which we are required to use <br>
> going forward. We can't use upper 1024+ ports, even for this test.<br>
> ________________________________<br>
> From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Matthew Hall [mhall@mhcomputing.net]<br>
> Sent: Monday, September 20, 2010 9:15 PM<br>
> To: Syslog-ng users' and developers' mailing list<br>
> Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
> <br>
> Sorry to be a pain about it, but as stated in the original mail we'd do<br>
> better with tshark -V or we can't see the payload of the packets.<br>
> <br>
> You also need to figure out an option to make sure the syslogs are<br>
> decoded as syslogs so we get proper output, because right now they are<br>
> coming out as RSH packets. You probably want to use this as shown in the<br>
> manpage, to flag your custom Syslog ports as Syslog for them to decode.<br>
> <br>
> -d &lt;layer type&gt;==&lt;selector&gt;,&lt;decode-as protocol&gt;<br>
> <br>
> Hopefully we can see what's going on and get to the bottom of this soon<br>
> for you.<br>
> <br>
> Matthew.<br>
> <br>
> On Mon, Sep 20, 2010 at 08:24:40PM -0400, Worsham, Michael wrote:<br>
> > TShark output between the two syslog-ng servers (syslogsvr<br>
> > [192.168.0.80], syslogclt [192.168.0.81]):<br>
> ><br>
> > <a href="http://www.murpe.com/syslog-ng-v3.tshark.txt" target="_blank">http://www.murpe.com/syslog-ng-v3.tshark.txt</a><br>
> ><br>
> > ________________________________<br>
> > From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Worsham, Michael<br>
> > Sent: Monday, September 20, 2010 8:06 PM<br>
> > To: Syslog-ng users' and developers' mailing list<br>
> > Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
> ><br>
> > Wireshark is going to be a bit impossible as these are servers without front-end displays and without X installed. Strictly console-related VM server instances.<br>
> ><br>
> > Here's a link to my configuration just in case anyone wants to take a gander:<br>
> ><br>
> > <a href="http://www.murpe.com/syslog-ng-v3.conf.txt" target="_blank">http://www.murpe.com/syslog-ng-v3.conf.txt</a><br>
> ><br>
> > We are using TLS encryption (a requirement) and a destination breakdown (another requirement). Other than that, we just need some simple filtering for keywords that appear hundreds to thousands of times on our many RHEL servers that have SELinux and auditing enabled.<br>
> ><br>
> > -- M<br>
> ><br>
> > ________________________________<br>
> > From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Matthew Hall [mhall@mhcomputing.net]<br>
> > Sent: Monday, September 20, 2010 7:53 PM<br>
> > To: Syslog-ng users' and developers' mailing list<br>
> > Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
> ><br>
> > On Mon, Sep 20, 2010 at 05:44:10PM -0600, syslogng@feystorm.net wrote:<br>
> > > Your first line should be working. Not sure why it is not.<br>
> > > However you can try using: not message('Audit daemon rotating log<br>
> > > files' flags('ignore-case'))<br>
> > > Simpler and does exactly what your old config did.<br>
> ><br>
> > My only guess so far besides an outright bug: the message is formatted<br>
> > wrong inside the Syslog packet and the packet parser behavior changed<br>
> > from the old version to the new version in such a way that the macros<br>
> > are not being populated with the strings we expect.<br>
> ><br>
> > However I have set up several PCRE filters against message content using<br>
> > 3.1 and have not seen anything broken. So the bug possibility seems<br>
> > unlikely compared to an issue parsing the particular string.<br>
> ><br>
> > It would be helpful if we could get the tshark -V or full Wireshark<br>
> > payload of a message that fails to decode so we could see what was<br>
> > contained in the original packet.<br>
> ><br>
> > Matthew.<br>
> > ______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
> ><br>
> ><br>
> > ________________________________<br>
> > CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation. If you are not a named recipient, you
are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately and permanently delete the email,
any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.<br>
> ><br>
> > EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this
technical data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical
data may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand
and will comply with all applicable ITAR, EAR and embargo compliance requirements.<br>
> ><br>
> <br>
> ><br>
> <br>
> <br>
> <br>
<br>
> <br>
<br>
<br>
</div>
</font><br>
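<div dir="ltr"><font size="2" face="tahoma">The thread turns on two questions: does the line in the tshark dump (facility USER, level NOTICE, i.e. PRI &lt;13&gt;, "Sep 20 22:19:30 drupal root: daemon") parse as a proper RFC 3164 message, and would a filter such as <code>not message('Audit daemon rotating log files' flags('ignore-case'))</code> then drop the intended lines and nothing else. The Python below is an added example written for this page, not code from the list, from syslog-ng, or from any of the posters. It parses constructed RFC 3164 lines into the pieces syslog-ng exposes as macros (facility, severity, host, program, pid, $MESSAGE), models the <code>message()</code> filter as a regular-expression search over $MESSAGE with an optional ignore-case flag, and goes slightly beyond the thread by also handling a line with no PRI (RFC 3164 section 4.3.3: a relay assumes &lt;13&gt;) and a line whose header fails to parse, which is the hypothesis Matthew raised about macros not being populated. The facility and severity names follow syslog-ng's spelling; the exact way syslog-ng splits the TAG from the content is simplified here and is an assumption of the example, not a statement about syslog-ng internals.</font></div>

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Facility and severity names as syslog-ng spells them; the tuple index is the RFC 3164 code.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron") + tuple(f"local{i}" for i in range(8))
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT"; the day may be space padded.
# Splitting TAG at "[pid]:" / ":" is a simplification assumed by this example.
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    pri: int
    facility: str
    severity: str
    header_ok: bool            # False when TIMESTAMP/HOST/TAG could not be parsed
    timestamp: Optional[str]
    host: Optional[str]
    program: Optional[str]
    pid: Optional[int]
    message: str               # what syslog-ng's $MESSAGE macro would carry


def parse_rfc3164(line: str) -> SyslogRecord:
    """Parse one BSD syslog line; never raises, so a malformed line is visible, not lost."""
    line = line.rstrip("\r\n")
    m = _PRI_RE.match(line)
    if m and int(m.group("pri")) <= 191:        # 23*8+7 is the largest legal PRI
        pri, rest = int(m.group("pri")), line[m.end():]
    else:
        # RFC 3164 4.3.3: a relay that cannot find a valid PRI must assume <13> (user.notice)
        pri, rest = 13, line
    facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
    h = _HEADER_RE.match(rest)
    if not h:
        # Header unparseable: everything after PRI lands in $MESSAGE, as a relay would do.
        return SyslogRecord(pri, facility, severity, False, None, None, None, None, rest)
    pid = int(h.group("pid")) if h.group("pid") else None
    return SyslogRecord(pri, facility, severity, True, h.group("ts"), h.group("host"),
                        h.group("prog"), pid, h.group("msg"))


def message_filter(pattern: str, ignore_case: bool = False) -> Callable[[SyslogRecord], bool]:
    """Model of syslog-ng's message('pattern' flags('ignore-case')): regex search over $MESSAGE."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda rec: rx.search(rec.message) is not None


def apply_not_filter(lines: List[str], pattern: str, ignore_case: bool = True) -> List[SyslogRecord]:
    """Records that survive 'filter { not message(pattern flags(ignore-case)); }'."""
    matches = message_filter(pattern, ignore_case)
    return [rec for rec in (parse_rfc3164(ln) for ln in lines) if not matches(rec)]


# Constructed sample input. The first line is the message from the thread's tshark dump:
# facility USER (1) and level NOTICE (5) give PRI 1*8+5 = 13. The rest are made up.
SAMPLE_LINES = [
    "<13>Sep 20 22:19:30 drupal root: daemon",
    "<37>Sep 20 22:19:31 drupal auditd[1234]: Audit daemon rotating log files",
    "<37>Sep 20 22:19:32 drupal auditd[1234]: AUDIT DAEMON Rotating Log Files",
    "<38>Sep 20 22:19:33 drupal sshd[2222]: Accepted publickey for admin from 192.168.0.81 port 50000 ssh2",
    "Sep 20 22:19:34 drupal kernel: no PRI on this line, relay assumes <13>",
    "<13>garbage without a header",
]

if __name__ == "__main__":
    for rec in apply_not_filter(SAMPLE_LINES, "Audit daemon rotating log files"):
        print(f"{rec.facility}.{rec.severity} host={rec.host} prog={rec.program} "
              f"header_ok={rec.header_ok} msg={rec.message!r}")
```

<div dir="ltr"><font size="2" face="tahoma">Run as-is it prints the four records the filter keeps: the two auditd rotation lines are dropped regardless of letter case, while the marker line from the dump parses cleanly as user.notice from host drupal, program root, $MESSAGE "daemon". Rerunning with <code>ignore_case=False</code> keeps the upper-case variant, which is the behaviour difference the <code>flags('ignore-case')</code> suggestion in the thread is about. A line that comes back with <code>header_ok=False</code> is the case to look for when a filter that should match does not: the text is still there, but it is not in the macro the filter inspects.</font></div>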
</body>
</html>