<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 12px; font-family: Courier, sans-serif;">
<div>Hi</div>
<div><br>
</div>
<div>I hope someone can help me!</div>
<div><br>
</div>
<div>The syslog-ng in our environment sends syslog messages using tls to our SIEM (Qradar). The following is the configuration of the syslog-ng (ip changed):</div>
<div><br>
</div>
<div>
<blockquote style="margin:0 0 0 40px; border:none; padding:0px;">
<div># First, set some global options.</div>
<div>options { chain_hostnames(off); flush_lines(0); use_dns(yes); use_fqdn(no);</div>
<div> owner("root"); group("adm"); perm(0640); stats_freq(0);</div>
<div> bad_hostname("^gconfd$");</div>
<div>};</div>
<div><br>
</div>
<div>destination d_qradar_tls {tcp(„1.2.3.4" port(6514) tls( peer-verify(required-untrusted) ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) ); };</div>
<div>destination d_qradar_local { file("/tmp/qradar_local"); };</div>
<div>source s_testlog {</div>
<div> file("/tmp/testlog" flags(no-parse)); };</div>
<div>log {</div>
<div> source(s_testlog);</div>
<div> destination(d_qradar_local);</div>
<div> destination(d_qradar_tls);</div>
<div>};</div>
</blockquote>
</div>
<div><br>
</div>
<div>When I insert a message into the testlog it is parsed and written into the local destination „d_qradar_local“ but not sent to the remote destination. Syslog-NG in debugging mode (syslog-ng –Fevdt) shows the following:</div>
<div><br>
</div>
<div>
<blockquote style="margin:0 0 0 40px; border:none; padding:0px;">
<div>…</div>
<div>Syslog connection established; fd='7', server=‚AF_INET(1.2.3.4:6514)', local='AF_INET(0.0.0.0:0)'</div>
<div>Incoming log entry; line='test'</div>
<div>Initializing destination file writer; template='/tmp/qradar_local', filename='/tmp/qradar_local'</div>
<div>Destination timed out, reaping; template='/tmp/qradar_local', filename='/tmp/qradar_local'</div>
<div>Closing log transport fd; fd=’15'</div>
</blockquote>
</div>
<div><br>
</div>
<div>Using tcpdump to check if some packets are sent to Qradar reveals that only the first insertion of a message into the testlog after a restart of syslog-ng leads to a packet sent to Qradar. Every other insertion has no effect on the remote destination but
is always inserted into the local destination (file). Also during the start of syslog-ng two packets are sent to qradar.</div>
<div><br>
</div>
<div>I’ve also opened a ticket at IBM and awating response.</div>
<div><br>
</div>
<div>Thank you very much in advance for any help on this!</div>
<div><br>
</div>
<div>Kind regards, Stefan</div>
<div>
<div>--</div>
<div style="font-size: 14px; "><span class="Apple-style-span" style="font-size: 12px;">University of Bern</span></div>
<div style="font-size: 14px; "><span class="Apple-style-span" style="font-size: 12px;">IT Services Department</span></div>
<div style="font-size: 14px; "><br>
</div>
</div>
</body>
</html>