<div dir="ltr"><div class="gmail_extra">Hi Scot,</div><div class="gmail_extra"><br></div><div class="gmail_extra">syslog-ng in its premium edition offers logstore:</div><div class="gmail_extra"><a href="https://www.balabit.com/documents/syslog-ng-pe-6.0-guides/en/syslog-ng-pe-guide-admin/html-single/index.html#configuring-destinations-logstore">https://www.balabit.com/documents/syslog-ng-pe-6.0-guides/en/syslog-ng-pe-guide-admin/html-single/index.html#configuring-destinations-logstore</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">Disclaimer: I'm employed by Balabit (being the product manager of syslog-ng there) I don't want to push anything here, the only reason I wrote this is because I felt there is an exact match with what you required and by checking the above documentation you can at least see whether this is indeed the functionality what you are after.</div><div class="gmail_extra"><br></div><div class="gmail_extra">/Istvan</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Date: Thu, 8 Sep 2016 21:56:55 -0400<br>
From: Scot Needy <<a href="mailto:scotrn@gmail.com">scotrn@gmail.com</a>><br>
Subject: Re: [syslog-ng] Archive module ?<br>
To: Syslog-ng users' and developers' mailing list<br>
<<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
Message-ID: <<a href="mailto:3E22C1C9-9275-41F4-A583-F140CAF611A6@gmail.com">3E22C1C9-9275-41F4-A583-<wbr>F140CAF611A6@gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
<br>
That looks like it would work but if the source isn?t syslog data ?<br>
<br>
I pondered this question when looking at the disk buffer settings in 3.8.<br>
If my data is in ES, MySQL or some other parsed presentation platform then all I really need to write out blocks of raw data to disk and archive for SOX compliance.<br>
<br>
Let the storage archive, compress, encrypt and de-dup.<br>
<br>
Just<br>
<br>
<br>
> On Sep 8, 2016, at 5:48 PM, Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br>
><br>
> You would have to use a syslog-ng template defined as<br>
><br>
> "<$PRI>$ISO_DATE $FULLHOST $MSGHDR$MESSAGE\n"<br>
><br>
> and that would be the "on the wire" format. The you can netcat this to the syslog port which would replay the log.<br>
><br>
> Evan.<br>
><br>
> On 09/08/2016 02:39 PM, Scot Needy wrote:<br>
>> Thanks Even,<br>
>><br>
>> Maybe I?m doing something wrong.<br>
>> I see some of the headers but not all.<br>
>><br>
>> 2016-09-08T17:31:17-04:00 <IPADDR> <HOST> %ASA-3-305006: regular translation creation failed for imp src ?.<br>
>><br>
>> I guess what I was looking for is something that I could write blocks of data to and read from irregardless of the type of data.<br>
>> Something almost like tcpdump or buffer that could rotate every hour or so and then be used to re-play directly back into syslog-ng.<br>
>><br>
>> Log > YYYY.MM.DD.HH_compressed_data.<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>>> On Sep 8, 2016, at 5:13 PM, Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> <mailto:<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br>
>>><br>
>>> If you write the syslog data to a file with all of the data, then it can be ingested again.<br>
>>><br>
>>> We save the data to the files like<br>
>>><br>
>>> 2016-09-08T00:00:01-07:00 host.name.here <a href="http://mail.info" rel="noreferrer" target="_blank">mail.info</a> sm-mta[9521]: u887019I009521: milter=mimedefang, action=rcpt, continue<br>
>>><br>
>>> and then we have a syslog-ng pattern database that will turn this back into an "on the wiire" format that can be sent to any syslog port.<br>
>>><br>
>>> Alternatively, you could save it in the file as the original format, and then it can just be sent back to syslog when you need to. Human readablility is not quite as good, but if you have the data in splunk or whatever, then humans don't need to read the raw files.<br>
>>><br>
>>> Evan.<br>
>>><br>
>>><br>
>>> On 09/08/2016 01:32 PM, Scot Needy wrote:<br>
>>>> Hi All,<br>
>>>><br>
>>>> Is there a better way to archive my syslog data once it?s been received and injected into elk,spunk or whatever ?<br>
>>>><br>
>>>> I see how I can log my data to flat files using date macros then compress and archive as normal data but is there a better way to write out the data in the same format it was received to facilitate re-injesting ?<br>
>>>><br>
>>>> For example: My syslog data on file does not include the original syslog header data .<br>
>>>><br>
>>>> Syslog is just one example.<br>
>>>><br>
>>>><br>
>>> ______________________________<wbr>______________________________<wbr>__________________<br>
>>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a> <<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a>><br>
>>> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a> <<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a>><br>
>>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a> <<a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a>><br>
>>><br>
>> ______________________________<wbr>______________________________<wbr>__________________<br>
>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a> <<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a>><br>
>> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a> <<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a>><br>
>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a> <<a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a>><br>
>><br>
><br>
><br>
> --<br>
> Evan Rempel <a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a> <mailto:<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>><br>
> Senior Systems Administrator <a href="tel:250.721.7691" value="+12507217691">250.721.7691</a><br>
> Data Centre Services, University Systems, University of Victoria<br>
> ______________________________<wbr>______________________________<wbr>__________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.balabit.hu/pipermail/syslog-ng/attachments/20160908/552cf5bf/attachment.htm" rel="noreferrer" target="_blank">http://lists.balabit.hu/<wbr>pipermail/syslog-ng/<wbr>attachments/20160908/552cf5bf/<wbr>attachment.htm</a><br>
<br>
------------------------------<br>
<br>
______________________________<wbr>_________________<br>
syslog-ng maillist - <a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
<br>
<br>
End of syslog-ng Digest, Vol 137, Issue 11<br>
******************************<wbr>************<br>
</blockquote></div><br></div></div>