<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        mso-fareast-language:EN-US;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal><strong><span style='font-family:"Calibri","sans-serif"'>Classification: <span style='color:#33CC00'>Public</span></span></strong></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Ha!</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>I think I might have been trying to achieve the impossible – getting syslog-ng to convert multi-line log messages into concatenated syslog messages.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>That doesn’t appear to work. But I defined a syslogd instance to direct local5.info messages received from my syslog-ng client into a log file, and all works fine!</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>more local5.log</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Sep 30 14:45:35 &lt;hostname&gt; local5:info &lt;hostname&gt; Table: IMP-386: ORACLE error 386 encountered ORA-01017: invalid username/password; logon deniedUsername: Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production</p>
<p class=MsoNormal>Sep 30 14:45:35 &lt;hostname&gt; local5:info &lt;hostname&gt; Table: IMP-00034: Warning: FromUser "FALBOS" not found in export file With the Partitioning, OLAP and Data Mining options Export file created by EXPORT:V10.02.01 via conventional path</p>
<p class=MsoNormal>Sep 30 14:45:35 &lt;hostname&gt; local5:info &lt;hostname&gt; Table: IMP-386: ORACLE error 386 encountered Warning: the objects were exported by FALCON, not by you import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Using this config in syslog-ng.conf:</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>source s_table {</p>
<p class=MsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;file("&lt;path to input multi-line log file&gt;" multi-line-prefix("IMP") flags(no-parse, no-multi-line)</p>
<p class=MsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;program_override("Table") default-facility(local5) default-priority(info));</p>
<p class=MsoNormal>};</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>filter f_local5_info { facility(local5) and level(info); };</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>and with the destination defined as a UDP IP address to port 514:</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>log { source(s_table); filter(f_local5_info); destination(d_syslog_udp); };</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>As the desire is to get multi-line non-syslog logs off-host to QRadar as syslog messages, that’s the POC passed fine!</p>
<p class=MsoNormal>&nbsp;</p>
</div>
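<p class=MsoNormal>Added example (not part of the original message, and not syslog-ng code): a small Python model of what the file() source options quoted above do to the Oracle import log. A line matching multi-line-prefix() opens a new record and the following lines are appended to it, flags(no-multi-line) flattens the record to one line, default-facility(local5) and default-priority(info) give PRI 174, and program_override("Table") becomes the RFC 3164 TAG. It also shows two things the message does not: a bare prefix of "IMP" also matches a line beginning "IMPORTANT", and a collapsed record can exceed the 1024-byte packet limit of RFC 3164. The sample log text, the host name dbhost, the timestamp and the collector address are constructed for the example.</p>

```python
"""
Model of syslog-ng's multi-line-prefix() / flags(no-multi-line) / default-facility()
/ default-priority() / program_override() handling, so a multi-line file can be
checked offline before it is shipped to a SIEM. Added example, not syslog-ng code.
"""
import re
import socket
from typing import List, Tuple

# Constructed sample, modelled on the Oracle import output quoted in the message.
SAMPLE_LOG = (
    'IMP-00034: Warning: FromUser "FALBOS" not found in export file\n'
    "With the Partitioning, OLAP and Data Mining options\n"
    "Export file created by EXPORT:V10.02.01 via conventional path\n"
    "IMP-386: ORACLE error 386 encountered\n"
    "ORA-01017: invalid username/password; logon denied\n"
)

FACILITY = {"local5": 21}   # RFC 3164 facility numbers: local0 = 16 ... local7 = 23
SEVERITY = {"info": 6}      # RFC 3164 severity numbers
RFC3164_MAX_LEN = 1024      # RFC 3164 section 4.1: maximum packet length


def collapse_multiline(lines, prefix: str = "IMP") -> List[str]:
    """Mimic multi-line-prefix() followed by flags(no-multi-line).

    `prefix` is a regular expression matched at the start of each line (syslog-ng
    treats the option as a regexp too). A match opens a new record; other lines are
    appended to the current one, and the record is joined into a single line.
    Note that "IMP" also matches "IMPORTANT ..."; r"IMP-[0-9]+:" is a tighter anchor.
    """
    start = re.compile(prefix)
    records: List[str] = []
    current: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if start.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def pri(facility: str = "local5", severity: str = "info") -> int:
    """PRI as carried in the <PRI> header: facility * 8 + severity (local5.info = 174)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def bsd_syslog(msg: str, host: str, program: str, timestamp: str,
               facility: str = "local5", severity: str = "info") -> Tuple[bytes, bool]:
    """Frame one record as an RFC 3164 packet: <PRI>TIMESTAMP HOST TAG: MSG.

    Returns (packet, truncated). A collapsed multi-line record can exceed the
    1024-byte limit that strict RFC 3164 receivers apply, so the caller is told
    when the tail was cut instead of it disappearing silently at the collector.
    """
    packet = f"<{pri(facility, severity)}>{timestamp} {host} {program}: {msg}".encode()
    if len(packet) > RFC3164_MAX_LEN:
        return packet[:RFC3164_MAX_LEN], True
    return packet, False


def build_packets(text: str, host: str, program: str, timestamp: str,
                  prefix: str = "IMP") -> List[Tuple[bytes, bool]]:
    """Whole pipeline: file contents -> collapsed records -> syslog packets."""
    return [bsd_syslog(rec, host, program, timestamp)
            for rec in collapse_multiline(text.splitlines(keepends=True), prefix)]


def send_udp(packets, collector: str, port: int = 514) -> int:
    """Ship packets over plain UDP/514, like the d_syslog_udp destination in the message.

    UDP gives no delivery guarantee, integrity or confidentiality; for a SIEM feed
    prefer syslog-ng's network() destination with transport("tls").
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for packet, _truncated in packets:
            sock.sendto(packet, (collector, port))
            sent += 1
    finally:
        sock.close()
    return sent


if __name__ == "__main__":
    for packet, truncated in build_packets(SAMPLE_LOG, "dbhost", "Table", "Sep 30 14:45:35"):
        print(packet.decode(), "(TRUNCATED)" if truncated else "")
    # send_udp(build_packets(SAMPLE_LOG, "dbhost", "Table", "Sep 30 14:45:35"), "192.0.2.10")
```

<p class=MsoNormal>Running the block prints two packets tagged &lt;174&gt;, one per IMP-prefixed record, which is the shape of the local5.log lines shown in the message. The collapsed ORA-01017 "invalid username/password; logon denied" record is exactly the kind of line a SIEM rule for failed database logons keys on, so check the truncated flag on long records before relying on such a rule: a record cut at 1024 bytes may lose the part the rule matches.</p>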
</body></html>