<div dir="ltr"><div><div>Hi,<br><br></div>As far as I can remember, this feature arrived with syslog-ng version 3.7. So you should install an unofficial version to use it: <a href="https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng">https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng</a><br><br></div>Bye,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature">Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="http://czanik.blogs.balabit.com/" target="_blank">http://czanik.blogs.balabit.com/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></div></div>
<br><div class="gmail_quote">On Tue, Nov 1, 2016 at 10:22 PM, Varugis Kurien <span dir="ltr"><<a href="mailto:vkurien@midfinsystems.com" target="_blank">vkurien@midfinsystems.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_4907673752196902306divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>When using a freshly installed version of U16.04, I found that the linux audit log parser does not seem to be installed.</p>
<p>For example: <font size="2"><span style="font-size:10pt"><br>
</span></font></p>
<p><font size="2"><span style="font-size:10pt"><br>
</span></font></p>
<p><font size="2"><span style="font-size:10pt"></span></font><span>syslog-ng --module-registry|grep audit</span> <-- returns nothing</p>
<p>==</p>
<p><br>
</p>
<ol>
<li>This started because I experienced a failure when trying to enable the linux audit parser:
<div><i>Error parsing parser expression, parser plugin linux-audit-parser not found in /etc/syslog-ng/conf.d/auditd.<wbr>log.conf at line 3, column 8:<br>
<wbr> <wbr> included from /etc/syslog-ng/syslog-ng.conf line 164, column 1<br>
<br>
linux-audit-parser(prefix(".<wbr>auditd."));</i></div>
</li><li>The corresponding conf file is below:</li></ol>
<i>source s_var_log_audit.log { file("/var/log/audit/audit.<wbr>log" flags(no-parse)); };</i><br>
<i>parser p_audit_syslog_parser {<br>
linux-audit-parser(prefix(".<wbr>auditd."));<br>
};<br>
<br>
log {<br>
source(s_var_log_audit.log);<br>
parser(p_audit_syslog_parser);<br>
destination(d_midfin_logger_2)<wbr>;<br>
};</i><br>
<br>
<p>The officially supported version of syslog-ng in ubuntu is 3.5.1.</p>
<p>==</p>
<p></p>
<div><i>syslog-ng 3.5.6<br>
Installer-Version: 3.5.6<br>
Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)<br>
Compile-Date: Oct 24 2015 03:49:19<br>
Available-Modules: json-plugin,csvparser,system-<wbr>source,tfgeoip,afsocket-notls,<wbr>afamqp,basicfuncs,affile,<wbr>afsocket-tls,dbparser,<wbr>afmongodb,cryptofuncs,afsmtp,<wbr>linux-kmsg-format,afuser,<wbr>redis,afsocket,afstomp,sysl\<br>
ogformat,confgen,afprog,afsql<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: on<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br>
</i></div>
<i><br>
</i>
<p></p>
<p><i></i>Do I need to install an unofficial version or is there some elementary mistake that I am making.</p>
<p>thanks</p><span class="HOEnZb"><font color="#888888">
<p>Varugis<br>
</p>
</font></span></div>
</div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>