<div dir="ltr"><div><div><div>Hi,<br></div><br>What do you try to achieve? Sending syslog messages to OSquery or collecting OSquery logs by syslog-ng?<br><br></div>/me now has a test environment installed<br><br></div>Bye,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="https://www.balabit.com/blog/author/peterczanik/" target="_blank">https://www.balabit.com/blog/author/peterczanik/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></div></div></div></div>
<br><div class="gmail_quote">On Mon, Apr 17, 2017 at 4:32 PM, Dwijadas Dey <span dir="ltr"><<a href="mailto:dwijad@gmail.com" target="_blank">dwijad@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div>Hi<br></div> Robert<br></div> You are right, i am trying the same with a named pipe so that OSQUERY consume syslogs as pointed by Evan. There are plenty of documents showing the same with rsyslog but not with syslog-ng.<br><br></div>This is what my syslog configuration for osquery:-<br><br>/etc/syslog-ng/conf.d/osquery.<wbr>conf<br><br>source s_osquery {<br> # system();<br> pipe("/var/osquery/syslog_<wbr>pipe");<br> # unix-stream("/dev/log");<br>};<br>#filter osqueryd {<br> # program("^osqueryd.*");<br>#};<br>destination d_osquery {<br> file("/var/log/osquery/<wbr>osqueryd.results.log" template("$(format-json --scope selected_macros --scope nv_pairs)\n"));<br>};<br>log {<br> source(s_osquery);<br> # filter(osqueryd);<br> destination(d_osquery);<br>};<br><br></div>But this does not produce any logs for OSQUERY. I have checked , the name piped has been created.<br><br># ls -l /var/osquery/syslog_pipe<br>pr--rw---- 1 root adm 0 Apr 14 15:41 /var/osquery/syslog_pipe<br><br>But when i try to check what logs are passing through the pipe using following command, no message shows up.<br># cat /var/osquery/syslog_pipe<br><br></div><div>I have correct options set in OSQUERY configuration file in /etc/osquery/osquery.conf.<br><br>..................<br>..................<br> "logger_plugin": "syslog",<br>"enable_syslog": "true",<br>"syslog_pipe_path": "/var/osquery/syslog_pipe",<br>..................<br>..................<br></div>I think Evan can point me the right configuration for syslog-ng ( version 3.5.6 in ubuntu 16 )<br><br></div>Regards<div><div class="h5"><br><div><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 17, 2017 at 6:24 PM, Fekete, Róbert <span dir="ltr"><<a href="mailto:robert.fekete@balabit.com" target="_blank">robert.fekete@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi, <br><br></div>It seems that by default, osquery logs JSON messages into a file. ( <a href="https://osquery.readthedocs.io/en/latest/deployment/logging/" target="_blank">https://osquery.readthedocs.io<wbr>/en/latest/deployment/logging/</a> )<br></div>You can use this file in a syslog-ng source, and parse the JSON messages with the json parser (note that you need a recent syslog-ng OSE for this), see <a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/json-parser.html" target="_blank">https://www.balabit.com/docume<wbr>nts/syslog-ng-ose-latest-<wbr>guides/en/syslog-ng-ose-guide-<wbr>admin/html/json-parser.html</a> .<br><br><br></div>The above Osquery page mentions that it can send log messages directly to syslog (instead of a file), but I haven't found how you can actually configure it.<br><br></div><div>Regards, <br><br></div><div>Robert<br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_-3763707499530419432h5">On Fri, Apr 14, 2017 at 9:46 PM, Dwijadas Dey <span dir="ltr"><<a href="mailto:dwijad@gmail.com" target="_blank">dwijad@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_-3763707499530419432h5"><div dir="ltr"><div><div><div>Hi<br></div> List users<br></div> Is it possible to send OSQUERY logs to syslog-ng 3.5 In the <a href="https://osquery.readthedocs.io/en/latest/deployment/syslog/" target="_blank">OSQUERY docs</a> rsyslog is configured to write logs to syslog. Does the same method applies to syslog-ng 3.5 ?<br><br></div>Thanks and regards<br></div>
<br></div></div>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div></div></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>