<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Webdings;
panose-1:5 3 1 2 1 5 9 6 7 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.m150039684065140873gmail-tl8wme
{mso-style-name:m_150039684065140873gmail-tl8wme;}
span.m150039684065140873m-8267404174768494788apple-converted-space
{mso-style-name:m_150039684065140873m-8267404174768494788apple-converted-space;}
span.m150039684065140873m-8267404174768494788phrase
{mso-style-name:m_150039684065140873m-8267404174768494788phrase;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Perfect, thanks for the help and advice, very useful<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu]
<b>On Behalf Of </b>Fekete, Róbert<br>
<b>Sent:</b> 18 May 2017 12:55<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] use of Syslog-ng to filter logs for forwarding to Splunk<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Yes, you can do that with OSE. Which OSE version you need depends on how you want to send the logs to Splunk. For example, the http() destination referenced in the first blogpost needs a fairly recent version (at least 3.8 I think). Another
(somewhat less sophisticated) option is to write the logs into files, and have Splunk to read those files - that can be done with older syslog-ng versions as well. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">You can find links to recent packages at <a href="https://syslog-ng.org/3rd-party-binaries/">https://syslog-ng.org/3rd-party-binaries/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, May 18, 2017 at 1:45 PM, Stuart Martin <<a href="mailto:S.Martin@sstl.co.uk" target="_blank">S.Martin@sstl.co.uk</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi Robert,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Great, thanks for coming back to me so quickly with very useful information. Can I just confirm that
the OSE will support this, don’t need Premium or anything?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Many Thanks</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Kind Regards</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Stuart</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng
[mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]
<b>On Behalf Of </b>Fekete, Róbert<br>
<b>Sent:</b> 18 May 2017 12:37<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] use of Syslog-ng to filter logs for forwarding to Splunk</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi Stuart, <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Although it is not explicitly mentioned in the docs (I should add a section sometime), syslog-ng can do this. You can find more details about it in these Splunk blogposts: <o:p></o:p></p>
</div>
<div>
<div id="m_150039684065140873gmail-:m1.co">
<div style="margin-left:6.75pt;margin-right:6.75pt;margin-bottom:4.5pt;opacity:1;word-wrap:break-word;word-break:break-word" id="m_150039684065140873gmail-:m5.ma">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt">
<span class="m150039684065140873gmail-tl8wme"><span style="font-size:10.0pt;color:#263238"><a href="https://www.google.com/url?q=https%3A%2F%2Fwww.splunk.com%2Fblog%2F2017%2F03%2F30%2Fsyslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html&sa=D&sntz=1&usg=AFQjCNHA6B3pNK8iYkhvMNKJAofoQBv9NA" target="_blank"><span style="color:#263238">https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html</span></a></span></span><o:p></o:p></p>
</div>
<div style="margin-left:6.75pt;margin-right:6.75pt;margin-bottom:4.5pt;opacity:1;word-wrap:break-word;word-break:break-word" id="m_150039684065140873gmail-:n3.ma">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt">
<span class="m150039684065140873gmail-tl8wme"><span style="font-size:10.0pt;color:#263238"><a href="https://www.google.com/url?q=https%3A%2F%2Fwww.splunk.com%2Fblog%2F2016%2F03%2F11%2Fusing-syslog-ng-with-splunk%2F&sa=D&sntz=1&usg=AFQjCNFszFq3emOTowQPzMgYOMdJ_txVEQ" target="_blank"><span style="color:#263238">https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk/</span></a></span></span><o:p></o:p></p>
</div>
<div style="margin-left:6.75pt;margin-right:6.75pt;margin-bottom:4.5pt;opacity:1;word-wrap:break-word;word-break:break-word" id="m_150039684065140873gmail-:n3.ma">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt">
<span style="font-size:10.0pt;color:#263238"> </span><o:p></o:p></p>
</div>
<div style="margin-left:6.75pt;margin-right:6.75pt;margin-bottom:4.5pt;opacity:1;word-wrap:break-word;word-break:break-word" id="m_150039684065140873gmail-:n3.ma">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt">
<span style="font-size:10.0pt;color:#263238">HTH, </span><o:p></o:p></p>
</div>
<div style="margin-left:6.75pt;margin-right:6.75pt;margin-bottom:4.5pt;opacity:1;word-wrap:break-word;word-break:break-word" id="m_150039684065140873gmail-:n3.ma">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt">
<span style="font-size:10.0pt;color:#263238">Robert</span><o:p></o:p></p>
</div>
<div style="margin-left:6.75pt;margin-right:6.75pt;margin-bottom:4.5pt;opacity:1;word-wrap:break-word;word-break:break-word" id="m_150039684065140873gmail-:n3.ma">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt">
<span style="font-size:10.0pt;color:#263238"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Thu, May 18, 2017 at 1:12 PM, Stuart Martin <<a href="mailto:S.Martin@sstl.co.uk" target="_blank">S.Martin@sstl.co.uk</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We are looking to collect logs from servers and devices in our DMZ and then filter the logs of unnecessary information to then be sent to our internal Splunk instance.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Would Syslog-ng OSE edition be capable of this task?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’ve started to read through your excellent documentation for the OSE edition, I was wondering what route I should take to configure it for the scenario described above? The link
I am thinking is correct is the “<span style="font-family:"Verdana",sans-serif;color:black;background:white">To configure<span class="m150039684065140873m-8267404174768494788apple-converted-space"> </span><span class="m150039684065140873m-8267404174768494788phrase">syslog-ng
OSE</span><span class="m150039684065140873m-8267404174768494788apple-converted-space"> </span>as a relay that receives log messages from client hosts and forwards them to a central logserver, see<span class="m150039684065140873m-8267404174768494788apple-converted-space"> </span></span><a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configure-servers.html" target="_blank" title="4.2. Procedure – Configuring syslog-ng on server hosts"><i><span style="font-family:"Verdana",sans-serif;color:#1D5987;background:white">Procedure
4.2, Configuring syslog-ng on server hosts</span></i></a><span style="font-family:"Verdana",sans-serif;color:black;background:white">.”</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Verdana",sans-serif;color:black;background:white"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Does that sound correct?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Many Thanks<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Kind Regards<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>Stuart Martin</b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#003180">Infrastructure Security Engineer</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Surrey Satellite Technology Ltd<br>
Tycho House, 20 Stephenson Road, Surrey Research Park, Guildford, GU2 7YE<br>
<br>
Tel: <a href="tel:+44%201483%20803803" target="_blank">+44 (0)1483 803803</a> | Fax:
<a href="tel:+44%201483%20803804" target="_blank">+44 (0)1483 803804</a> | Email: <a href="mailto:s.martin@sstl.co.uk" target="_blank">s.martin@sstl.co.uk</a>
<br>
</span><a href="http://www.sstl.co.uk/" target="_blank" title="http://www.sstl.co.uk/"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">www.sstl.co.uk</span></a><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> <a href="http://twitter.com/SurreySat" target="_blank" title="http://twitter.com/SurreySat">http://twitter.com/SurreySat</a><span style="color:blue"> </span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:Webdings;color:#669900">P
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#669900">Please consider the environment before printing this e-mail</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#484445">This e-mail and any attachments may contain confidential and privileged information. If you are not the
intended recipient, please notify the sender <br>
immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the
<br>
intended recipient is unauthorized and may be illegal. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black"> </span></b><o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center"><b><span style="color:black">
<hr size="2" width="100%" align="center">
</span></b></div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">The information contained in this message is intended for the addressee only and may contain sensitive information. If you are not the addressee, please
delete this message and notify the sender; you should not copy or distribute this message or disclose its contents to anyone. Any views or opinions expressed in this message are those of the individual(s) and not necessarily of the organisation. No reliance
may be placed on this message without written confirmation from an authorised representative of its contents. No guarantee is implied that this message or any attachment is virus free or has not been intercepted and amended.</span><o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center"><b><span style="color:black">
<hr size="2" width="100%" align="center">
</span></b></div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><b><span style="color:black"><o:p> </o:p></span></b></p>
<div class="MsoNormal" align="center" style="text-align:center"><b><span style="color:black">
<hr size="2" width="100%" align="center">
</span></b></div>
<p class="MsoNormal"><span style="color:black">The information contained in this message is intended for the addressee only and may contain sensitive information. If you are not the addressee, please delete this message and notify the sender; you should not
copy or distribute this message or disclose its contents to anyone. Any views or opinions expressed in this message are those of the individual(s) and not necessarily of the organisation. No reliance may be placed on this message without written confirmation
from an authorised representative of its contents. No guarantee is implied that this message or any attachment is virus free or has not been intercepted and amended.<b><o:p></o:p></b></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><b><span style="color:black">
<hr size="2" width="100%" align="center">
</span></b></div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
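<p class="MsoNormal">The setup discussed in the thread above (a syslog-ng OSE relay in the DMZ that drops unneeded messages and forwards the rest to Splunk, either through the http() destination or by writing files) as one complete configuration. This is an added example written for this page; it is not taken from the thread, from the Splunk blog posts or from the syslog-ng documentation. The hostnames, IP addresses, certificate paths, the HEC token and the noise patterns are placeholders, and the option names assumed here (tls() with peer-verify(required-trusted) on the source, ca-dir() directly under http(), the level(warning..emerg) range) should be checked against the syslog-ng OSE version actually installed, since the http() destination and some of its TLS options only appeared around 3.8.</p>

```conf
@version: 3.8
@include "scl.conf"

# DMZ relay: receive from DMZ hosts, drop noise, forward to the internal Splunk.
# All names, addresses, paths and the token below are hypothetical placeholders.

options {
    # Take the host name from the sending connection, not from the message
    # header, so a DMZ host cannot spoof ${HOST} (which is also used in file paths).
    keep-hostname(no);
    use-dns(no);          # no DNS lookups from the DMZ relay
    chain-hostnames(no);
};

# RFC 5424 syslog over TLS with mandatory client certificates for servers that
# support it; a peer without a certificate signed by a CA in ca-dir() is rejected.
source s_dmz_tls {
    syslog(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-dir("/etc/syslog-ng/tls/ca.d")   # hashed CA certificates (c_rehash)
            peer-verify(required-trusted)
        )
    );
};

# Plain UDP only for appliances that cannot do TLS, bound to the DMZ interface.
source s_dmz_udp {
    network(ip("10.0.1.10") port(514) transport("udp"));
};

# Messages considered noise for this deployment (illustrative patterns; tune
# them to what is actually chatty on your hosts).
filter f_noise {
    (program("CRON") and message("session (opened|closed) for user"))
    or (program("systemd") and message("^(Started|Starting|Stopped|Stopping) "))
    or (program("dhclient") and message("^DHCP(REQUEST|ACK)"));
};

# Forward everything that is not noise, but never drop authentication logs or
# anything at warning level or above, whatever program produced it.
filter f_forward {
    facility(auth, authpriv) or level(warning..emerg) or not filter(f_noise);
};

# Option 1: Splunk HTTP Event Collector through the http() destination (OSE 3.8+).
# The /raw endpoint takes the body verbatim; the sourcetype is given in the URL.
destination d_splunk_hec {
    http(
        url("https://splunk.internal.example:8088/services/collector/raw?sourcetype=syslog")
        method("POST")
        user-agent("syslog-ng-dmz-relay")
        headers("Authorization: Splunk 00000000-0000-0000-0000-000000000000")  # HEC token placeholder
        body("${ISODATE} ${HOST} ${MSGHDR}${MESSAGE}")
        ca-dir("/etc/syslog-ng/tls/ca.d")   # verify the Splunk server certificate
    );
};

# Option 2: write files for a Splunk forwarder to read (works on older releases).
# Files are owner/group readable only; the forwarder's user goes in that group.
destination d_splunk_file {
    file("/var/log/splunk-forward/${HOST}/${YEAR}${MONTH}${DAY}.log"
        template("${ISODATE} ${HOST} ${MSGHDR}${MESSAGE}\n")
        create-dirs(yes) dir-perm(0750) perm(0640));
};

log {
    source(s_dmz_tls);
    source(s_dmz_udp);
    filter(f_forward);
    destination(d_splunk_hec);
    # destination(d_splunk_file);   # instead of, or in addition to, HEC
};
```

<p class="MsoNormal">Check the file with <code>syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf</code> before reloading; a wrong @version line or an option the installed release does not know is reported there rather than at runtime. The filter is written so that the drop list can grow without ever silencing auth/authpriv or warning-and-above messages, which is the class of events an internal SIEM most needs from a DMZ.</p>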
</body>
</html>