<div dir="auto">Hi,<div dir="auto"><br></div><div dir="auto">I observe that timestamp and host are getting added to my netflow log before being forwarded even though I am</div><div dir="auto">using pure tcp driver for output and not syslog.</div><div dir="auto"><br></div><div dir="auto">Raghu</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Dec 2, 2019, 20:49 Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com">funduraghu@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Thanks.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Dec 2, 2019, 18:02 Laszlo Szemere (lszemere) <<a href="mailto:Laszlo.Szemere@oneidentity.com" target="_blank" rel="noreferrer">Laszlo.Szemere@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Raghu,<br>
Netflow is indeed a binary protocol. Since Syslog-ng is a text-based log management system, I think your only option is to find some kind of "gateway" for the Netflow traffic.<br>
<br>
The gateway should be able to receive and convert those packets into a text format. (At this point you will certainly lose some information, since not all network-related bytes can be converted into a printable character. Or you should use some encoding on it.)<br>
This gateway might run as a stand-alone application, or you can integrate it into Syslog-ng as a program (or python) source.<br>
<br>
Best regards,<br>
Laci<br>
<br>
________________________________________<br>
From: syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Pal, Laszlo <<a href="mailto:vlad@vlad.hu" rel="noreferrer noreferrer" target="_blank">vlad@vlad.hu</a>><br>
Sent: Wednesday, November 27, 2019 14:03<br>
To: Syslog-ng users' and developers' mailing list<br>
Subject: Re: [syslog-ng] Support for netflow logs<br>
<br>
I'm also interested in this. As far as I know there is no native netflow input in syslog-ng, and when I did some research on it, it is not very easy. Logstash has a native netflow input and output, but it seems this is abandoned and not very stable. nxLog also supports netflow, but I'm not sure if it is only in the enterprise version or if it is available in the CE too.<br>
<br>
L:<br>
<br>
<br>
On Wed, Nov 27, 2019 at 1:58 PM Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com" rel="noreferrer noreferrer" target="_blank">funduraghu@gmail.com</a>> wrote:<br>
Hi,<br>
<br>
I was trying to receive Netflow logs from firewall devices in syslog-ng and then forward to a central server.<br>
Does syslog-ng support netflow such that I can validate and filter out all non-netflow log lines?<br>
I also dumped some netflow logs to a file and found it to be binary. Therefore I haven't been able to ascertain the format and filtering mechanism.<br>
<br>
Any pointers on this topic would be helpful.<br>
<br>
Thanks<br>
Raghu<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
</blockquote></div>
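The "gateway as a program() source" approach from Laci's reply, and the "validate and filter out all non-netflow" requirement from Raghu's original question, as one added example that is not from the thread or from the syslog-ng project: a Python script that receives NetFlow over UDP, accepts only datagrams that are well-formed NetFlow v5 (version field, record count, exact length), and emits one JSON text line per flow record on stdout for syslog-ng to read. The v5 header and record layouts are the standard fixed ones (v5 is chosen because its layout is fixed; v9 and IPFIX are template-based and need more work). The syslog-ng program() source line shown in the docstring, the listening port 2055, and the build_netflow_v5() helper that constructs sample datagrams for testing are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or the syslog-ng project): a NetFlow v5
-> text gateway meant to run as a syslog-ng program() source, assumed as
    source s_netflow { program("/usr/local/bin/netflow_gw.py" flags(no-parse)); };
Valid datagrams become one JSON line per flow record on stdout; anything
that is not well-formed v5 is dropped and counted on stderr."""
import json
import socket
import struct
import sys
from ipaddress import IPv4Address

NF5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte v5 header
NF5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
NF5_MAX_RECORDS = 30   # v5 exporters put at most 30 records in a datagram

class NotNetflowV5(ValueError):
    """Datagram is not well-formed NetFlow v5."""

def parse_netflow_v5(datagram: bytes):
    """Return (header, records); raise NotNetflowV5 on anything malformed."""
    if len(datagram) < NF5_HEADER.size:
        raise NotNetflowV5("shorter than a v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = NF5_HEADER.unpack_from(datagram)
    if version != 5:
        raise NotNetflowV5(f"version {version}, expected 5")
    if not 1 <= count <= NF5_MAX_RECORDS:
        raise NotNetflowV5(f"record count {count} out of range")
    expected = NF5_HEADER.size + count * NF5_RECORD.size
    if len(datagram) != expected:   # exact length rejects truncation and trailing junk
        raise NotNetflowV5(f"length {len(datagram)}, expected {expected}")
    header = {"version": version, "count": count, "uptime_ms": uptime_ms,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "seq": seq,
              "engine_type": engine_type, "engine_id": engine_id, "sampling": sampling}
    records = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = NF5_RECORD.unpack_from(datagram, off)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "pkts": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "tcp_flags": tcp_flags, "proto": proto,
            "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask})
    return header, records

def is_netflow_v5(datagram: bytes) -> bool:
    """Filter predicate: True only for datagrams the parser accepts."""
    try:
        parse_netflow_v5(datagram)
        return True
    except NotNetflowV5:
        return False

def to_text_lines(datagram: bytes, exporter: str):
    """One JSON line per flow record; every field is an integer or a dotted
    quad, so no unprintable bytes reach the text pipeline."""
    header, records = parse_netflow_v5(datagram)
    ctx = {"exporter": exporter, "engine_id": header["engine_id"],
           "flow_seq": header["seq"], "export_time": header["unix_secs"]}
    return [json.dumps({**ctx, **rec}, sort_keys=True) for rec in records]

def build_netflow_v5(records, unix_secs=1575000000, seq=1):
    """Constructed test input (assumed helper): pack simple dicts into a v5 datagram."""
    body = b"".join(NF5_RECORD.pack(
        int(IPv4Address(r["src"])), int(IPv4Address(r["dst"])), 0, 1, 2,
        r["pkts"], r["octets"], 0, 1000, r["sport"], r["dport"], 0,
        r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 24, 24, 0) for r in records)
    return NF5_HEADER.pack(5, len(records), 1000, unix_secs, 0, seq, 0, 7, 0) + body

def serve(bind="0.0.0.0", port=2055):
    """Gateway loop: UDP in, text lines out, malformed datagrams dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    dropped = 0
    while True:
        datagram, (peer, _port) = sock.recvfrom(65535)
        try:
            lines = to_text_lines(datagram, peer)
        except NotNetflowV5 as exc:
            dropped += 1
            print(f"drop {peer}: {exc} (dropped={dropped})", file=sys.stderr)
            continue
        sys.stdout.write("\n".join(lines) + "\n")
        sys.stdout.flush()   # program() reads a pipe; do not let flows sit in a buffer

if __name__ == "__main__":
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 2055)
```

Because the gateway rejects anything whose version, record count or total length does not match a v5 datagram, stray syslog text or a v9/IPFIX export arriving on the same port is counted and dropped instead of being forwarded as garbage; the flow lines it does emit contain only integers and dotted-quad addresses, which sidesteps the "not all bytes are printable" problem from Laci's reply.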