<div dir="auto"><div dir="auto">Thanks.</div>Is there any way to disable this for tcp?<div dir="auto">I.e. just send the message as is</div><div dir="auto"><br></div><div dir="auto">Raghu</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 3, 2019, 19:37 Attila Szakacs (aszakacs) <<a href="mailto:Attila.Szakacs@oneidentity.com">Attila.Szakacs@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Hi,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
The tcp destination uses RFC3164 protocol by default.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<a href="https://tools.ietf.org/html/rfc3164#section-4.1" target="_blank" rel="noreferrer">https://tools.ietf.org/html/rfc3164#section-4.1</a><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Best regards,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Attila</div>
<div id="m_8378992053296725883appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_8378992053296725883divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com" target="_blank" rel="noreferrer">funduraghu@gmail.com</a>><br>
<b>Sent:</b> Tuesday, December 3, 2019 2:07 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Support for netflow logs</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="auto">Hi,
<div dir="auto"><br>
</div>
<div dir="auto">I observe that timestamp and host are getting added to my netflow log before being forwarded even though I am</div>
<div dir="auto">using pure tcp driver for output and not syslog.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Raghu</div>
</div>
<br>
<div>
<div dir="ltr">On Mon, Dec 2, 2019, 20:49 Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com" target="_blank" rel="noreferrer">funduraghu@gmail.com</a>> wrote:<br>
</div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">Thanks.</div>
<br>
<div>
<div dir="ltr">On Mon, Dec 2, 2019, 18:02 Laszlo Szemere (lszemere) <<a href="mailto:Laszlo.Szemere@oneidentity.com" rel="noreferrer noreferrer" target="_blank">Laszlo.Szemere@oneidentity.com</a>> wrote:<br>
</div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Raghu,<br>
Netflow is indeed a binary protocol. Since Syslog-ng is a text-based log management system, I think your only option is to find some kind of "gateway" for the Netflow traffic.<br>
<br>
The gateway should be able to receive and convert those packets into a text format. (At this point you will certainly lose some information, since not all network related bytes can be converted into a printable character. Or you should use some encoding on
it.)<br>
This gateway might run as a standalone application, or you can integrate it into Syslog-ng as a program (or python) source.<br>
<br>
Best regards,<br>
Laci<br>
<br>
________________________________________<br>
From: syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer noreferrer noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Pal, Laszlo <<a href="mailto:vlad@vlad.hu" rel="noreferrer noreferrer noreferrer" target="_blank">vlad@vlad.hu</a>><br>
Sent: Wednesday, November 27, 2019 14:03<br>
To: Syslog-ng users' and developers' mailing list<br>
Subject: Re: [syslog-ng] Support for netflow logs<br>
<br>
I'm also interested in this. As I know there is no native netflow input in syslog-ng and when I did some research on it, it is not very easy. Logstash has a native netflow input and output, but it seems this is abandoned and not very stable. nxLog also supports
netflow but I'm not sure if it is only in the enterprise version or it is available in the CE too.<br>
<br>
L:<br>
<br>
<br>
On Wed, Nov 27, 2019 at 1:58 PM Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com" rel="noreferrer noreferrer noreferrer" target="_blank">funduraghu@gmail.com</a>> wrote:<br>
Hi,<br>
<br>
I was trying to receive Netflow logs from firewall devices in syslog-ng and then forward to a central server.<br>
Does syslog-ng support netflow such that I can validate and filter out all non-netflow log lines?<br>
I also dumped some netflow logs to a file and found it to be binary. Therefore I haven't been able to ascertain the format and filtering mechanism.<br>
<br>
Any pointers on this topic would be helpful.<br>
<br>
Thanks<br>
Raghu<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote></div>