<div dir="auto">Great to see that the Linux Audit parser and grouping-by() is finally getting used. Would be great if you could summarize your use case and the solution in a blog post somewhere. <div dir="auto"><br></div><div dir="auto">Maybe this could even be published in the <a href="http://syslog-ng.com">syslog-ng.com</a> blog if you don't have anywhere else to post.<div dir="auto"><br></div><div dir="auto">Cheers,</div><div dir="auto">Bazsi</div><div dir="auto"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 4, 2020, 09:56 Maciek Solnicki <<a href="mailto:msolnicki@gmail.com">msolnicki@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Gabor,<div><br></div><div>My use case is this: save every command issued in the Linux system. <b>Auditd </b>is a great tool for the job, but it produces logs multiline, which makes them hard to use in external log management solutions. Sure, I could do multiline aggregation on the external system side, but if I would have multiple linux systems sending logs, and from each such system I would need to aggregate multiline logs, it could take a considerable amount of processing power for the log management system. Hence the idea to do it locally, before sending logs out. It also gives me possibility to only forward logs with fields which are of interest to me, skipping everything else:</div><div><br></div><div><div> destination {</div><div> network(</div><div> "192.168.1.40"</div><div> port(10514)</div><div> log-fifo-size(10000)</div><div> template("$(format-json <b>exe cwd a* success pid msg</b>)\n")</div><div> );</div></div><div><br></div><div>I can clearly see in the output logs that correlation works as intended in this configuration. Several logs are concatenated into one based on the key <b>msg</b>. If I understand correctly it is because of this option: <b>inherit-mode(context)</b> which is default. I have set a new value-pair only to see if it works and have something to grep for.</div><div><br></div><div>Example from documentation which you provided is not really useful for my use case - in this example, number of correlated messages is known, so you can explicitly state, which fields from which correlated messages are to be copied to output message. But in my case, I do not know how many messages will be correlated, hence I cannot use statements such as <b>${<field_name>}@<correlated_message_number>.</b></div><div><b><br></b></div><div>But it is just a digression, since my config works as intended, I have no further questions and I thank you all for help :-)</div><div><br></div><div>Kind regards</div><div>Maciej</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">wt., 3 lis 2020 o 17:34 Gabor Nagy (gnagy) <<a href="mailto:Gabor.Nagy@oneidentity.com" target="_blank" rel="noreferrer">Gabor.Nagy@oneidentity.com</a>> napisał(a):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Hi Maciek!<br>
<br>
I've checked the documentation and I've found documentation bug about an example for value() option:<br>
<a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.26/administration-guide/86#TOPIC-1431237" id="m_-1888593610856641842gmail-m_-4440972856344943269LPlnk707875" target="_blank" rel="noreferrer">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.26/administration-guide/86#TOPIC-1431237</a><br>
<br>
Thanks for your notice, I've checked the whole chapter of grouping-by!<br>
About improving the documentation:<br>
I admit that the chapter where grouping-by() options listed is a bit dense in case of the value() in the aggregate() option.<br>
We will discuss this with the doc writer team, when they process the grouping-by() parser example config bug I've reported.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
Otherwise, I think Fabien helped you find out where is the problem: in your destination side template, you only include the .auditd. macros, which have been parsed by linux-auditd-parser().<br>
$MESSAGE macro was missing from the template which is set by the grouping-by parser.<br>
<br>
<span style="background-color:rgb(255,255,255);display:inline">I don't know your use case, but<span> </span></span>I think your current solution lacks any usage of correlation: even though you set a new name-value pair in the aggregated message
(.auditd.test), it's basically the same message as the last message that arrived into the same context.<br>
As Fabien said, you will see that same message twice (the last message before the timeout expired).<br>
The above link shows a good example (I'm copying a fixed version of it) what you can do with message contexts:<br>
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
aggregate(</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
...<br>
value('MESSAGE' 'An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@2 closed. Session lasted from ${DATE}@2 to ${DATE}')<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
Regards,<br>
Gabor<br>
<br>
</div>
<div id="m_-1888593610856641842gmail-m_-4440972856344943269appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-1888593610856641842gmail-m_-4440972856344943269divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Fabien Wernli <<a href="mailto:wernli@in2p3.fr" target="_blank" rel="noreferrer">wernli@in2p3.fr</a>><br>
<b>Sent:</b> Tuesday, November 3, 2020 15:32<br>
<b>To:</b> Maciek Solnicki <<a href="mailto:msolnicki@gmail.com" target="_blank" rel="noreferrer">msolnicki@gmail.com</a>><br>
<b>Cc:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Requesting help with Grouping-by function</font>
<div> </div>
</div>
<div><font size="2"><span style="font-size:11pt">
<div>CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Hi,<br>
<br>
If you want to see more Macros in json you can use scopes, for instance:<br>
<br>
format-json -s nv-pairs # all generic non-dot macros<br>
format-json -s all-nv-pairs # all generic macros<br>
format-json -s everything # as advertised<br>
<br>
cheers<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C5fb2a20040a54610eba508d8800559da%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637400107786812381%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=qHmBE%2BaE5kDGmXbGg2E1KdJCKmHp1%2Bw62Uy7BupqlLM%3D&reserved=0" target="_blank" rel="noreferrer">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C5fb2a20040a54610eba508d8800559da%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637400107786812381%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=qHmBE%2BaE5kDGmXbGg2E1KdJCKmHp1%2Bw62Uy7BupqlLM%3D&reserved=0</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C5fb2a20040a54610eba508d8800559da%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637400107786812381%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=l0Y1NnxYxEyQstr7N%2Bp%2BKkLTIMvUt6ATDec8B18ufZo%3D&reserved=0" target="_blank" rel="noreferrer">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C5fb2a20040a54610eba508d8800559da%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637400107786812381%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=l0Y1NnxYxEyQstr7N%2Bp%2BKkLTIMvUt6ATDec8B18ufZo%3D&reserved=0</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C5fb2a20040a54610eba508d8800559da%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637400107786812381%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=dp%2FGkudcz87cnFnuj12bSKjc4TZP1YsoWZnHi1uHmXE%3D&reserved=0" target="_blank" rel="noreferrer">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C5fb2a20040a54610eba508d8800559da%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637400107786812381%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=dp%2FGkudcz87cnFnuj12bSKjc4TZP1YsoWZnHi1uHmXE%3D&reserved=0</a><br>
<br>
</div>
</span></font></div>
</div>
</blockquote></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>