<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">It really depends on the format of your
stored message files. If any information is missing, then you
can't expect to recreate the original source messages.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">We store the messages in a format
defined as</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">template("<$PRI>$ISODATE
$FULLHOST $FACILITY.$LEVEL $MSGHDR$MESSAGE\n");</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">which looks like</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">2023-04-13T06:15:01.613-07:00
my.host.name cron.info CROND[662460]: (root) CMD
(/usr/local/sbin/fscheck)<br>
<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">These messages can be read back with a
no-parse option from a named pipe</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">source s_replay {
pipe("/var/log/syslog.pipes/replay" log_iw_size(100000)
log_fetch_limit(5000) flags(no-parse) ); };<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">and parsed with a pattern database
(attached) with</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">parser p_rawsyslog {<br>
db_parser(<br>
file("/usr/local/etc/syslog-ng/patterndb.d/reprocess.xml")<br>
inject_mode(internal)<br>
);<br>
};<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">log {<br>
source(s_replay);<br>
parser(p_rawsyslog);</div>
<div class="moz-cite-prefix">...</div>
<div class="moz-cite-prefix">};</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Then sent to any destination with
templated values from the parsing.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">template t_replay {
template("<$pri>$parsedate $parsehost $parsemessage\n");
template_escape(no); };<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Message files can be fed into this with
the command</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">cat log.file.name >>
/var/log/syslog.pipes/replay</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Hope that helps as a starting point.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Evan<br>
</div>
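<div class="moz-cite-prefix">As an added example (not part of Evan's reply or of syslog-ng itself), the same replay done by a standalone Python script: it parses lines in the stored template above, recomputes PRI from the facility.level keywords so a line recorded without the PRI prefix still works, rejects a present PRI that disagrees with them, and emits RFC 5424 lines. The sample lines are constructed, and the script assumes the SIEM receiver accepts RFC 5424 rather than BSD-format syslog.</div>

```python
import re
# Facility and severity keywords in RFC 3164 numeric order, as syslog-ng names them.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# One stored line: <$PRI>$ISODATE $FULLHOST $FACILITY.$LEVEL $MSGHDR$MESSAGE
# The <PRI> prefix is optional so a line recorded without it still parses.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<facility>[a-z0-9-]+)\.(?P<level>[a-z]+) (?P<rest>.*)$")
# $MSGHDR is "program[pid]: " or "program: "; the [pid] part is optional.
HDR_RE = re.compile(r"^(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_stored_line(line):
    """Split one stored line into fields; raises ValueError on any inconsistency."""
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not in stored template format: {line!r}")
    fac, lvl = m.group("facility"), m.group("level")
    # list.index raises ValueError for an unknown keyword, which the caller reports.
    pri = FACILITIES.index(fac) * 8 + SEVERITIES.index(lvl)
    if m.group("pri") is not None and int(m.group("pri")) != pri:
        raise ValueError(f"<{m.group('pri')}> disagrees with {fac}.{lvl}, expected <{pri}>")
    h = HDR_RE.match(m.group("rest"))
    prog, pid, msg = (h.group("prog"), h.group("pid"), h.group("msg")) if h else (None, None, m.group("rest"))
    return {"pri": pri, "ts": m.group("ts"), "host": m.group("host"), "program": prog, "pid": pid, "msg": msg}

def to_rfc5424(rec):
    """Rebuild an RFC 5424 line; the ISO timestamp and its offset survive, which the BSD format would drop."""
    return (f"<{rec['pri']}>1 {rec['ts']} {rec['host']} {rec['program'] or '-'} "
            f"{rec['pid'] or '-'} - - {rec['msg']}")

def replay_lines(lines):
    """Convert every stored line; malformed lines are reported with their number, not silently dropped."""
    out, rejected = [], []
    for n, line in enumerate(lines, 1):
        try:
            out.append(to_rfc5424(parse_stored_line(line)))
        except ValueError as e:
            rejected.append((n, str(e)))
    return out, rejected

# Constructed sample input: the line quoted in the thread (stored without <PRI>) plus two made-up lines.
SAMPLE = [
    "2023-04-13T06:15:01.613-07:00 my.host.name cron.info CROND[662460]: (root) CMD (/usr/local/sbin/fscheck)\n",
    "<38>2023-04-13T06:15:02.000-07:00 my.host.name auth.info sshd[1234]: Accepted publickey for bob\n",
    "garbage that never matched the template\n",
]
```

Review the rejected list before trusting a replay: a line the script cannot reconstruct is a line the SIEM will never see.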
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2023-04-13 04:45, Dragan Zecevic
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:PAWPR10MB78683E600767339A8ABC49E3F7989@PAWPR10MB7868.EURPRD10.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<br>
<div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof">
Hi,</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
we have syslog-ng Open Source Edition 3.33 and we are storing
syslog messages from some systems into log files locally on a
partition on the syslog-ng server.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Each day those log files are compressed.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
In order to better analyze some logs if needed we would like
to extract some log files and ingest them to SIEM.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Is it possible to make some forwarder that will read these RAW
syslog messages from a log file and send them via syslog to
SIEM?</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Thank you.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Br,</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Dragan</div>
</div>
</blockquote>
<br>
</body>
</html>