December 2023 - syslog-ng - lists.balabit.hu

Syslog-ng Not Working properly
by Sumanta Banerjee 15 Jan '24

15 Jan '24

Hi Team, I am trying to configure syslog-ng in one our linux instance to get NGIPS/FMC data via udp connection on its default port (514). I have configured syslog-ng.conf under /etc/syslog-ng and then we have set SE Linux as Permissive. I am using RHEL 8.7 and syslog version 4.0. Apparently all looked good to me however while checking in the destination path that is mentioned I don't see any directory or logfile from for the said udp connection got created. Below is our observation and steps that we executed, can any of you please help me telling where I went wrong or if I am missing something, there is another testing in pipeline that is stalled for this - 1. Define source, destination and log_file in syslog-ng.conf (file attached). 2. Run the below SELinux command - # ausearch -c 'syslog-ng' --raw | audit2allow -M my-syslogng # semodule -X 300 -i my-syslogng.pp 1. Restart syslog-ng service - # systemctl restart syslog-ng.service (no error message received) 1. Check if the service is running - [cid:image002.png@01D99309.5147A9A0] 1. Check if syslog-ng is listening to udp port 514 - [cid:image003.png@01D99309.5147A9A0] 1. Checked and we have incoming data stream from source using the below command - tcpdump -i any -c10 -nn -A port 514 1. I have went through the syslog-ng troubleshooting steps mentioned in the link - https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edi… [cid:image004.png@01D9930B.D0B70940] syslog-ng -Fdev command output is also attached. 1. While running the following command got the below output - # watch '/usr/sbin/syslog-ng-ctl stats | grep "^center"' [cid:image005.png@01D99311.15E497D0] 1. # journaltctl command output (first 500 lines) attached 1. Current SE Linux status : [cid:image006.png@01D9931C.B8765370] 1. Our syslog-ng is logging to /var/log/messages and we are getting this message in /var/log/messages - [cid:image007.png@01D9931E.592725A0] Thanks & Regards, Sumanta Banerjee Splunk Admin | CISO | Aviva Group Tel: +91-8420892593 24x7x365: +44 1603 208 582 sumanta.banerjee(a)aviva.com<mailto:sumanta.banerjee@aviva.com> GlobalCyberSecurityEngineeringTeam(a)aviva.com<mailto:GlobalCyberSecurityEngineeringTeam@aviva.com> www.aviva.com<http://www.aviva.com> Wipro Technologies - SJP2, Bangalore, India [cid:image001.gif@01D99303.20AF3AC0] Aviva: Internal Aviva plc, registered Office: St. Helen's, 1 Undershaft, London EC3P 3DQ. Registered in England No. 02468686. www.aviva.com This message and any attachments may be confidential or legally privileged. If you are not the intended recipient, please telephone or e-mail the sender and delete this message and any attachments from your system. Also, if you are not the intended recipient you must not copy this message or attachments or disclose the contents to any other person. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Aviva.

2 4

Critical Severity Security Advisory: Apache Struts Vulnerability CVE-2023-50164
by Mayekar, PrachiX 16 Dec '23

16 Dec '23

Hi Team, Can you please confirm whether Syslog is affected by this vulnerability: Critical Severity Security Advisory: Apache Struts Vulnerability CVE-2023-50164 Thanks & Regards, Prachi Mayekar ITI-Network Services A Contingent Worker at Intel For assistance, please visit us at https://it.intel.com<https://it.intel.com/>

3 2

Insider 2023-12: compressed HTTP; packages; OpenObserve; duplicates;
by Peter Czanik (pczanik) 14 Dec '23

14 Dec '23

Dear syslog-ng users, This is the 115th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news. NEWS Compressing HTTP traffic in syslog-ng ------------------------------------- Network traffic is expensive in the cloud, and even a single syslog-ng instance can easily saturate the full bandwidth of a network connection. Compressing HTTP traffic was introduced in syslog-ng Version 4.4.0 and depending on your use case, you can cut down on your expenses on your networking or send more logs using the same budget or bandwidth. Development of this feature was done using a locally installed OpenResty web server, and later tested using Sumologic. However, according to the docs it should also work with Splunk, Elasticsearch, and many other services accessible using the http() destination. https://www.syslog-ng.com/community/b/blog/posts/compressing-http-traffic-i… Why is a feature not available in the syslog-ng package? -------------------------------------------------------- You can read about many interesting syslog-ng features in my blogs. However, it can happen that when you want to try them at home, you fail because the feature is missing. How can you solve such problems? In this blog, I discuss some of the possible solutions from installing sub-packages through using unofficial repositories, to upgrading your OS. This blog focuses on RPM packages for openSUSE / SLES, Fedora / RHEL, and FreeBSD, because these are the packages I know – I am their maintainer. However, these problems and their solutions also apply to Debian / Ubuntu, and other Linux distributions. https://www.syslog-ng.com/community/b/blog/posts/why-is-a-feature-not-avail… Sending logs to OpenObserve using syslog-ng ------------------------------------------- A question was asked if syslog-ng can send logs to OpenObserve. It has an Elasticsearch compatible API for log ingestion, but syslog-ng is not mentioned in the documentation. My plan was to document how to modify the syslog-ng elasticsearch-http() destination, based on API documentation. However, as it turned out, OpenObserve has a ready to use syslog-ng configuration example in the web UI. https://www.syslog-ng.com/community/b/blog/posts/sending-logs-to-openobserv… Removing duplicate messages with syslog-ng in a redundant logging environment ----------------------------- Creating highly available servers is difficult. Sending logs to two (or more) servers and hoping that at least one of them can collect logs any time is a lot easier. Since network traffic and storage are cheap, redundancy is usually not a problem. However, once you also want to analyze your log messages using a SIEM or other software, you do not want duplicate log messages. In this blog, I show you how you can make sure that each log message produced on your network reaches your SIEM system only once. Sending logs to a SIEM is expensive: both resource usage and licensing costs are much higher than at the log management level. https://www.syslog-ng.com/community/b/blog/posts/removing-duplicate-message… WEBINARS * You can browse recordings of past webinars at https://www.syslog-ng.com/events/ Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/ Peter Czanik (CzP) <peter.czanik(a)oneidentity.com> Balabit (a OneIdentity company) / syslog-ng upstream https://syslog-ng.com/community/ https://twitter.com/PCzanik

1 0