You are right, I am trying the same with a named pipe so that osquery consumes syslogs, as pointed out by Evan. There are plenty of documents showing the same with rsyslog but not with syslog-ng.
This is my syslog configuration for osquery:
/etc/syslog-ng/conf.d/osquery.conf
source s_osquery {
    # system();
    pipe("/var/osquery/syslog_pipe");
    # unix-stream("/dev/log");
};
#filter osqueryd {
#    program("^osqueryd.*");
#};
destination d_osquery {
    file("/var/log/osquery/osqueryd.results.log"
         template("$(format-json --scope selected_macros --scope nv_pairs)\n"));
};
log {
    source(s_osquery);
    # filter(osqueryd);
    destination(d_osquery);
};
But this does not produce any logs for osquery. I have checked, the named pipe has been created.
# ls -l /var/osquery/syslog_pipe
pr--rw---- 1 root adm 0 Apr 14 15:41 /var/osquery/syslog_pipe
But when I try to check what logs are passing through the pipe using the following command, no message shows up.
# cat /var/osquery/syslog_pipe
I have the correct options set in the osquery configuration file, /etc/osquery/osquery.conf.
..................
..................
"logger_plugin": "syslog",
"enable_syslog": "true",
"syslog_pipe_path": "/var/osquery/syslog_pipe",
..................
..................
I think Evan can point me to the right configuration for syslog-ng (version 3.5.6 on Ubuntu 16).
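The hand-off the post is trying to set up is a plain FIFO: one process (the syslog daemon) writes lines into the named pipe, another (osqueryd) reads them, and nothing is stored in the pipe itself. The script below is an added example, not code from the poster or from the osquery or syslog-ng projects; it builds a scratch FIFO, pushes one constructed syslog-style line through it from a stand-in writer, and returns what a stand-in reader received. The scratch path and the sample line are constructed for the demo and are not the real /var/osquery/syslog_pipe.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the named-pipe hand-off
# that the osquery syslog logger relies on. A background writer stands in for
# the syslog daemon's pipe destination, a foreground reader stands in for osqueryd.

# Return 0 if the path exists and is a FIFO (named pipe), 1 otherwise.
# This is the check to run before anything else: 'ls -l' showing 'p' as the
# first character means the same thing.
is_fifo() {
    [ -p "$1" ]
}

# Create a FIFO in a scratch directory, send one line through it, and print
# the line the reader got back. Paths and the sample line are constructed.
pipe_roundtrip() {
    dir=$(mktemp -d)
    fifo="$dir/syslog_pipe"
    mkfifo -m 0660 "$fifo"
    # Constructed sample in a CSV-like shape a syslog template might emit.
    sample='2024-04-14T15:41:00+00:00,host1,6,daemon,osqueryd[1234],demo message'
    # A writer blocks on open() until some reader opens the FIFO, so it must
    # run in the background; otherwise this script would hang here.
    ( printf '%s\n' "$sample" > "$fifo" ) &
    writer=$!
    # Reader side: one open/read of the FIFO, the way a consumer daemon does it.
    read -r line < "$fifo"
    wait "$writer"
    rm -rf "$dir"
    printf '%s' "$line"
}
```

Two things this makes visible when diagnosing the setup in the post. First, a FIFO holds no data: a size of 0 in `ls -l` is normal, and a writer with no reader simply blocks (or, for a daemon, queues or drops), so an empty `cat` on the pipe proves only that nothing was written while `cat` was attached. Second, FIFO reads are not broadcast: a line is delivered to whichever reader gets it first, so running `cat` on the pipe while osqueryd is attached takes messages away from osqueryd rather than showing a copy of them.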