Hi,

It seems that by default, osquery logs JSON messages into a file (https://osquery.readthedocs.io/en/latest/deployment/logging/).
You can use this file in a syslog-ng source, and parse the JSON messages with the json parser (note that you need a recent syslog-ng OSE for this), see https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/json-parser.html .


The above Osquery page mentions that it can send log messages directly to syslog (instead of a file), but I haven't found how you can actually configure it.

Regards,

Robert
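The file-source-plus-json-parser approach described above, written out as a syslog-ng OSE configuration. This is an added example, not Robert's config or anything from the osquery docs; it assumes osquery writes its results log to /var/log/osquery/osqueryd.results.log (the osquery default logger_path, adjust if yours differs), that the installed syslog-ng OSE provides json-parser(), and that the top-level osquery result fields (name, hostIdentifier, action, calendarTime, columns) match what your osquery version emits.

```conf
@version: 3.5

# Read the osquery results log line by line. flags(no-parse) keeps each
# whole line as ${MESSAGE} instead of trying to treat it as a syslog header,
# which is what json-parser() needs since the lines are plain JSON objects.
source s_osquery {
    file("/var/log/osquery/osqueryd.results.log"   # assumed default osquery path
         flags(no-parse)
         follow-freq(1));
};

# Parse the JSON object in ${MESSAGE} into name-value pairs under the
# ".osquery." prefix, e.g. ${.osquery.name}, ${.osquery.action},
# ${.osquery.hostIdentifier}, ${.osquery.columns.<column>}.
parser p_osquery_json {
    json-parser(prefix(".osquery."));
};

# Rebuild a syslog-style message from the parsed fields so downstream
# consumers get the scheduled query name and differential action up front.
rewrite r_osquery_msg {
    set("osquery ${.osquery.hostIdentifier} query=${.osquery.name} "
        "action=${.osquery.action} time=${.osquery.calendarTime}",
        value("MESSAGE"));
    set("osqueryd", value("PROGRAM"));
};

# Local copy, one parsed result per line.
destination d_osquery_local {
    file("/var/log/osquery-parsed.log");
};

# Forward to a central collector over the IETF syslog protocol (hostname
# and port are placeholders for your own collector).
destination d_osquery_remote {
    syslog("syslog-collector.example.internal" transport("tcp") port(601));
};

log {
    source(s_osquery);
    parser(p_osquery_json);
    rewrite(r_osquery_msg);
    destination(d_osquery_local);
    destination(d_osquery_remote);
};
```

Run `syslog-ng --syntax-only` after installing the snippet to confirm that json-parser() is available in your build before reloading.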

On Fri, Apr 14, 2017 at 9:46 PM, Dwijadas Dey <dwijad@gmail.com> wrote:
Hi list users,

Is it possible to send OSQUERY logs to syslog-ng 3.5? In the OSQUERY docs rsyslog is configured to write logs to syslog. Does the same method apply to syslog-ng 3.5?

Thanks and regards

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq