Hi,

What are you trying to achieve? Sending syslog messages to OSquery, or collecting OSquery logs with syslog-ng?

/me now has a test environment installed

Bye,

Peter Czanik (CzP) <peter.czanik@balabit.com>
Balabit / syslog-ng upstream
https://www.balabit.com/blog/author/peterczanik/
https://twitter.com/PCzanik

On Mon, Apr 17, 2017 at 4:32 PM, Dwijadas Dey <dwijad@gmail.com> wrote:
Hi Robert,

You are right, I am trying the same with a named pipe so that OSQUERY consumes syslogs, as pointed out by Evan. There are plenty of documents showing the same with rsyslog but not with syslog-ng.
This is my syslog-ng configuration for osquery:
/etc/syslog-ng/conf.d/osquery.conf
source s_osquery {
    # system();
    pipe("/var/osquery/syslog_pipe");      # read lines from the named pipe
    # unix-stream("/dev/log");
};

#filter osqueryd {
#    program("^osqueryd.*");
#};

destination d_osquery {
    file("/var/log/osquery/osqueryd.results.log"
        template("$(format-json --scope selected_macros --scope nv_pairs)\n")
    );
};

log {
    source(s_osquery);
    # filter(osqueryd);
    destination(d_osquery);
};
But this does not produce any logs for OSQUERY. I have checked; the named pipe has been created.
# ls -l /var/osquery/syslog_pipe
pr--rw---- 1 root adm 0 Apr 14 15:41 /var/osquery/syslog_pipe
But when I try to check what logs are passing through the pipe using the following command, no message shows up.

# cat /var/osquery/syslog_pipe
I have the correct options set in the OSQUERY configuration file in /etc/osquery/osquery.conf.
..................
..................
  "logger_plugin": "syslog",
  "enable_syslog": "true",
  "syslog_pipe_path": "/var/osquery/syslog_pipe",
..................
..................

I think Evan can point me to the right configuration for syslog-ng (version 3.5.6 on Ubuntu 16).
Regards
On Mon, Apr 17, 2017 at 6:24 PM, Fekete, Róbert <robert.fekete@balabit.com> wrote:
Hi,
It seems that by default, osquery logs JSON messages into a file (https://osquery.readthedocs.io/en/latest/deployment/logging/). You can use this file in a syslog-ng source, and parse the JSON messages with the json parser (note that you need a recent syslog-ng OSE for this), see https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/json-parser.html .
The above Osquery page mentions that it can send log messages directly to syslog (instead of a file), but I haven't found how you can actually configure it.
Regards,
Robert
On Fri, Apr 14, 2017 at 9:46 PM, Dwijadas Dey <dwijad@gmail.com> wrote:
Hi list users,

Is it possible to send OSQUERY logs to syslog-ng 3.5? In the OSQUERY docs <https://osquery.readthedocs.io/en/latest/deployment/syslog/> rsyslog is configured to write logs to syslog. Does the same method apply to syslog-ng 3.5?
Thanks and regards
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
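The two directions Peter asks about above, as an added example written for this thread (it is neither the poster's configuration nor anything shipped by the osquery or syslog-ng projects). It is a drop-in for /etc/syslog-ng/conf.d/osquery.conf and assumes Ubuntu's stock /etc/syslog-ng/syslog-ng.conf, which sets @version, includes scl.conf and already defines the system source s_src; reusing s_src avoids opening /dev/log twice. The pipe and log paths are the ones from the thread, the CSV field order is assumed to follow the rsyslog template in the osquery syslog docs linked above (time, host, severity, facility, tag, message), the mapping of rsyslog's syslogtag to $PROGRAM is an approximation, and the parsed-output path is made up for the example.

```conf
# /etc/syslog-ng/conf.d/osquery.conf  (added example; assumes Ubuntu's stock
# syslog-ng.conf with @version, @include "scl.conf" and
# source s_src { system(); internal(); } already defined)

#
# Direction 1: syslog-ng -> osquery.
# osqueryd creates syslog_pipe_path and is the process that READS it, so on
# the syslog-ng side the pipe is a destination, not a source.  Field order
# assumed from the rsyslog template in the osquery syslog docs:
# time, host, severity, facility, tag, message.
#
destination d_osquery_pipe {
    pipe("/var/osquery/syslog_pipe"
        # Minimal CSV quoting.  A message body containing a literal double
        # quote breaks the field; rsyslog's csv property option escapes it,
        # this template does not (known limitation of the example).
        template("\"$ISODATE\",\"$HOST\",\"$LEVEL_NUM\",\"$FACILITY\",\"$PROGRAM\",\"$MSGONLY\"\n")
    );
};

log {
    source(s_src);                  # Ubuntu's system() source (assumption)
    destination(d_osquery_pipe);
};

#
# Direction 2: osquery -> syslog-ng.
# With the default filesystem logger plugin osqueryd writes one JSON object
# per line to osqueryd.results.log.  Follow the file and parse every line
# with json-parser (in syslog-ng OSE since 3.4, so 3.5.6 qualifies).
#
source s_osquery_results {
    file("/var/log/osquery/osqueryd.results.log"
        follow-freq(1)
        flags(no-parse)     # the whole line is the payload, no syslog header
    );
};

parser p_osquery_json {
    json-parser(prefix("osq."));    # keys become ${osq.name}, ${osq.hostIdentifier}, ...
};

destination d_osquery_parsed {
    # Output path is an assumption for the example.
    file("/var/log/syslog-ng/osquery-parsed.log"
        template("${osq.name} ${osq.hostIdentifier} ${osq.action} $(format-json --scope nv_pairs)\n")
    );
};

log {
    source(s_osquery_results);
    parser(p_osquery_json);
    destination(d_osquery_parsed);
};
```

Check the file with `syslog-ng --syntax-only` before `service syslog-ng reload`. Two caveats when testing the pipe direction: a FIFO has no storage of its own, so syslog-ng can only deliver while some process holds the pipe open for reading, and any second reader (such as `cat /var/osquery/syslog_pipe` run while osqueryd is up) competes with osqueryd for lines rather than observing them. The pipe listed in the thread is `root:adm` with group write, which is enough for syslog-ng running as root on Ubuntu; a syslog-ng running as a dedicated user would need to be in that group.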