Hi,

After being less than impressed with the stability of rsyslog, I just discovered syslog-ng and it looks really impressive but a bit overwhelming! I have a simple configuration with my existing rsyslog set up where it's performing normal system syslog responsibilities but also tagging other log files and then forwarding them to a centralized log server. The examples I've seen for syslog-ng are making my head swim so I was hoping someone would be able to point me in the right direction on how to do the same with syslog-ng.

Thank you
Miguel Alvarez <miguellvrz9@gmail.com> writes:
After being less than impressed with the stability of rsyslog, I just discovered syslog-ng and it looks really impressive but a bit overwhelming!
I have a simple configuration with my existing rsyslog set up where it's performing normal system syslog responsibilities but also tagging other log files and then forwarding them to a centralized log server. The examples I've seen for syslog-ng are making my head swim so I was hoping someone would be able to point me in the right direction on how to do the same with syslog-ng.
I don't quite understand the "tagging other log files" part, I'm afraid (but my rsyslog knowledge is... *ahem* lacking). Could you perhaps share the rsyslog config with us? We could then see about how to convert it to a similar syslog-ng.conf.

(By the way, an rsyslog.conf->syslog-ng.conf converter has been requested before, and one of these days I might get around to writing it, especially if there's bigger interest in such a tool.)

-- 
|8]
On Thu, Nov 3, 2011 at 9:27 AM, Gergely Nagy <algernon@balabit.hu> wrote:
Miguel Alvarez <miguellvrz9@gmail.com> writes:
After being less than impressed with the stability of rsyslog, I just discovered syslog-ng and it looks really impressive but a bit overwhelming!
I have a simple configuration with my existing rsyslog set up where it's performing normal system syslog responsibilities but also tagging other log files and then forwarding them to a centralized log server. The examples I've seen for syslog-ng are making my head swim so I was hoping someone would be able to point me in the right direction on how to do the same with syslog-ng.
I don't quite understand the "tagging other log files" part, I'm afraid (but my rsyslog knowledge is... *ahem* lacking). Could you perhaps share the rsyslog config with us?
We could then see about how to convert it to a similar syslog-ng.conf.
(By the way, an rsyslog.conf->syslog-ng.conf converter has been requested before, and one of these days I might get around to writing it, especially if there's bigger interest in such a tool.)
Thank you for the quick reply, Gergely!

Sorry, I should have elaborated on the tagging other files part. I have a system that runs snort as well as bro. Snort writes its alert file to /var/log/snort/alert. Bro writes to a few files such as /var/log/bro/conn.log and /var/log/bro/http.log. Right now, I have rsyslog tagging each with a description of the given alert file so they can be filtered on the remote log server side: "[SNORT]" for snort, "[BRO-CONN]" and "[BRO-HTTP]" for bro's conn.log and http.log respectively. Here are the rsyslog configuration sections for those three logs:

    $InputFileName /var/log/snort/alert
    $InputFileTag [SNORT]
    $InputFileStateFile snortalertstate
    $InputFilePollInterval 5
    $InputFileFacility local7
    $InputFileSeverity info
    $InputRunFileMonitor

    $InputFileName /var/log/bro/conn.log
    $InputFileTag [BRO-CONN]
    $InputFileStateFile bro-conn
    $InputFilePollInterval 5
    $InputFileFacility local7
    $InputFileSeverity local
    $inputRunFileMonitor

    $InputFileName /var/log/bro/http.log
    $InputFileTag [BRO-HTTP]
    $InputFileStateFile bro-http
    $InputFilePollInterval 5
    $InputFileFacility local7
    $InputFileSeverity info
    $InputRunFileMonitor

I've attached the entire rsyslog.conf to this email, but the "$InputFileStateFile" file is like barnyard's waldo file where it keeps track of where it is in the logs so it doesn't resend the already sent log messages.

I think an rsyslog.conf > syslog-ng.conf tool would be hugely helpful! Especially since some Linux distros like Ubuntu, I think, are shipping with rsyslog as the default log server now, and if the only real barrier to migrating to syslog-ng is eased to the point where it's a non-issue, you'd likely have a lot more adoptees! Just my $0.02 anyway :-)

Thank you again for the help!
Miguel Alvarez <miguellvrz9@gmail.com> writes:
Sorry, I should have elaborated on the tagging other files part.
I have a system that runs snort as well as bro. Snort writes its alert file to /var/log/snort/alert . Bro writes to a few files such as /var/log/bro/conn.log and /var/log/bro/http.log . Right now, I have rsyslog tagging each with a description of the given alert file so they can be filtered on the remote log server side. "[SNORT]" for snort, "[BRO-CONN]" and "[BRO-HTTP]" for bro's conn.log and http.log respectively. Here are the rsyslog configuration sections for those three logs:
Aha!

Well, something similar is possible with syslog-ng as well: (beware, completely untested, there might be typos!)

    ###
    # File sources
    # ------------
    #
    # These set up sources, and tag them appropriately. We'll use the tags
    # later in the rewrite rules.
    ###
    source s_snort_alert { file("/var/log/snort/alert"); tag("snort"); };
    source s_bro_conn { file("/var/log/bro/conn.log"); tag("bro-conn"); };
    source s_bro_http { file("/var/log/bro/http.log"); tag("bro-http"); };

    ###
    # Templates
    # ---------
    #
    # Templates are used similarly as in rsyslog (except our templates are
    # awesome, and theirs isn't. Sadly, this example is too simple to show
    # the power of syslog-ng templates. Oh well..).
    #
    # Anyway, in this case, the template will be similar to a normal
    # BSD legacy syslog format, with ${MSG_TAG} inserted between the
    # MSGHEADER and the message itself. If MSG_TAG is unset, nothing will be
    # inserted, and we'll get a standard format.
    ###
    template t_tagged { template("${ISODATE} ${HOST} ${MSGHDR}${MSG_TAG}${MSG}"); };

    ###
    # Destinations
    # ------------
    #
    # Ye olde TCP destination. You can replace tcp with udp, if so you
    # wish. It forwards everything that reaches the destination to the
    # specified host, on the given port, using the template we made above.
    ###
    destination d_remote_tagged { tcp("192.168.1.1" port(1200) template(t_tagged)); };

    ###
    # Rewrite
    # -------
    #
    # Rewrite rules! If we encounter a tag we care about, we set MSG_TAG
    # appropriately. That is all. If a message does not have the sought tag,
    # the rewrite does nothing.
    ###
    rewrite r_snort_tag { rewrite(set("MSG_TAG", value("[SNORT] ") condition(tag("snort")))); };
    rewrite r_bro_conn_tag { rewrite(set("MSG_TAG", value("[BRO-CONN] ") condition(tag("bro-conn")))); };
    rewrite r_bro_http_tag { rewrite(set("MSG_TAG", value("[BRO-HTTP] ") condition(tag("bro-http")))); };

    ###
    # Logpath
    # -------
    #
    # Logpaths define how sources, filters, rewrite rules and destinations
    # are connected.
    #
    # In this case, this logpath will read from all three file sources
    # defined above, pass them through all three rewrite rules (remember:
    # those only do the rewrite if the appropriate tag matches), and
    # finally, send it over to the remote host.
    #
    # We also set a "final" flag, which means that if a message was caught
    # by this rule (ie, it came from any of the three files), it will not be
    # processed further by any other logpath.
    ###
    log { source(s_snort_alert); source(s_bro_conn); source(s_bro_http);
          rewrite (r_snort_tag); rewrite (r_bro_conn_tag); rewrite (r_bro_http_tag);
          destination (d_remote_tagged);
          flags(final); };

And this is all you need to process the files.

The rest of your rsyslog.conf is easier to translate to syslog-ng.conf style, and hence, I'm not going to describe it here. I'd suggest quickly skimming through the docs[1], and it should be reasonably straightforward.

[1]: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...

The contrib/syslog2ng script in the syslog-ng sources should help with the translation too, as rsyslog.conf has parts that are compatible with old syslog.conf (and the rest of your config pretty much consists of such parts ;).

Hope this helps!

-- 
|8]
On Thu, Nov 3, 2011 at 10:36 AM, Gergely Nagy <algernon@balabit.hu> wrote:
[...]
Wow, thank you so much! That actually looks pretty straightforward.

I initially had syslog-ng 3.2.4 installed but it was complaining about the "source plugin tag not found". I thought this was perhaps due to it not being 3.3 so I built and installed 3.3.1 but am still seeing it. Is there something I'm missing from my build or not loading in my config?

    # /etc/init.d/syslog-ng start
    Starting syslog-ng: Error parsing source, source plugin tag not found in /etc/syslog-ng/syslog-ng.conf at line 62, column 1:
    tag("snort");
    ^^^

I ran syslog-ng --version to see what modules were available and I don't see anything with "tag" in it. Do I need to pass something at startup with the "--default-modules" flag?

    # syslog-ng --version
    syslog-ng 3.3.1
    Installer-Version: 3.3.1
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master#3a736e62b27f7036ab23b91cf0839a95d0185e18
    Compile-Date: Nov  3 2011 19:24:14
    Default-Modules: affile,afprog,afsocket,afuser,basicfuncs,csvparser,dbparser,syslogformat
    Available-Modules: convertfuncs,afmongodb,affile,dummy,confgen,basicfuncs,csvparser,afsocket-tls,afuser,afsocket,dbparser,afprog,syslogformat
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-Linux-Caps: off
    Enable-Pcre: on

Thank you!
On 2011-11-03, Miguel Alvarez wrote:
Well, something similar is possible with syslog-ng as well: (beware, completely untested, there might be typos!)
[...]
source s_snort_alert { file("/var/log/snort/alert"); tag("snort"); };
[...]
[1]: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...
Wow, thank you so much! That actually looks pretty straightforward.
I initially had syslog-ng 3.2.4 installed but it was complaining about the "source plugin tag not found". I thought this was perhaps due to it not being 3.3 so I built and installed 3.3.1 but am still seeing it. Is there something I'm missing from my build or not loading in my config?
It's a typo in Gergely's example. It's "tags", not "tag" :) See the docs[2]

[2] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...

HTH

-- 
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
On 11/03/2011 10:33 PM, Jakub Jankowski wrote:
On 2011-11-03, Miguel Alvarez wrote:
Well, something similar is possible with syslog-ng as well: (beware, completely untested, there might be typos!)
[...]
source s_snort_alert { file("/var/log/snort/alert"); tag("snort"); };
[...]
[1]: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...
Wow, thank you so much! That actually looks pretty straightforward.
I initially had syslog-ng 3.2.4 installed but it was complaining about the "source plugin tag not found". I thought this was perhaps due to it not being 3.3 so I built and installed 3.3.1 but am still seeing it. Is there something I'm missing from my build or not loading in my config?
It's a typo in Gergely's example. It's "tags", not "tag" :) See the docs[2]
[2] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...

Also, tags() have to be within the file() declaration, so the above should rather look like

    source s_snort_alert { file("/var/log/snort/alert" tags("snort")); };

Balint
On Thu, Nov 3, 2011 at 4:03 PM, Balint Kovacs <balint.kovacs@balabit.com> wrote:
On 11/03/2011 10:33 PM, Jakub Jankowski wrote:
On 2011-11-03, Miguel Alvarez wrote:
Well, something similar is possible with syslog-ng as well: (beware, completely untested, there might be typos!)
[...]
source s_snort_alert { file("/var/log/snort/alert"); tag("snort"); };
[...]
[1]: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...
Wow, thank you so much! That actually looks pretty straightforward.
I initially had syslog-ng 3.2.4 installed but it was complaining about the "source plugin tag not found". I thought this was perhaps due to it not being 3.3 so I built and installed 3.3.1 but am still seeing it. Is there something I'm missing from my build or not loading in my config?
It's a typo in Gergely's example. It's "tags", not "tag" :) See the docs[2]
[2] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide... Also, tags() have to be within the file() declaration, so the above should rather look like
source s_snort_alert { file("/var/log/snort/alert" tags("snort")); };
Thank you, Balint. I fixed the "tag" > "tags" as well as the "rewrite" sections. Everything starts successfully and lsof shows the defined files are being opened, but no logs are being forwarded. I'm running tcpdump on the server side and see the three-way handshake, and there's even a message in /var/log/messages saying that the connection was accepted:

    22:39:03.520177 IP (tos 0x0, ttl 61, id 29965, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.2.46244 > 192.168.1.1.1200: S, cksum 0x9589 (correct), 2051237327:2051237327(0) win 5840 <mss 1460,sackOK,timestamp 1304367298 0,nop,wscale 10>
    22:39:03.520201 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.1.1200 > 192.168.1.2.46244: S, cksum 0x07c4 (correct), 2951440826:2951440826(0) ack 2051237328 win 5792 <mss 1460,sackOK,timestamp 4114972411 1304367298,nop,wscale 7>
    22:39:03.522092 IP (tos 0x0, ttl 61, id 29966, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.1.2.46244 > 192.168.1.1.1200: ., cksum 0x4d29 (correct), 1:1(0) ack 1 win 6 <nop,nop,timestamp 1304367299 4114972411>

    Nov  3 22:39:03 logserver syslog-ng[24827]: Syslog connection accepted; fd='44', client='AF_INET(192.168.1.2:46244)', local='AF_INET(192.168.1.1:1200)'

Anyone have any suggestions on what I can try?

And for the record, here's the updated config:

    ###
    # File sources
    # ------------
    #
    # These set up sources, and tag them appropriately. We'll use the tags
    # later in the rewrite rules.
    ###
    source s_snort_alert { file("/var/log/snort/alert" tags("snort")); };
    source s_bro_conn { file("/var/log/bro/conn.log" tags("bro-conn")); };
    source s_bro_http { file("/var/log/bro/http.log" tags("bro-http")); };

    ###
    # Templates
    # ---------
    #
    # Templates are used similarly as in rsyslog (except our templates are
    # awesome, and theirs isn't. Sadly, this example is too simple to show
    # the power of syslog-ng templates. Oh well..).
    #
    # Anyway, in this case, the template will be similar to a normal
    # BSD legacy syslog format, with ${MSG_TAG} inserted between the
    # MSGHEADER and the message itself. If MSG_TAG is unset, nothing will be
    # inserted, and we'll get a standard format.
    ###
    template t_tagged { template("${ISODATE} ${HOST} ${MSGHDR}${MSG_TAG}${MSG}"); };

    ###
    # Destinations
    # ------------
    #
    # Ye olde TCP destination. You can replace tcp with udp, if so you
    # wish. It forwards everything that reaches the destination to the
    # specified host, on the given port, using the template we made above.
    ###
    destination d_remote_tagged { tcp("192.168.1.1" port(1200) template(t_tagged)); };

    ###
    # Rewrite
    # -------
    #
    # Rewrite rules! If we encounter a tag we care about, we set MSG_TAG
    # appropriately. That is all. If a message does not have the sought tag,
    # the rewrite does nothing.
    ###
    rewrite r_snort_tag { set("MSG_TAG", value("[SNORT] ") condition(tags("snort"))); };
    rewrite r_bro_conn_tag { set("MSG_TAG", value("[BRO-CONN] ") condition(tags("bro-conn"))); };
    rewrite r_bro_http_tag { set("MSG_TAG", value("[BRO-HTTP] ") condition(tags("bro-http"))); };

    ###
    # Logpath
    # -------
    #
    # Logpaths define how sources, filters, rewrite rules and destinations
    # are connected.
    #
    # In this case, this logpath will read from all three file sources
    # defined above, pass them through all three rewrite rules (remember:
    # those only do the rewrite if the appropriate tag matches), and
    # finally, send it over to the remote host.
    #
    # We also set a "final" flag, which means that if a message was caught
    # by this rule (ie, it came from any of the three files), it will not be
    # processed further by any other logpath.
    ###
    log { source(s_snort_alert); source(s_bro_alarm); source(s_bro_conn); source(s_bro_http); source(s_bro_notice);
          rewrite (r_snort_tag); rewrite (r_bro_conn_tag); rewrite (r_bro_http_tag);
          destination (d_remote_tagged);
          flags(final); };
Just wondering if anyone might have any idea as to why logs aren't being forwarded. I'm thinking maybe it has something to do with the tagging configurations, as I can definitely see the source log growing (e.g. /var/log/snort/alert) and that when syslog-ng is started, it successfully connects with the server side. To me, it would seem then that the problem lies somewhere in between. The whole config is below but here's a relevant snippet:

    source s_snort_alert { file("/var/log/snort/alert" tags("snort")); };

    rewrite r_snort_tag { set("MSG_TAG", value("[SNORT] ") condition(tags("snort"))); };

    source(s_snort_alert);
    rewrite (r_snort_tag);

Thank you

On Thu, Nov 3, 2011 at 5:24 PM, Miguel Alvarez <miguellvrz9@gmail.com> wrote:
Thank you, Balint. I fixed the "tag" > "tags" as well as the "rewrite" sections. Everything starts successfully and lsof shows the defined files are being opened but no logs are being forwarded. I'm running tcpdump on the server side and see the three-way handshake and there's even a message in /var/log/messages saying that the connection was accepted:
    22:39:03.520177 IP (tos 0x0, ttl 61, id 29965, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.2.46244 > 192.168.1.1.1200: S, cksum 0x9589 (correct), 2051237327:2051237327(0) win 5840 <mss 1460,sackOK,timestamp 1304367298 0,nop,wscale 10>
    22:39:03.520201 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.1.1200 > 192.168.1.2.46244: S, cksum 0x07c4 (correct), 2951440826:2951440826(0) ack 2051237328 win 5792 <mss 1460,sackOK,timestamp 4114972411 1304367298,nop,wscale 7>
    22:39:03.522092 IP (tos 0x0, ttl 61, id 29966, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.1.2.46244 > 192.168.1.1.1200: ., cksum 0x4d29 (correct), 1:1(0) ack 1 win 6 <nop,nop,timestamp 1304367299 4114972411>

    Nov  3 22:39:03 logserver syslog-ng[24827]: Syslog connection accepted; fd='44', client='AF_INET(192.168.1.2:46244)', local='AF_INET(192.168.1.1:1200)'
Anyone have any suggestions on what I can try?
And for the record, here's the updated config:
    ###
    # File sources
    # ------------
    #
    # These set up sources, and tag them appropriately. We'll use the tags
    # later in the rewrite rules.
    ###
    source s_snort_alert { file("/var/log/snort/alert" tags("snort")); };
    source s_bro_conn { file("/var/log/bro/conn.log" tags("bro-conn")); };
    source s_bro_http { file("/var/log/bro/http.log" tags("bro-http")); };

    ###
    # Templates
    # ---------
    #
    # Templates are used similarly as in rsyslog (except our templates are
    # awesome, and theirs isn't. Sadly, this example is too simple to show
    # the power of syslog-ng templates. Oh well..).
    #
    # Anyway, in this case, the template will be similar to a normal
    # BSD legacy syslog format, with ${MSG_TAG} inserted between the
    # MSGHEADER and the message itself. If MSG_TAG is unset, nothing will be
    # inserted, and we'll get a standard format.
    ###
    template t_tagged { template("${ISODATE} ${HOST} ${MSGHDR}${MSG_TAG}${MSG}"); };

    ###
    # Destinations
    # ------------
    #
    # Ye olde TCP destination. You can replace tcp with udp, if so you
    # wish. It forwards everything that reaches the destination to the
    # specified host, on the given port, using the template we made above.
    ###
    destination d_remote_tagged { tcp("192.168.1.1" port(1200) template(t_tagged)); };

    ###
    # Rewrite
    # -------
    #
    # Rewrite rules! If we encounter a tag we care about, we set MSG_TAG
    # appropriately. That is all. If a message does not have the sought tag,
    # the rewrite does nothing.
    ###
    rewrite r_snort_tag { set("MSG_TAG", value("[SNORT] ") condition(tags("snort"))); };
    rewrite r_bro_conn_tag { set("MSG_TAG", value("[BRO-CONN] ") condition(tags("bro-conn"))); };
    rewrite r_bro_http_tag { set("MSG_TAG", value("[BRO-HTTP] ") condition(tags("bro-http"))); };

    ###
    # Logpath
    # -------
    #
    # Logpaths define how sources, filters, rewrite rules and destinations
    # are connected.
    #
    # In this case, this logpath will read from all three file sources
    # defined above, pass them through all three rewrite rules (remember:
    # those only do the rewrite if the appropriate tag matches), and
    # finally, send it over to the remote host.
    #
    # We also set a "final" flag, which means that if a message was caught
    # by this rule (ie, it came from any of the three files), it will not be
    # processed further by any other logpath.
    ###
    log { source(s_snort_alert); source(s_bro_alarm); source(s_bro_conn); source(s_bro_http); source(s_bro_notice);
          rewrite (r_snort_tag); rewrite (r_bro_conn_tag); rewrite (r_bro_http_tag);
          destination (d_remote_tagged);
          flags(final); };
Miguel Alvarez <miguellvrz9@gmail.com> writes:
Just wondering if anyone might have any idea as to why logs aren't being forwarded.
If all goes well, I'll have a look in a couple of minutes. Apologies for the long response times, I had to trim down my TODO list a bit first.

-- 
|8]
Gergely Nagy <algernon@balabit.hu> writes:
Miguel Alvarez <miguellvrz9@gmail.com> writes:
Just wondering if anyone might have any idea as to why logs aren't being forwarded.
If all goes well, I'll have a look in a couple of minutes. Apologies for the long response times, I had to trim down my TODO list a bit first.
Obviously, it didn't all go that well. This is still fairly high on my list, I haven't forgotten, but I'm swamped at the moment, so it might take a little more time until I manage to find time to debug this issue.

Sorry about that, I'll try to get back to you as soon as possible.

-- 
|8]
On Thu, Nov 10, 2011 at 2:00 PM, Gergely Nagy <algernon@balabit.hu> wrote:
Gergely Nagy <algernon@balabit.hu> writes:
Miguel Alvarez <miguellvrz9@gmail.com> writes:
Just wondering if anyone might have any idea as to why logs aren't being forwarded.
If all goes well, I'll have a look in a couple of minutes. Apologies for the long response times, I had to trim down my TODO list a bit first.
Obviously, it didn't all go that well. This is still fairly high on my list, I haven't forgotten, but I'm swamped at the moment, so might take a little more time until I manage to find time to debug this issue.
Sorry about that, I'll try to get back to you as soon as possible.
No problem. I just got it working and it turned out that the tagging wasn't working so $MSG_TAG in the rewrite was empty. So rather than doing it with tags, I just created multiple templates each with the desired tag embedded in the template string and then multiple destinations referencing the corresponding template. I'm sure it's probably not the most efficient way but it works! Thank you again for all of the assistance.
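For the record, here is the tag-based variant the thread set out to build, as an added example (an editor's reconstruction, not a config posted in the thread or shipped by the syslog-ng project). The one substantive change against the snippets above is the argument order of set(): syslog-ng's rewrite syntax is set("<text>" value("<field name>") condition(...)), so set("MSG_TAG", value("[SNORT] ") ...) stores the literal string MSG_TAG in a field named "[SNORT] " and leaves ${MSG_TAG} empty, which matches the symptom in the previous message. Tags are also local to the syslog-ng process and never leave the box, which is why the tag has to be copied into a message field before the template prints it. Host, port, file paths and tag names are the ones from the thread; follow-freq(), flags(no-parse), program-override(), default-facility()/default-priority() and the commented-out tls() block are documented 3.x options added on the assumption that this is a sensor forwarding IDS output, and the certificate paths in the tls() sketch are placeholders.

```conf
@version: 3.3

# File sources. Snort and Bro write plain lines, not syslog records, so
# no-parse keeps each whole line in ${MSG} instead of letting syslog-ng
# guess a header. program-override() gives the records a stable
# ${PROGRAM}; default-facility()/default-priority() stand in for
# rsyslog's $InputFileFacility/$InputFileSeverity; follow-freq(5) is the
# poll interval. The read offset per file lives in syslog-ng's persist
# file, the counterpart of $InputFileStateFile.
# (Added example: options beyond the thread's own paths/tags are assumptions.)
source s_snort_alert {
    file("/var/log/snort/alert"
         follow-freq(5) flags(no-parse)
         program-override("snort")
         default-facility(local7) default-priority(info)
         tags("snort"));
};
source s_bro_conn {
    file("/var/log/bro/conn.log"
         follow-freq(5) flags(no-parse)
         program-override("bro")
         default-facility(local7) default-priority(info)
         tags("bro-conn"));
};
source s_bro_http {
    file("/var/log/bro/http.log"
         follow-freq(5) flags(no-parse)
         program-override("bro")
         default-facility(local7) default-priority(info)
         tags("bro-http"));
};

# Rewrite rules: the first argument is the text to store, value() names
# the field it is stored in. Only messages carrying the matching tag are
# touched; everything else keeps an empty MSG_TAG.
rewrite r_snort_tag    { set("[SNORT] "    value("MSG_TAG") condition(tags("snort")));    };
rewrite r_bro_conn_tag { set("[BRO-CONN] " value("MSG_TAG") condition(tags("bro-conn"))); };
rewrite r_bro_http_tag { set("[BRO-HTTP] " value("MSG_TAG") condition(tags("bro-http"))); };

# Same layout as the thread's template, with ${PROGRAM} spelled out since
# no-parse leaves nothing for ${MSGHDR} to be built from. ${MSG_TAG}
# expands to nothing for untagged messages.
template t_tagged {
    template("${ISODATE} ${HOST} ${PROGRAM}: ${MSG_TAG}${MSG}");
};

# Collector from the thread. Plain TCP on 1200 as posted; IDS alerts
# crossing a network normally warrant the tls() option of the tcp()
# driver (afsocket-tls is in the module list shown earlier). The
# certificate paths below are placeholders, not from the thread.
destination d_remote_tagged {
    tcp("192.168.1.1" port(1200) template(t_tagged)
        # tls(ca-dir("/etc/syslog-ng/ca.d")
        #     key-file("/etc/syslog-ng/sensor.key")
        #     cert-file("/etc/syslog-ng/sensor.crt"))
    );
};

# One log path: three tagged sources, three conditional rewrites, one
# destination. flags(final) stops these messages from also hitting the
# local /var/log paths in the rest of the config.
log {
    source(s_snort_alert); source(s_bro_conn); source(s_bro_http);
    rewrite(r_snort_tag); rewrite(r_bro_conn_tag); rewrite(r_bro_http_tag);
    destination(d_remote_tagged);
    flags(final);
};
```

syslog-ng --syntax-only -f <file> checks the parse without starting the daemon. The workaround described in the message above (one template per file, one destination per template) also works and needs no rewrite rules, at the cost of one TCP connection to the collector per destination.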
On 11/03/2011 04:13 PM, Miguel Alvarez wrote:
Hi,
After being less than impressed with the stability of rsyslog, I just discovered syslog-ng and it looks really impressive but a bit overwhelming!
I have a simple configuration with my existing rsyslog set up where it's performing normal system syslog responsibilities but also tagging other log files and then forwarding them to a centralized log server. The examples I've seen for syslog-ng are making my head swim so I was hoping someone would be able to point me in the right direction on how to do the same with syslog-ng.
Hi,

if you mean that you want to send the contents of logfiles to a central server then you have to create file sources and add them to the log path that sends the messages to the logserver. Check
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide...
and
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide...

HTH.

Regards,

Robert
participants (5): Balint Kovacs, Fekete Robert, Gergely Nagy, Jakub Jankowski, Miguel Alvarez