RE: [syslog-ng] Tool to determine facility and severity from
That's an interesting idea. I mess around with Perl when the need arises but only on a very small scale; I'm not a programmer. I may try this some time.

The whole proxy idea is a bit of an offshoot of my original problem (and the ultimate cause of the problem being a vendor that won't let you define the facility). I can see the problems of placing a proxy in between the loghost and sender. I figured syslog-ng could probably be bound to an oddball port so that the proxy could then listen on 514 and forward the rewritten messages to the oddball. This is terribly crucial though. It would be handy to mess with until I can convince these vendors to join the rest of the technological world and add this basic feature.

I do need to be able to recognize the incoming messages somehow though so that I can stick them in the appropriate log file, store info level data in one log that is rotated weekly and kept for a year, and then store debug info in another log file that is rotated weekly and kept for only a single week. Otherwise drive space will become a major issue. For example, I have 1 firewall that is sending me 4.5GB of data each day. Without this basic log sorting and rotation setup I'd run out of drive space within a few days. I'll probably look into matching each host by the source IP. That might be easiest in the long-term for these oddball hosts.

I haven't set up syslog-ng so this could be an interesting experience. Thanks for the info.

Justin

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Alexander Clouter
Sent: Tuesday, December 05, 2006 3:48 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Tool to determine facility and severity from

Hi,

Heiko Blume <Heiko@Blume.AG> [20061205 10:32:19 +0100]:
probably with the sniffer from ethereal.com
I would be more inclined to use a Perl module: http://search.cpan.org/~sparsons/Net-Dev-Syslog-0.8.0/Syslog.pm

It will create a mini-syslog server, decode the packets for you and then it would be trivial, if you know perl, to re-inject them with the same module or a different one: http://search.cpan.org/~saper/Sys-Syslog-0.18/Syslog.pm

If you do not know perl you probably will find this is a nice mini-project to introduce you to the language. It's damn handy to be able to throw together a quick hack script to do jobs like this; means you no longer have to rely on the hope that someone else has done this already, otherwise you would be out of options.

The problem you are going to run into is that you have to have effectively a syslog proxy on another machine, or a second IP bound to your syslog core server. You cannot have this 'rewriter' and syslog-ng on the same box as both will be trying to listen on the same port; well, you could pick different IPs for them to bind to though.

By the sounds of it you really want to create a syslog-ng filter that has a list of IPs and hardcode in the facility and extract the severity there. To be honest if the facility is fixed then really there is no information you can extract that you could not determine "well it came from this IP therefore it has the *fixed* facility xyz". As for severity, it's probably worth just grepping for keywords in the message for what you are looking for anyway. That's where programs like swatch can help.

Of course I might have missed completely what you are trying to accomplish, if so give a few more details and I'll try to help.

Cheers

Alex
regards, hb
Does anyone know of a tool to read the facility and severity info from inbound syslog packets? I have a number of devices that are sending me syslog info and I can't determine what facility they're using. These devices can't be set to use specific facilities unfortunately. It would be ideal if I could read the data out of a raw dump from tcpdump or at least be able to bind it to 514/udp and prepend facility/severity info on each log line.
Along the same lines it would be sweet if there was a way to rewrite the facility information in inbound syslog packets (based on source IP) before passing them to your favorite syslog server. This would be ideal for occasions such as this.
Any info would be greatly appreciated. Thanks
Justin

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
--
Heiko@Blume.AG
Cisco Certified Network Professional
Cisco Certified Design Professional
Juniper Certified Internet Specialist
SUN Certified System Administrator
Office: +49.30/4426309
FAX: +49.30/48494354
Mobile: +49.178/6662342
www: http://www.blume.ag/IT/
PHY: Knaackstrasse 6, 10405 Berlin, DE
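As an added example (not code from the thread or from syslog-ng), here is a small Python sketch of the UDP proxy Justin and Alex discuss: it decodes the `<PRI>` header of each datagram into facility and severity (RFC 3164: PRI = facility * 8 + severity), rewrites the facility for senders listed in a per-source-IP map, and forwards the packet to syslog-ng listening on a different port. The IP-to-facility map, the port 5514 and the sample messages are constructed for illustration.

```python
import re
import socket

# RFC 3164: PRI = facility * 8 + severity, sent as "<PRI>" at the start of the datagram.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(payload):
    """Return (facility_name, severity_name), or None if there is no valid PRI header."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:  # 191 = local7 * 8 + debug, the largest legal PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def rewrite_facility(payload, src_ip, facility_by_ip):
    """Replace the facility for senders listed in facility_by_ip and keep their severity.
    Anything else (unknown sender, missing or out-of-range PRI) is passed through untouched."""
    m = PRI_RE.match(payload)
    if not m or src_ip not in facility_by_ip or int(m.group(1)) > 191:
        return payload
    new_pri = facility_by_ip[src_ip] * 8 + (int(m.group(1)) & 7)
    return b"<%d>" % new_pri + payload[m.end():]


def run_proxy(listen, forward, facility_by_ip):
    """Receive on `listen` (e.g. 514/udp), rewrite, forward to syslog-ng on `forward`.
    Downside raised in the thread: syslog-ng then sees the proxy, not the device, as the
    sender, so the original source IP is only known here in the proxy."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        sock.sendto(rewrite_facility(data, src_ip, facility_by_ip), forward)


if __name__ == "__main__":
    # Constructed map: the firewall at 192.0.2.10 becomes local1 (17), the switch local2 (18).
    run_proxy(("0.0.0.0", 514), ("127.0.0.1", 5514), {"192.0.2.10": 17, "192.0.2.20": 18})
```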