Is it possible to configure multiple sources, one with flags(no-parse) and one without?
e.g.
source s_syslog-ports {
    udp(port(514));
    tcp(port(1514) max-connections(100));
    tcp(port(514) max-connections(100));
};
source s_syslog_np-ports {
    udp(port(514) flags(no-parse));
    tcp(port(1514) max-connections(100) flags(no-parse));
    tcp(port(514) max-connections(100) flags(no-parse));
};
filter f_Cisco-router { in-list("/etc/syslog-ng/filter/Cisco-router.txt", value("SOURCEIP")); };
destination d_Cisco-router { file("/var/log/IT/network/router/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only)); };
log { source(s_syslog-ports); filter(f_Cisco-router); destination(d_Cisco-router); };
filter f_Cisco-switch { in-list("/etc/syslog-ng/filter/Cisco-switch.txt", value("SOURCEIP")); };
destination d_Cisco-switch { file("/var/log/IT/network/switch/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only)); };
log { source(s_syslog_np-ports); filter(f_Cisco-switch); destination(d_Cisco-switch); };
Whenever I do this, I get an error message when restarting the service.
“Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details.”
“Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.”
Hi,
To achieve something like that, you have to use junctions. You'll have one source with flags(no-parse), then embed a filter+parser junction to process regular syslog messages, and another junction to process the ones you cannot parse.
For details, see the 8.3 example at https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/junctions.html and https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html
HTH,
Robert
On Wed, Feb 22, 2017 at 2:45 PM, 'Miah Lang' via SYSLOG-NG <syslog-ng@balabit.com> wrote:
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Thanks for the information. I have another issue that has come up relating to the PROGRAM macro.
When I configure it like this, the PROGRAM macro works properly and gets the proper tag from the client:
source s_syslog-ports {
    # Configure the network() driver for receiving RFC3164 logs
    network(transport("udp") ip(10.25.10.52) port(514));
    network(transport("tcp") ip(10.25.10.52) port(514) max-connections(100));
    network(transport("tcp") ip(10.25.10.52) port(1514) max-connections(100));
};
filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt", value("SOURCEIP")); };
destination d_Linux-centos { file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log" template(t_message-only)); };
log { source(s_syslog-ports); filter(f_Linux-centos); destination(d_Linux-centos); };
Then, when I change the configuration to this, the PROGRAM macro no longer gets the same proper tag value from the client:
source s_syslog-ports {
    # Configure the network() driver for receiving RFC3164 logs
    network(transport("udp") ip(10.25.10.52) port(514));
    network(transport("tcp") ip(10.25.10.52) port(514) max-connections(100));
    network(transport("tcp") ip(10.25.10.52) port(1514) max-connections(100) flags(no-parse));
};
filter f_Linux-centos { in-list("/etc/syslog-ng/filter/Linux-centos.txt", value("SOURCEIP")); };
destination d_Linux-centos { file("/var/log/IT/server/Linux/CentOS/${SOURCEIP}/${SOURCEIP}[${PROGRAM}]-${YEAR}${MONTH}${DAY}.log" template(t_message-only)); };
log {
    source(s_syslog-ports);
    junction {
        channel { filter(f_Linux-centos); parser { syslog-parser(); }; flags(final); };
    };
    destination(d_Linux-centos);
};
Is there a way to configure the no-parse and junction option while still getting the correct PROGRAM macro data?
Thanks.
On Wednesday, February 22, 2017 8:04 AM, "Fekete, Róbert" <robert.fekete@balabit.com> wrote:
The syslog-parser() should set the program field based on the input, and your configuration seems correct at a first glance. Can you perhaps set debug mode (-d from command line) and copy-paste the output generated by a debug message? Also pls supply your syslog-ng version.
Thanks
On Feb 22, 2017 17:24, <hurling69@yahoo.com> wrote:
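The layout Robert describes, worked into a complete configuration for Miah's router/switch split; this is an added example, not a configuration from the thread or from the syslog-ng project, and its first channel is the same parser-inside-a-channel shape hurling69 uses to get ${PROGRAM} back. The t_message-only template body, the s_raw and d_unknown names and the /var/log/IT/unknown path are assumptions.

```conf
# Set to the installed syslog-ng version
@version: 3.8
# Assumed definition: the thread references t_message-only without showing it
template t_message-only { template("${MESSAGE}\n"); };
# One listener set, all flags(no-parse): the raw line, header included, goes
# into ${MESSAGE} and nothing is parsed at this point
source s_raw {
    network(transport("udp") port(514) flags(no-parse));
    network(transport("tcp") port(514) max-connections(100) flags(no-parse));
    network(transport("tcp") port(1514) max-connections(100) flags(no-parse));
};

# Routing is keyed on ${SOURCEIP}, the peer address syslog-ng records itself,
# which is set even though the message body is untouched
filter f_Cisco-router { in-list("/etc/syslog-ng/filter/Cisco-router.txt", value("SOURCEIP")); };
filter f_Cisco-switch { in-list("/etc/syslog-ng/filter/Cisco-switch.txt", value("SOURCEIP")); };

destination d_Cisco-router {
    file("/var/log/IT/network/router/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log"
         template(t_message-only) create-dirs(yes));
};
destination d_Cisco-switch {
    file("/var/log/IT/network/switch/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log"
         template(t_message-only) create-dirs(yes));
};
# Assumed path: keeps lines from hosts in neither list instead of dropping them
destination d_unknown { file("/var/log/IT/unknown/${SOURCEIP}.log" template(t_message-only) create-dirs(yes)); };

log {
    source(s_raw);
    junction {
        # Routers send well-formed syslog: syslog-parser() parses ${MESSAGE} and
        # fills ${PROGRAM}, ${HOST} and the priority, so those macros work in
        # templates again; flags(final) keeps the message out of later channels.
        # Use ${PROGRAM} in the line template rather than the file path: it comes
        # from a body the sender controls, whereas ${SOURCEIP} does not.
        channel {
            filter(f_Cisco-router);
            parser { syslog-parser(); };
            destination(d_Cisco-router);
            flags(final);
        };
        # Switches send lines the parser would mangle: write them verbatim
        channel { filter(f_Cisco-switch); destination(d_Cisco-switch); flags(final); };
        # Catch-all for everything not claimed above
        channel { destination(d_unknown); };
    };
};
```

Run syslog-ng with -s (syntax check) before restarting the service: the "control process exited with error code" message in the first post is what systemd reports for any configuration that fails to load, and the syntax check prints the offending line instead.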
participants (4)
- Fekete, Róbert
- hurling69@yahoo.com
- Miah Lang
- Scheidler, Balázs