linux-audit-parser not found on stock install of Ubuntu 16.04
When using a freshly installed version of U16.04, I found that the linux audit log parser does not seem to be installed. For example:

    syslog-ng --module-registry|grep audit    <-- returns nothing

==

1. This started because I experienced a failure when trying to enable the linux audit parser:

    Error parsing parser expression, parser plugin linux-audit-parser not found in /etc/syslog-ng/conf.d/auditd.log.conf at line 3, column 8:
    included from /etc/syslog-ng/syslog-ng.conf line 164, column 1
    linux-audit-parser(prefix(".auditd."));

2. The corresponding conf file is below:

    source s_var_log_audit.log { file("/var/log/audit/audit.log" flags(no-parse)); };
    parser p_audit_syslog_parser { linux-audit-parser(prefix(".auditd.")); };
    log { source(s_var_log_audit.log); parser(p_audit_syslog_parser); destination(d_midfin_logger_2); };

The officially supported version of syslog-ng in Ubuntu is 3.5.1.

==

    syslog-ng 3.5.6
    Installer-Version: 3.5.6
    Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)
    Compile-Date: Oct 24 2015 03:49:19
    Available-Modules: json-plugin,csvparser,system-source,tfgeoip,afsocket-notls,afamqp,basicfuncs,affile,afsocket-tls,dbparser,afmongodb,cryptofuncs,afsmtp,linux-kmsg-format,afuser,redis,afsocket,afstomp,syslogformat,confgen,afprog,afsql
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

Do I need to install an unofficial version, or is there some elementary mistake that I am making?

thanks
Varugis
Hi,

As far as I can remember, this feature arrived with syslog-ng version 3.7. So you should install an unofficial version to use it: https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng

Bye,

Peter Czanik (CzP) <peter.czanik@balabit.com>
Balabit / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

On Tue, Nov 1, 2016 at 10:22 PM, Varugis Kurien <vkurien@midfinsystems.com> wrote:
> When using a freshly installed version of U16.04, I found that the linux audit log parser does not seem to be installed.
>
> For example:
>
>     syslog-ng --module-registry|grep audit    <-- returns nothing
>
> ==
>
> 1. This started because I experienced a failure when trying to enable the linux audit parser:
>
>     Error parsing parser expression, parser plugin linux-audit-parser not found in /etc/syslog-ng/conf.d/auditd.log.conf at line 3, column 8:
>     included from /etc/syslog-ng/syslog-ng.conf line 164, column 1
>     linux-audit-parser(prefix(".auditd."));
>
> 2. The corresponding conf file is below:
>
>     source s_var_log_audit.log { file("/var/log/audit/audit.log" flags(no-parse)); };
>     parser p_audit_syslog_parser { linux-audit-parser(prefix(".auditd.")); };
>     log { source(s_var_log_audit.log); parser(p_audit_syslog_parser); destination(d_midfin_logger_2); };
>
> The officially supported version of syslog-ng in Ubuntu is 3.5.1.
>
> ==
>
>     syslog-ng 3.5.6
>     Installer-Version: 3.5.6
>     Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)
>     Compile-Date: Oct 24 2015 03:49:19
>     Available-Modules: json-plugin,csvparser,system-source,tfgeoip,afsocket-notls,afamqp,basicfuncs,affile,afsocket-tls,dbparser,afmongodb,cryptofuncs,afsmtp,linux-kmsg-format,afuser,redis,afsocket,afstomp,syslogformat,confgen,afprog,afsql
>     Enable-Debug: off
>     Enable-GProf: off
>     Enable-Memtrace: off
>     Enable-IPv6: on
>     Enable-Spoof-Source: on
>     Enable-TCP-Wrapper: on
>     Enable-Linux-Caps: on
>     Enable-Pcre: on
>
> Do I need to install an unofficial version, or is there some elementary mistake that I am making?
>
> thanks
> Varugis
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
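The failure mode in this thread (a config that names a parser plugin the installed syslog-ng cannot provide) is cheap to catch before the daemon refuses to start. The script below is an added example, not code from the thread or from the syslog-ng project: it takes the output of the real `syslog-ng -V` and `syslog-ng --module-registry` commands and checks both the version floor (3.7, per Peter's reply) and that the plugin name is actually registered. The banner and registry texts embedded here are constructed for offline use; the first is trimmed from the 3.5.6 banner Varugis posted, the 3.7.3 one and the exact layout of the registry dump are assumptions.

```shell
#!/bin/sh
# Preflight check before enabling a syslog-ng parser plugin in a config.
# Added example for this thread, not part of syslog-ng or the posters' code.
# Real commands used on a live host: `syslog-ng -V` (version banner) and
# `syslog-ng --module-registry` (modules and their plugins). The sample texts
# below are constructed; the registry layout is an assumption, only the plugin
# name is matched.

# Constructed from the 3.5.6 banner posted in the thread (trimmed).
SAMPLE_BANNER_OLD='syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)
Available-Modules: json-plugin,csvparser,affile,linux-kmsg-format,syslogformat'
SAMPLE_REGISTRY_OLD='Module: linux-kmsg-format
  format: linux-kmsg
Module: csvparser
  parser: csv-parser'

# Constructed: what a 3.7.x build carrying the plugin might report (assumed layout).
SAMPLE_BANNER_NEW='syslog-ng 3.7.3
Installer-Version: 3.7.3
Available-Modules: json-plugin,csvparser,kvformat,affile,linux-kmsg-format,syslogformat'
SAMPLE_REGISTRY_NEW='Module: kvformat
  parser: kv-parser
  parser: linux-audit-parser
Module: csvparser
  parser: csv-parser'

# version_key "3.5.6" -> 30506; missing components count as 0, so "3.7" -> 30700.
# A numeric key avoids the lexical trap where "3.10" sorts before "3.7".
version_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    echo $(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# version_ge A B : succeed if dotted version A >= B
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# version_of BANNER : extract X.Y.Z from the first "syslog-ng X.Y.Z" line
version_of() {
    printf '%s\n' "$1" | sed -n 's/^syslog-ng \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# has_plugin REGISTRY NAME : succeed if NAME appears as a whole word in the dump
has_plugin() {
    printf '%s\n' "$1" | grep -qw -- "$2"
}

# check_parser_plugin BANNER REGISTRY PLUGIN MIN_VERSION
#   0 = usable, 1 = version is fine but the plugin is not registered,
#   2 = syslog-ng is older than MIN_VERSION (or the banner was unreadable)
check_parser_plugin() {
    ver=$(version_of "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$4" || return 2
    has_plugin "$2" "$3" || return 1
    return 0
}

# Live use on a host: feed the real command output to the same checks.
# check_parser_plugin "$(syslog-ng -V)" "$(syslog-ng --module-registry)" linux-audit-parser 3.7
```

Run the live check from a deployment script and gate the config push on its exit status; after installing a newer build, `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (syntax-only mode) confirms the whole config, including the `linux-audit-parser(...)` block, parses before the service is restarted.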
participants (2)
- Czanik, Péter
- Varugis Kurien