[syslog-ng] Tool to determine facility and severity from

Justin Shore justin.shore at sktbcs.com
Tue Dec 5 14:51:12 CET 2006


That's an interesting idea.  I mess around with Perl when the need
arises but only on a very small scale; I'm not a programmer.  I may try
this some time.

The whole proxy idea is a bit of an offshoot of my original problem (and
the ultimate cause of the problem being a vendor that won't let you
define the facility).  I can see the problems of placing a proxy in
between the loghost and sender.  I figured syslog-ng could probably be
bound to an oddball port so that the proxy could then listen on 514 and
forward the rewritten messages to the oddball.  This is terribly crucial
though.  It would be handy to mess with until I can convince these
vendors to join the rest of the technological world and add this basic
feature.

I do need to be able to recognize the incoming messages somehow though
so that I can stick them in the appropriate log file, store info level data in
one log that is rotated weekly and kept for a year, and then store debug
info in another log file that is rotated weekly and kept for only a
single week.  Otherwise drive space will become a major issue.  For
example, I have 1 firewall that is sending me 4.5GB of data each day.
Without this basic log sorting and rotation setup I'd run out of drive
space within a few days.

I'll probably look into matching each host by the source IP.  That
might be easiest in the long-term for these oddball hosts.  I haven't
set up syslog-ng so this could be an interesting experience.

Thanks for the info
 Justin



-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Alexander
Clouter
Sent: Tuesday, December 05, 2006 3:48 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Tool to determine facility and severity from

Hi,

Heiko Blume <Heiko at Blume.AG> [20061205 10:32:19 +0100]:
>
> probably with the sniffer from ethereal.com
> 
I would be more inclined to use a Perl module:

http://search.cpan.org/~sparsons/Net-Dev-Syslog-0.8.0/Syslog.pm

It will create a mini-syslog server, decode the packets for you and then
it would be trivial, if you know perl, to re-inject them with the same
module or a different one:

http://search.cpan.org/~saper/Sys-Syslog-0.18/Syslog.pm

If you do not know perl you probably will find this is a nice
mini-project to introduce you to the language.  It's damn handy to be
able to throw together a quick hack script to do jobs like this; means
you no longer have to rely on the hope that someone else has done this
already otherwise you would be out of options.

The problem you are going to run into is that you have to have
effectively a syslog proxy on another machine, or a second IP bound to
your syslog core server.  You cannot have this 'rewriter' and syslog-ng
on the same box as both will be trying to listen on the same port; well
you could pick different IPs for them to bind to though.

By the sounds of it you really want to create a syslog-ng filter that
has a list of IPs and hardcode in the facility and extract the severity
there.  To be honest if the facility is fixed then really there is no
information you can extract that you could not determine "well it came
from this IP therefore it has the *fixed* facility xyz".

As for severity, it's probably worth just grepping for keywords in the
message for what you are looking for anyway.  That's where programs like
swatch can help.

Of course I might have missed completely what you are trying to
accomplish, if so give a few more details and I'll try to help.

Cheers

Alex

> regards, hb
> 
> > Does anyone know of a tool to read the facility and severity info 
> > from inbound syslog packets?  I have a number of devices that are 
> > sending me syslog info and I can't determine what facility they're 
> > using.  These devices can't be set to use specific facilities 
> > unfortunately.  It would be ideal if I could read the data out of a 
> > raw dump from tcpdump or at least be able to bind it to 514/udp and 
> > prepend facility/severity info on each log line.
> >
> > Along the same lines it would be sweet if there was a way to rewrite
> > the facility information in inbound syslog packets (based on source 
> > IP) before passing them to your favorite syslog server.  This would 
> > be ideal for occasions such as this.
> >
> > Any info would be greatly appreciated.  Thanks
> >
> > Justin
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu 
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at 
> > http://www.campin.net/syslog-ng/faq.html
> >
> >
> 
> 
> --
> Heiko at Blume.AG
> 
>    Cisco Certified Network Professional
>    Cisco Certified Design Professional
>    Juniper Certified Internet Specialist
>    SUN Certified System Administrator
> 
> 
> Office: +49.30/4426309
> FAX: +49.30/48494354
> Mobile: +49.178/6662342
> www: http://www.blume.ag/IT/
> PHY: Knaackstrasse 6, 10405 Berlin, DE
> 
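As an added illustration (not code from this thread or from the CPAN modules Alex mentions): a Python sketch of the decode-and-rewrite step the thread discusses, i.e. pulling facility and severity out of the `<PRI>` field and re-encoding the line with a facility chosen by sender IP while keeping the device's own severity. It assumes the sender's IP is already known from the receiving socket and that the IP-to-facility map is configured by hand; the no-PRI fallback is RFC 3164's relay default `<13>` (user.notice).

```python
import re

# Facility and severity names in PRI order, as laid out in RFC 3164
# (PRI = facility * 8 + severity, so 0..191 is the valid range).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(raw):
    """Return (facility, severity, message) for one raw syslog line.

    A line with a missing or out-of-range <PRI> gets the RFC 3164 relay
    default <13> (user.notice), which is what a conforming daemon assigns.
    """
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return pri // 8, pri % 8, m.group(2)
    return 1, 5, raw


def describe(raw):
    """Human-readable 'facility.severity' for a raw line, e.g. 'auth.crit'."""
    fac, sev, _ = decode_pri(raw)
    return f"{FACILITIES[fac]}.{SEVERITIES[sev]}"


def rewrite_facility(raw, src_ip, facility_by_ip):
    """Re-encode the line with the facility mapped from the sender's IP,
    keeping the severity the device chose. Unknown senders pass through."""
    fac, sev, msg = decode_pri(raw)
    new_fac = facility_by_ip.get(src_ip)
    if new_fac is None:
        return raw
    return f"<{FACILITIES.index(new_fac) * 8 + sev}>{msg}"


if __name__ == "__main__":
    # Constructed sample: a firewall that cannot set its facility (hypothetical IP).
    ip_map = {"192.0.2.10": "local3"}
    line = "<34>Dec  5 14:51:12 fw01 kernel: deny tcp 198.51.100.7 -> 192.0.2.1"
    print(describe(line))                                  # auth.crit
    print(rewrite_facility(line, "192.0.2.10", ip_map))    # <154>Dec  5 ...
```

Matching on the source IP is the same decision Justin plans to make in syslog-ng itself; this just shows the arithmetic a proxy would have to get right so that the severity is not clobbered along with the facility.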