[syslog-ng] Simple config question

Gergely Nagy algernon at balabit.hu
Thu Nov 3 17:36:37 CET 2011


Miguel Alvarez <miguellvrz9 at gmail.com> writes:

> Sorry, I should have elaborated on the tagging other files part.
>
> I have a system that runs snort as well as bro.  Snort writes its
> alert file to /var/log/snort/alert .  Bro writes to a few files such
> as /var/log/bro/conn.log and /var/log/bro/http.log .  Right now, I
> have rsyslog tagging each with a description of the given alert file
> so they can be filtered on the remote log server side.  "[SNORT]" for
> snort, "[BRO-CONN]" and "[BRO-HTTP]" for bro's conn.log and http.log
> respectively.  Here are the rsyslog configuration sections for those
> three logs:

Aha!

Well, something similar is possible with syslog-ng as well: (beware,
completely untested, there might be typos!)

###
# File sources
# ------------
#
# These set up sources, and tag them appropriately. We'll use the tags
# later in the rewrite rules.
###

source s_snort_alert {
 file("/var/log/snort/alert");
 tags("snort");
};

source s_bro_conn {
 file("/var/log/bro/conn.log");
 tags("bro-conn");
};

source s_bro_http {
 file("/var/log/bro/http.log");
 tags("bro-http");
};

###
# Templates
# ---------
#
# Templates are used similarly to rsyslog's (except our templates are
# awesome, and theirs aren't. Sadly, this example is too simple to show
# the power of syslog-ng templates. Oh well..).
#
# Anyway, in this case, the template will be similar to a normal
# BSD legacy syslog format, with ${MSG_TAG} inserted between the
# MSGHEADER and the message itself. If MSG_TAG is unset, nothing will be
# inserted, and we'll get a standard format.
###
template t_tagged {
 template("${ISODATE} ${HOST} ${MSGHDR}${MSG_TAG}${MSG}");
};

###
# Destinations
# ------------
#
# Ye olde TCP destination. You can replace tcp with udp, if you so
# wish. It forwards everything that reaches the destination to the
# specified host, on the given port, using the template we made above.
###
destination d_remote_tagged {
  tcp("192.168.1.1" port(1200) template(t_tagged));
};

###
# Rewrite
# -------
#
# Rewrite rules! If we encounter a tag we care about, we set MSG_TAG
# appropriately. That is all. If a message does not have the sought tag,
# the rewrite does nothing.
###
rewrite r_snort_tag {
 set("[SNORT] " value("MSG_TAG") condition(tags("snort")));
};

rewrite r_bro_conn_tag {
 set("[BRO-CONN] " value("MSG_TAG") condition(tags("bro-conn")));
};

rewrite r_bro_http_tag {
 set("[BRO-HTTP] " value("MSG_TAG") condition(tags("bro-http")));
};

###
# Logpath
# -------
#
# Logpaths define how sources, filters, rewrite rules and destinations
# are connected.
#
# In this case, this logpath will read from all three file sources
# defined above, pass them through all three rewrite rules (remember:
# those only do the rewrite if the appropriate tag matches), and
# finally, send it over to the remote host.
#
# We also set a "final" flag, which means that if a message was caught
# by this rule (i.e., it came from any of the three files), it will not be
# processed further by any other logpath.
###

log {
 source(s_snort_alert);
 source(s_bro_conn);
 source(s_bro_http);

 rewrite(r_snort_tag);
 rewrite(r_bro_conn_tag);
 rewrite(r_bro_http_tag);

 destination(d_remote_tagged);

 flags(final);
};

And this is all you need to process the files.

The rest of your rsyslog.conf is easier to translate to syslog-ng.conf
style, and hence, I'm not going to describe it here. I'd suggest quickly
skimming through the docs[1], and it should be reasonably
straightforward.

 [1]: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guides/syslog-ng-ose-v3.2-guide-admin-en.html/bk01-toc.html

The contrib/syslog2ng script in the syslog-ng sources should help with
the translation too, as rsyslog.conf has parts that are compatible with
old syslog.conf (and the rest of your config pretty much consists of such
parts ;).

Hope this helps!

-- 
|8]
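The receiving end of the setup above, as an added example that is not from the original post or from syslog-ng itself: a small Python parser for lines in the t_tagged layout (`${ISODATE} ${HOST} ${MSGHDR}${MSG_TAG}${MSG}`) that routes each line by its bracketed tag, which is what the remote log server needs to do with them. The host name, timestamps and message bodies are constructed sample values; the regex assumes MSGHDR renders as `program[pid]: ` and is empty when the file line carried no syslog header, and that MSG_TAG is absent on messages no rewrite rule touched.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# One line produced by the t_tagged template:
#   ${ISODATE} ${HOST} ${MSGHDR}${MSG_TAG}${MSG}
# MSGHDR ("program[pid]: ") is optional because a plain line read from a
# file without a syslog header yields no program name; the "[TAG] " part
# is optional because MSG_TAG is only set when a rewrite rule matched.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<host>\S+) "
    r"(?:(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?:\[(?P<tag>SNORT|BRO-CONN|BRO-HTTP)\] )?"
    r"(?P<msg>.*)$"
)

class Record(NamedTuple):
    date: str
    host: str
    program: Optional[str]
    pid: Optional[int]
    tag: Optional[str]   # None when the line carried no [TAG] prefix
    msg: str

def parse_line(line: str) -> Optional[Record]:
    """Split one received line into its fields; None if it is not in the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pid = m.group("pid")
    return Record(m.group("date"), m.group("host"), m.group("program"),
                  int(pid) if pid else None, m.group("tag"), m.group("msg"))

def route(lines: List[str]) -> Dict[str, list]:
    """Bucket lines by tag; untagged and unparsable lines are kept apart so
    nothing is silently dropped on the collector."""
    buckets: Dict[str, list] = {"SNORT": [], "BRO-CONN": [], "BRO-HTTP": [],
                                "untagged": [], "unparsed": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            buckets["unparsed"].append(line)
        elif rec.tag is None:
            buckets["untagged"].append(rec)
        else:
            buckets[rec.tag].append(rec)
    return buckets

def tag_counts(buckets: Dict[str, list]) -> Dict[str, int]:
    return {name: len(items) for name, items in buckets.items()}

# Constructed sample input (hypothetical host "sensor1", made-up bodies):
# a snort alert and a bro conn.log line arrive without a syslog header,
# the bro http.log line and an unrelated sshd line carry one.
SAMPLE_LINES = [
    "2011-11-03T17:36:37+01:00 sensor1 [SNORT] [**] [1:2003:8] Example alert [**]",
    "2011-11-03T17:36:38+01:00 sensor1 [BRO-CONN] 1320338198.001\tCtUxFq2abc\t10.0.0.5\t51234\t10.0.0.1\t80\ttcp",
    "2011-11-03T17:36:40+01:00 sensor1 bro[2210]: [BRO-HTTP] GET /index.html",
    "2011-11-03T17:36:41+01:00 sensor1 sshd[999]: Accepted publickey for ops",
    "garbage",
]

if __name__ == "__main__":
    for name, n in tag_counts(route(SAMPLE_LINES)).items():
        print(f"{name:9s} {n}")
```

Because the tag is plain text in the message, an untagged line whose body happens to begin with `[SNORT] ` is indistinguishable from a tagged one on the receiving side; keeping the tagged log path on its own destination port (as d_remote_tagged does) and accounting for the `untagged` and `unparsed` buckets rather than discarding them is the cheap way to notice when that, or a template change on the sender, starts skewing the counts.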
