[syslog-ng] linux-audit-parser not found on stock install of Ubuntu 16.04

Czanik, Péter peter.czanik at balabit.com
Wed Nov 2 08:30:14 UTC 2016


Hi,

As far as I can remember, this feature arrived with syslog-ng version 3.7.
So you should install an unofficial version to use it:
https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng

Bye,

Peter Czanik (CzP) <peter.czanik at balabit.com>
Balabit / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

On Tue, Nov 1, 2016 at 10:22 PM, Varugis Kurien <vkurien at midfinsystems.com>
wrote:

> When using a freshly installed version of U16.04, I found that the linux
> audit log parser does not seem to be installed.
>
> For example:
>
> syslog-ng --module-registry|grep audit <-- returns nothing
>
> ==
>
> 1. This started because I experienced a failure when trying to enable
>    the linux audit parser:
>
> Error parsing parser expression, parser plugin linux-audit-parser not found in /etc/syslog-ng/conf.d/auditd.log.conf at line 3, column 8:
> included from /etc/syslog-ng/syslog-ng.conf line 164, column 1
> linux-audit-parser(prefix(".auditd."));
>
> 2. The corresponding conf file is below:
>
> source s_var_log_audit.log { file("/var/log/audit/audit.log" flags(no-parse)); };
>
> parser p_audit_syslog_parser { linux-audit-parser(prefix(".auditd.")); };
>
> log {
>     source(s_var_log_audit.log);
>     parser(p_audit_syslog_parser);
>     destination(d_midfin_logger_2);
> };
>
> The officially supported version of syslog-ng in Ubuntu is 3.5.1.
>
> ==
>
> syslog-ng 3.5.6
> Installer-Version: 3.5.6
> Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)
> Compile-Date: Oct 24 2015 03:49:19
> Available-Modules: json-plugin,csvparser,system-source,tfgeoip,afsocket-notls,afamqp,basicfuncs,affile,afsocket-tls,dbparser,afmongodb,cryptofuncs,afsmtp,linux-kmsg-format,afuser,redis,afsocket,afstomp,syslogformat,confgen,afprog,afsql
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: on
> Enable-Pcre: on
>
> Do I need to install an unofficial version, or is there some elementary
> mistake that I am making?
>
> thanks
>
> Varugis
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
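To make concrete what the missing linux-audit-parser(prefix(".auditd.")) plugin would do with records read from /var/log/audit/audit.log, here is an added illustration (not code from syslog-ng, nor from either poster): a small Python parser that turns one audit record into name-value pairs under the chosen prefix. The sample records are constructed; the naming of the header fields (.auditd.timestamp, .auditd.serial), the flattening of the nested msg='...' block, and the set of fields treated as hex-encoded are this example's own assumptions rather than a description of the syslog-ng plugin's exact output.

```python
"""Toy parser for Linux audit log records, in the spirit of syslog-ng's
linux-audit-parser(prefix(".auditd.")): every key=value pair in a record
becomes a name-value pair under the chosen prefix.

Added illustration only; field naming and hex-decoding rules below are this
example's assumptions, not syslog-ng's documented behaviour.
"""
import re
from typing import Dict

PREFIX = ".auditd."

# Constructed sample records in the auditd on-disk format (not from the thread).
SAMPLE_LINES = [
    """type=USER_LOGIN msg=audit(1478017345.123:456): pid=1234 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'""",
    'type=EXECVE msg=audit(1478017346.001:457): argc=2 a0="ls" a1=2D6C61',
]

# Record header: type=<TYPE> msg=audit(<epoch seconds>:<serial>): <key=value ...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# A value is double-quoted, single-quoted (the nested msg='...' block), or bare.
KV_RE = re.compile(
    r'''(?P<key>[A-Za-z0-9_]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S+))'''
)
# auditd writes values containing spaces or control characters as unquoted
# uppercase hex digits instead of quoting them.
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Fields this example is willing to hex-decode (assumption: a0, a1, ... plus these).
HEX_FIELDS = {"proctitle", "cwd", "comm", "exe", "name", "key"}


def _is_hex_field(key: str) -> bool:
    return key in HEX_FIELDS or re.fullmatch(r"a\d+", key) is not None


def _decode_hex(value: str) -> str:
    # NUL separates argv entries in proctitle; render it as a space.
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")


def _parse_pairs(text: str, prefix: str, out: Dict[str, str]) -> None:
    for kv in KV_RE.finditer(text):
        key = kv.group("key")
        if kv.group("sq") is not None:
            # Nested msg='...' block: flatten its pairs under the same prefix.
            _parse_pairs(kv.group("sq"), prefix, out)
            continue
        if kv.group("dq") is not None:
            value = kv.group("dq")
        else:
            value = kv.group("bare")
            if _is_hex_field(key) and HEX_RE.match(value):
                value = _decode_hex(value)
        out[prefix + key] = value


def parse_audit_line(line: str, prefix: str = PREFIX) -> Dict[str, str]:
    """Return the name-value pairs for one audit record, or raise ValueError."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {
        prefix + "type": m.group("type"),
        prefix + "timestamp": m.group("ts"),
        prefix + "serial": m.group("serial"),
    }
    _parse_pairs(m.group("rest"), prefix, fields)
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for name, value in sorted(parse_audit_line(line).items()):
            print(f"{name}={value}")
        print()
```

Running the module prints the pairs for both constructed records; the EXECVE record shows why a dedicated parser matters, since the argument a1=2D6C61 only becomes readable ("-la") once the hex encoding auditd applies to arguments with special characters is undone.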