[syslog-ng] Converting multiline text input to concatenated single-line syslog format

Newport, Brendan (Contractor - Security Operations - Development & Support) Brendan.Newport at lloydsbanking.com
Fri Sep 30 16:34:52 CEST 2016




Ha!

I think I might have been trying to achieve the impossible - getting syslog-ng to convert multiline log messages into concatenated syslog messages.

That doesn't appear to work. But I defined a syslogd instance to direct local5.info messages received from my syslog-ng client into a log file, and all works fine!

more local5.log

Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-386: ORACLE error 386 encountered  ORA-01017: invalid username/password; logon deniedUsername: Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-00034: Warning: FromUser "FALBOS" not found in export file With the Partitioning, OLAP and Data Mining options Export file created by EXPORT:V10.02.01 via conventional path
Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-386: ORACLE error 386 encountered  Warning: the objects were exported by FALCON, not by you import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set

Using this config in syslog-ng.conf:

source s_table {
    file("<path to input multi-line log file>"
        multi-line-prefix("IMP")         # regex marking the first line of each record;
                                         # only takes effect with multi-line-mode(prefix-garbage)
                                         # or multi-line-mode(prefix-suffix)
        flags(no-parse, no-multi-line)   # pass the raw line through, no syslog header parsing
        program_override("Table")        # value used for the PROGRAM field of each message
        default-facility(local5)
        default-priority(info)
    );
};

filter f_local5_info { facility(local5) and level(info); };

and with the destination defined as a UDP IP address on port 514:

log { source(s_table); filter(f_local5_info); destination(d_syslog_udp); };

As the desire is to get multiline non-syslog logs off-host to QRadar as syslog messages, that means the POC has passed fine!
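The conversion the post is after (group a prefix-delimited multiline log into records, flatten each record to one line, frame it as a local5.info syslog message and ship it over UDP/514) can also be done outside syslog-ng. The script below is an added example written for this page, not the poster's code and not part of syslog-ng. The input is a constructed sample modelled on the Oracle IMP lines quoted above, the hostname dbhost01 is an assumption, and the PRI value 174 comes from the RFC 3164 formula facility*8 + severity with local5 = 21 and info = 6. Control characters are replaced and messages are capped at 1024 bytes so that the single-line framing survives the trip to the collector.

```python
import re
import socket
from datetime import datetime

# Constructed sample input modelled on the IMP output quoted in the post.
# The exact line breaks are an assumption, not the poster's real file.
SAMPLE_LOG = """\
IMP-386: ORACLE error 386 encountered
ORA-01017: invalid username/password; logon denied
Username: Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
IMP-00034: Warning: FromUser "FALBOS" not found in export file
With the Partitioning, OLAP and Data Mining options
Export file created by EXPORT:V10.02.01 via conventional path
"""

LOCAL5 = 21      # RFC 3164 facility number for local5
INFO = 6         # RFC 3164 severity number for info
MAX_MSG = 1024   # RFC 3164 recommended maximum packet size in bytes


def group_records(text, prefix=r"^IMP-"):
    """Split a multiline log into records. A record starts at a line matching
    `prefix` and absorbs following lines until the next match; lines before the
    first match are dropped (the same idea as syslog-ng's prefix-garbage mode).
    Each record is returned flattened to a single space-joined line."""
    pattern = re.compile(prefix)
    records, current = [], None
    for line in text.splitlines():
        if pattern.search(line):
            if current is not None:
                records.append(current)
            current = [line.strip()]
        elif current is not None:
            current.append(line.strip())
    if current is not None:
        records.append(current)
    return [" ".join(r) for r in records]


def pri(facility, severity):
    """RFC 3164 PRI value; local5.info gives <174>."""
    return facility * 8 + severity


def rfc3164_timestamp(dt):
    """'Sep 30 14:45:35' style timestamp (day of month space padded)."""
    return "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))


def to_syslog(message, hostname, program, timestamp, facility=LOCAL5, severity=INFO):
    """Render one RFC 3164 message as bytes: <PRI>TIMESTAMP HOST PROGRAM: MSG.
    Non-printable characters (including any stray newline) are replaced so the
    message stays single-line, and the result is truncated to MAX_MSG bytes."""
    clean = "".join(c if c.isprintable() else " " for c in message)
    header = "<%d>%s %s %s: " % (pri(facility, severity), timestamp, hostname, program)
    body = (header + clean).encode("utf-8")
    if len(body) > MAX_MSG:
        # cut on a byte boundary, then drop any partial multi-byte sequence
        body = body[:MAX_MSG].decode("utf-8", "ignore").encode("utf-8")
    return body


def build_messages(text, hostname, program="Table", now=None):
    """Turn a whole multiline log into a list of ready-to-send syslog datagrams."""
    ts = rfc3164_timestamp(now or datetime.now())
    return [to_syslog(rec, hostname, program, ts) for rec in group_records(text)]


def send_udp(messages, collector, port=514):
    """Ship each record as its own UDP datagram, one syslog message per record."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for m in messages:
            sock.sendto(m, (collector, port))
    finally:
        sock.close()


if __name__ == "__main__":
    # Print instead of sending, so the example runs offline.
    for m in build_messages(SAMPLE_LOG, "dbhost01", now=datetime(2016, 9, 30, 14, 45, 35)):
        print(m.decode("utf-8"))
```

Replace the print loop with send_udp(messages, "<collector IP>") to deliver to a QRadar or syslog-ng collector; because plain UDP syslog is unauthenticated and unacknowledged, a real deployment should prefer TCP or TLS transport where the collector supports it.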



