[syslog-ng] Syslog-ng and OSQUERY
Czanik, Péter
peter.czanik at balabit.com
Tue Apr 18 13:42:37 UTC 2017
Hi,
What do you try to achieve? Sending syslog messages to OSquery or
collecting OSquery logs by syslog-ng?
/me now has a test environment installed
Bye,
Peter Czanik (CzP) <peter.czanik at balabit.com>
Balabit / syslog-ng upstream
https://www.balabit.com/blog/author/peterczanik/
https://twitter.com/PCzanik
On Mon, Apr 17, 2017 at 4:32 PM, Dwijadas Dey <dwijad at gmail.com> wrote:
> Hi
> Robert
> You are right, i am trying the same with a named pipe so
> that OSQUERY consume syslogs as pointed by Evan. There are plenty of
> documents showing the same with rsyslog but not with syslog-ng.
>
> This is what my syslog configuration for osquery:-
>
> /etc/syslog-ng/conf.d/osquery.conf
>
> source s_osquery {
> # system();
> pipe("/var/osquery/syslog_pipe");
> # unix-stream("/dev/log");
> };
> #filter osqueryd {
> # program("^osqueryd.*");
> #};
> destination d_osquery {
> file("/var/log/osquery/osqueryd.results.log"
> template("$(format-json --scope selected_macros --scope nv_pairs)\n"));
> };
> log {
> source(s_osquery);
> # filter(osqueryd);
> destination(d_osquery);
> };
>
> But this does not produce any logs for OSQUERY. I have checked , the name
> piped has been created.
>
> # ls -l /var/osquery/syslog_pipe
> pr--rw---- 1 root adm 0 Apr 14 15:41 /var/osquery/syslog_pipe
>
> But when i try to check what logs are passing through the pipe using
> following command, no message shows up.
> # cat /var/osquery/syslog_pipe
>
> I have correct options set in OSQUERY configuration file in
> /etc/osquery/osquery.conf.
>
> ..................
> ..................
> "logger_plugin": "syslog",
> "enable_syslog": "true",
> "syslog_pipe_path": "/var/osquery/syslog_pipe",
> ..................
> ..................
> I think Evan can point me the right configuration for syslog-ng ( version
> 3.5.6 in ubuntu 16 )
>
> Regards
>
>
>
>
> On Mon, Apr 17, 2017 at 6:24 PM, Fekete, Róbert <robert.fekete at balabit.com
> > wrote:
>
>> Hi,
>>
>> It seems that by default, osquery logs JSON messages into a file. (
>> https://osquery.readthedocs.io/en/latest/deployment/logging/ )
>> You can use this file in a syslog-ng source, and parse the JSON messages
>> with the json parser (note that you need a recent syslog-ng OSE for this),
>> see https://www.balabit.com/documents/syslog-ng-ose-latest-
>> guides/en/syslog-ng-ose-guide-admin/html/json-parser.html .
>>
>>
>> The above Osquery page mentions that it can send log messages directly to
>> syslog (instead of a file), but I haven't found how you can actually
>> configure it.
>>
>> Regards,
>>
>> Robert
>>
>> On Fri, Apr 14, 2017 at 9:46 PM, Dwijadas Dey <dwijad at gmail.com> wrote:
>>
>>> Hi
>>> List users
>>> Is it possible to send OSQUERY logs to syslog-ng 3.5
>>> In the OSQUERY docs
>>> <https://osquery.readthedocs.io/en/latest/deployment/syslog/> rsyslog
>>> is configured to write logs to syslog. Does the same method applies to
>>> syslog-ng 3.5 ?
>>>
>>> Thanks and regards
>>>
>>> ____________________________________________________________
>>> __________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support
>>> /documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>> ____________________________________________________________
>> __________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=
>> syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170418/aacfa175/attachment.html>
More information about the syslog-ng
mailing list