[syslog-ng] Structure data set to "-"
Debjyoti Mukherjee
debmukhra at gmail.com
Tue Dec 3 10:06:21 UTC 2019
Hello Gabor,
Thanks for the information.
There was no issue in the server side. As RFC 5424 suggested this field can
be NULL, I was wondering how to set this to "-" in syslog-ng
On Fri, Nov 29, 2019 at 9:57 PM Gabor Nagy (gnagy) <
Gabor.Nagy at oneidentity.com> wrote:
> Thanks for the information.
>
> There is no configuration option to disable automatic sequenceID
> generation into SDATA or to disable using SDATA when syslog() destination
> or the "syslog-protocol" flag is used.
> In case of local sources, like file(), unix-dgram() or the system() source
> (except where systemd is used) the sequenceID is automatically added, as
> stated before.
>
> I've checked for workarounds, but haven't found a good one:
>
> - unset() rewrite rule won't work, as in this case the sequenceID is
> generated on destination side,
> - using a custom RFC5424-like template(), where the SDATA is replaced
> with a literal "-" won't work either, as in case of syslog() or network(...
> flags(syslog-protocol)), the "frame" of RFC5424 is automatically
> added to the outgoing message.
>
> The only way this can be done if a simple TCP destination is used, with
> the above mentioned custom RFC5424-like template, but the source on the
> server side has to be changed to a simple TCP source as well.
>
>
> I've found some discussion about the future of SEQNUM, which is slightly
> connected to this:
> https://github.com/syslog-ng/syslog-ng/issues/2152
> > 3. drop SEQNUM support, as noone cares. Be able to extract it from log
> messages, but leave it in a name-value pair (e.g. .cisco.seq_num), and
> nothing else. Never generate it on output.
>
> Just out of interest, can you explain to me what kind of problem is caused
> by sequenceId on server side?
> Maybe we can filter, or opt out the sequenceId on the server side (as
> syslog() source on the server side will parse it, there it can be removed
> with a rewrite rule).
>
> Regards,
> Gabor
>
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Debjyoti Mukherjee <debmukhra at gmail.com>
> *Sent:* Friday, November 29, 2019 11:30
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Structure data set to "-"
>
> CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
>
> Configuration is simple with default config only I have added a
> destination syslog () to send to UDP remote host listening on 514 port
>
> On Wed, Nov 27, 2019 at 7:11 PM Gabor Nagy (gnagy) <
> Gabor.Nagy at oneidentity.com> wrote:
>
> Hello,
>
> Syslog-ng does not always put the sequenceId into SDATA, for example logs
> from a local file will have a seqnum and when forwarded it will have this
> SDATA field.
> More info about this can be found under SEQNUM macro in our admin guide:
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/63#TOPIC-1298112
> <https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.syslog-ng.com%2Ftechnical-documents%2Fdoc%2Fsyslog-ng-open-source-edition%2F3.24%2Fadministration-guide%2F63%23TOPIC-1298112&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507915178&sdata=iwziFWST8r6l6AE346sbA6o%2FRjmxiemwA3fACrrda8c%3D&reserved=0>
>
>
> Well, I don't know a quick solution (e.g. a config option to disable
> this), I'll try to help you.
>
> Can you share your configuration, please?
>
> Regards,
> Gabor
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Debjyoti Mukherjee <debmukhra at gmail.com>
> *Sent:* Tuesday, November 26, 2019 16:17
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Structure data set to "-"
>
> CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
>
> Hello
>
> Trying to send logs to remote syslog server in RFC 5424 format. The
> STRUCTURE_DATA should be set to "-".
>
> What is the way to the this value to "-"
>
> Currently it is coming as [meta sequenceId="21"]. I am using Openwrt and
> the syslog version is 3.24
>
> Thank you
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> <https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507925171&sdata=vPpAAE9LuenQ2WmwhfcijUoNgxSlWAIT5qahMA5ycgQ%3D&reserved=0>
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> <https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507925171&sdata=ePekEu%2BTh7n7w36V69NmI%2BE%2FDwDfqfi51ZTsKFYjg3I%3D&reserved=0>
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> <https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Ca08952d24af0437b4ace08d774b732ad%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637106202507935164&sdata=HnKbecsXh%2FOo93HooesTjCG8PgpJWcNr%2FoXPsMuTghI%3D&reserved=0>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20191203/21acc7e5/attachment-0001.html>
More information about the syslog-ng
mailing list