[syslog-ng] Structure data set to "-"

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Tue Dec 3 12:49:52 UTC 2019


Hi,


I see, so it's not an issue, but a request to be able to disable SDATA?


I've opened a feature request on Github [1], to be able to disable the sequenceId generation into SDATA, but not the whole SDATA.
It has to be refined first, as I see it dangerous to disable SDATA usage on dest. side in case multiple sources are connected to the destination and some of them have received information in SDATA.


[1] https://github.com/syslog-ng/syslog-ng/issues/3036

Regards,
Gabor
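As an added example (not syslog-ng code, and not from anyone in this thread): a small Python parser for the RFC 5424 STRUCTURED-DATA field that removes only the meta/sequenceId parameter, keeps every other SD-ELEMENT that another source may have sent, and falls back to the "-" NILVALUE when nothing is left, which is the server-side filtering discussed below. The sample lines, host and app names are constructed.

```python
import re

# RFC 5424 HEADER (PRI, VERSION 1, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID) plus the SP before STRUCTURED-DATA.
HEADER_RE = re.compile(r'^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ ')
# One SD-PARAM inside an SD-ELEMENT; PARAM-VALUE may contain the escapes \" \\ and \].
PARAM_RE = re.compile(r' ([^ =\]"]+)="((?:[^"\\]|\\.)*)"')

def split_structured_data(rest):
    """Split text starting at STRUCTURED-DATA into (list of SD-ELEMENT strings, MSG)."""
    if rest.startswith('-'):                      # NILVALUE: no structured data at all
        return [], rest[2:] if rest.startswith('- ') else ''
    elements, i = [], 0
    while i < len(rest) and rest[i] == '[':
        j = i + 1
        while j < len(rest) and rest[j] != ']':
            j += 2 if rest[j] == '\\' else 1      # an escaped ] must not end the element
        elements.append(rest[i:j + 1])
        i = j + 1
    msg = rest[i + 1:] if rest[i:i + 1] == ' ' else ''   # MSG follows a single SP, if present
    return elements, msg

def strip_param(element, sd_id, name):
    """Drop one SD-PARAM from the element with SD-ID sd_id; return None if it becomes empty."""
    sd, _, params = element[1:-1].partition(' ')
    if sd != sd_id:
        return element                            # untouched: another source's SDATA
    kept = [m.group(0) for m in PARAM_RE.finditer(' ' + params)
            if m.group(1) != name]
    return '[' + sd + ''.join(kept) + ']' if kept else None

def drop_sequence_id(line):
    """Rewrite an RFC 5424 line so that meta/sequenceId is gone but other SDATA stays."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message: %r' % line)
    elements, msg = split_structured_data(line[m.end():])
    kept = filter(None, (strip_param(e, 'meta', 'sequenceId') for e in elements))
    sd = ''.join(kept) or '-'                     # back to NILVALUE when no element remains
    return line[:m.end()] + sd + (' ' + msg if msg else '')

# Constructed sample lines in the shape described in the thread (not captured traffic).
SAMPLES = [
    '<13>1 2019-11-26T16:17:00Z gw app - - [meta sequenceId="21"] hello',
    '<13>1 2019-11-26T16:17:01Z gw app - - [meta sequenceId="22" sysUpTime="5"]'
    '[x@1 v="a\\]b"] kept',
    '<13>1 2019-11-26T16:17:02Z gw app - - - already nil',
]

if __name__ == '__main__':
    print('\n'.join(drop_sequence_id(s) for s in SAMPLES))
```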
________________________________
From: Debjyoti Mukherjee <debmukhra at gmail.com>
Sent: Tuesday, December 3, 2019 11:06
To: Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Structure data set to "-"


Hello Gabor,
Thanks for the information.

There was no issue on the server side. As RFC 5424 suggests this field can be NULL, I was wondering how to set this to "-" in syslog-ng.

On Fri, Nov 29, 2019 at 9:57 PM Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com> wrote:
Thanks for the information.

There is no configuration option to disable automatic sequenceID generation into SDATA or to disable using SDATA when syslog() destination or the "syslog-protocol" flag is used.
In case of local sources, like file(), unix-dgram() or the system() source (except where systemd is used) the sequenceID is automatically added, as stated before.

I've checked for workarounds, but haven't found a good one:

  *   unset() rewrite rule won't work, as in this case the sequenceID is generated on destination side,
  *   using a custom RFC5424-like template(), where the SDATA is replaced with a literal "-" won't work either, as in case of syslog() or network(... flags(syslog-protocol)), the "frame" of RFC5424 is automatically added to the outgoing message.

The only way this can be done is if a simple TCP destination is used, with the above mentioned custom RFC5424-like template, but the source on the server side has to be changed to a simple TCP source as well.


I've found some discussion about the future of SEQNUM, which is slightly connected to this:
https://github.com/syslog-ng/syslog-ng/issues/2152
> 3. drop SEQNUM support, as no one cares. Be able to extract it from log messages, but leave it in a name-value pair (e.g. .cisco.seq_num), and nothing else. Never generate it on output.

Just out of interest, can you explain to me what kind of problem is caused by sequenceId on server side?
Maybe we can filter, or opt out the sequenceId on the server side (as syslog() source on the server side will parse it, there it can be removed with a rewrite rule).

Regards,
Gabor

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Debjyoti Mukherjee <debmukhra at gmail.com>
Sent: Friday, November 29, 2019 11:30
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Structure data set to "-"


The configuration is simple: the default config, where I have only added a syslog() destination to send to a UDP remote host listening on port 514.

On Wed, Nov 27, 2019 at 7:11 PM Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com> wrote:
Hello,

Syslog-ng does not always put the sequenceId into SDATA; for example, logs from a local file will have a seqnum, and when forwarded they will have this SDATA field.
More info about this can be found under the SEQNUM macro in our admin guide:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/63#TOPIC-1298112


Well, I don't know a quick solution (e.g. a config option to disable this), but I'll try to help you.

Can you share your configuration, please?

Regards,
Gabor
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Debjyoti Mukherjee <debmukhra at gmail.com>
Sent: Tuesday, November 26, 2019 16:17
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Structure data set to "-"


Hello

Trying to send logs to a remote syslog server in RFC 5424 format. The STRUCTURED-DATA should be set to "-".

What is the way to set this value to "-"?

Currently it is coming as [meta sequenceId="21"]. I am using OpenWrt and the syslog version is 3.24.

Thank you
