[syslog-ng] Support for netflow logs

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Tue Dec 3 14:07:53 UTC 2019


Hi,

The tcp destination uses RFC3164 protocol by default.
https://tools.ietf.org/html/rfc3164#section-4.1

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu at gmail.com>
Sent: Tuesday, December 3, 2019 2:07 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Support for netflow logs

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hi,

I observe that timestamp and host is getting added to my netflow log before being forwarded even though I am
using pure tcp driver for output and not syslog.

Raghu

On Mon, Dec 2, 2019, 20:49 Raghunath Adhyapak <funduraghu at gmail.com<mailto:funduraghu at gmail.com>> wrote:
Thanks.

On Mon, Dec 2, 2019, 18:02 Laszlo Szemere (lszemere) <Laszlo.Szemere at oneidentity.com<mailto:Laszlo.Szemere at oneidentity.com>> wrote:
Hello Raghu,
 Netflow is indeed a binary protocol. Since Syslog-ng is a text based log management system, I think your only option is to find some kind of "gateway" for the Netflow traffic.

 The gateway should be able to receive and convert those packets into a text format. (At this point you will certainly loose some information, since not all network related bytes can be converted into a printable character. Or you should use some encoding on it.)
 This gateway might run as a stand alone application, or you can integrate it into Syslog-ng as a program (or python) source.

Best regards,
Laci

________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu<mailto:syslog-ng-bounces at lists.balabit.hu>> on behalf of Pal, Laszlo <vlad at vlad.hu<mailto:vlad at vlad.hu>>
Sent: Wednesday, November 27, 2019 14:03
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Support for netflow logs

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

I'm also interested in this. As I know there is no native netflow input in syslog-ng and when I did some research on it, it is not very easy. Logstash has a native netflow input and output, but it seems this is abandoned and not very stable. nxLog also support netflow but I'm not sure if it is only in the enterprise version or it is available in the CE too

L:


On Wed, Nov 27, 2019 at 1:58 PM Raghunath Adhyapak <funduraghu at gmail.com<mailto:funduraghu at gmail.com><mailto:funduraghu at gmail.com<mailto:funduraghu at gmail.com>>> wrote:
Hi,

I was trying to receive Netflow logs from firewall devices in syslog-ng and then forward to a central server.
Does syslog-ng support netflow such that I can validate and filter out all non-netflow log lines?
I also dumped some netflow logs to a file and found it to be binary. Therefore I haven't been able to ascertain the format and filtering mechanism.

Any pointers on this topic would be helpful.

Thanks
Raghu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761327014&sdata=RfnhQwf76tknppvk5RWVvUGy%2BL15OtIzPGKiwcMrBvs%3D&reserved=0><https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CLaszlo.Szemere%40oneidentity.com%7C8184443d85744e714f7f08d7733a477f%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637104566463198370&sdata=85l75FHhoJ7%2Fl%2FLPMhe8OuP6ZY00oRpgW38XZFcigeY%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761327014&sdata=RfnhQwf76tknppvk5RWVvUGy%2BL15OtIzPGKiwcMrBvs%3D&reserved=0>>
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761337009&sdata=IkGk%2FeYDG1YVj0MXXz5OpED%2FK2WbRNB46FH6s7i9G5s%3D&reserved=0><https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CLaszlo.Szemere%40oneidentity.com%7C8184443d85744e714f7f08d7733a477f%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637104566463208370&sdata=Dw5MDQ3N1r%2FZ1W9L3hoA%2FRq5I0qzKs16IFrwWEkwaGk%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761347003&sdata=SkqwXemh1nXMKQ7UeN8FdfgObCyl4jX%2FOvLvcfR3GYI%3D&reserved=0>>
FAQ: http://www.balabit.com/wiki/syslog-ng-faq<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761347003&sdata=gBu6ntJVMDzUFIomTQM86CAzk7SN5atwiSSWBqvFG%2Fo%3D&reserved=0><https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CLaszlo.Szemere%40oneidentity.com%7C8184443d85744e714f7f08d7733a477f%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637104566463208370&sdata=nTLrYU59%2FG%2FRC6SxO83BWiBMb1qeHZ2z%2F%2FuEjJWddmo%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761357002&sdata=HDZsg6wF7%2BFtfDAnmAjkMZRYFY3kfPJF7fzS8HdnyyU%3D&reserved=0>>

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761367002&sdata=GT%2FO7sk1mPBq5PGF9tKpDGIKYpvw4DxMzd3kyG5cTc4%3D&reserved=0>
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761367002&sdata=30ufxme6bpnW%2FcgefyU7ev4vlZG2euU7np8yOxIKMBQ%3D&reserved=0>
FAQ: http://www.balabit.com/wiki/syslog-ng-faq<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C4af1ec25c0f64ef2e54608d777f1cdbd%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637109752761376993&sdata=aZUEc6FiO8aGHByNCSkY4BQzpVWaVE6CiPnorO7VxPg%3D&reserved=0>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20191203/17b3b935/attachment-0001.html>


More information about the syslog-ng mailing list