[syslog-ng] Support for netflow logs

Raghunath Adhyapak funduraghu at gmail.com
Tue Dec 3 14:57:52 UTC 2019


Thanks.
Is there any way to disable this for tcp?
I.e. just send the message as is

Raghu

On Tue, Dec 3, 2019, 19:37 Attila Szakacs (aszakacs) <
Attila.Szakacs at oneidentity.com> wrote:

> Hi,
>
> The tcp destination uses RFC3164 protocol by default.
> https://tools.ietf.org/html/rfc3164#section-4.1
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Tuesday, December 3, 2019 2:07 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Support for netflow logs
>
>
> Hi,
>
> I observe that the timestamp and host are getting added to my netflow log
> before being forwarded even though I am
> using the pure tcp driver for output and not syslog.
>
> Raghu
>
> On Mon, Dec 2, 2019, 20:49 Raghunath Adhyapak <funduraghu at gmail.com>
> wrote:
>
> Thanks.
>
> On Mon, Dec 2, 2019, 18:02 Laszlo Szemere (lszemere) <
> Laszlo.Szemere at oneidentity.com> wrote:
>
> Hello Raghu,
>  Netflow is indeed a binary protocol. Since Syslog-ng is a text-based log
> management system, I think your only option is to find some kind of
> "gateway" for the Netflow traffic.
>
>  The gateway should be able to receive and convert those packets into a
> text format. (At this point you will certainly lose some information,
> since not all network-related bytes can be converted into a printable
> character. Or you should use some encoding on it.)
>  This gateway might run as a stand-alone application, or you can integrate
> it into Syslog-ng as a program (or python) source.
>
> Best regards,
> Laci
>
> ________________________________________
> From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal,
> Laszlo <vlad at vlad.hu>
> Sent: Wednesday, November 27, 2019 14:03
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Support for netflow logs
>
>
> I'm also interested in this. As far as I know there is no native netflow input in
> syslog-ng and when I did some research on it, it is not very easy. Logstash
> has a native netflow input and output, but it seems this is abandoned and
> not very stable. nxLog also supports netflow but I'm not sure if it is only
> in the enterprise version or it is available in the CE too.
>
> L:
>
>
> On Wed, Nov 27, 2019 at 1:58 PM Raghunath Adhyapak <funduraghu at gmail.com>
> wrote:
> Hi,
>
> I was trying to receive Netflow logs from firewall devices in syslog-ng
> and then forward to a central server.
> Does syslog-ng support netflow such that I can validate and filter out all
> non-netflow log lines?
> I also dumped some netflow logs to a file and found it to be binary.
> Therefore I haven't been able to ascertain the format and filtering
> mechanism.
>
> Any pointers on this topic would be helpful.
>
> Thanks
> Raghu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
>
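The "gateway" Laci describes above, as an added example that is not part of this thread and not syslog-ng project code: a small Python NetFlow v5 decoder that does the two things Raghu asked for, validating that a datagram really is NetFlow (version, record count and length all have to agree, otherwise it is rejected rather than forwarded) and converting each binary flow record into one printable key=value line. Such a script could be run from a syslog-ng program() source, printing one line per flow record to stdout; the sample datagram below is constructed in the code with documentation-range addresses, not captured traffic, and the helper names (parse_netflow_v5, is_netflow_v5, build_sample_datagram) are this example's own.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout, network byte order (classic Cisco format).
HEADER_FMT = "!HHIIIIBBH"                # 24 bytes: version, count, sys_uptime,
                                         # unix_secs, unix_nsecs, flow_sequence,
                                         # engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # 48 bytes per flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30  # a v5 exporter sends at most 30 records per datagram


def parse_netflow_v5(datagram: bytes) -> list:
    """Validate a datagram as NetFlow v5 and return one text line per flow record.

    Raises ValueError for anything that is not a well-formed v5 export. This is
    the "filter out all non-netflow" check: a gateway should drop such datagrams
    instead of pushing binary garbage into the text log pipeline.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count == 0 or count > MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    expected = HEADER_LEN + count * RECORD_LEN
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} does not match count {count}")

    lines = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        # Only printable fields survive; exactly the information loss Laci mentions.
        lines.append(
            f"netflow5 exporter_time={unix_secs} seq={flow_seq} rec={i} "
            f"engine={engine_type}/{engine_id} "
            f"src={IPv4Address(src)}:{sport} dst={IPv4Address(dst)}:{dport} "
            f"nexthop={IPv4Address(nexthop)} in_if={in_if} out_if={out_if} "
            f"proto={proto} tos={tos} tcp_flags=0x{tcp_flags:02x} "
            f"pkts={pkts} bytes={octets} first_ms={first} last_ms={last}"
        )
    return lines


def is_netflow_v5(datagram: bytes) -> bool:
    """Boolean form of the validation, handy as a filter in front of the decoder."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_datagram() -> bytes:
    """Constructed sample export with two flow records (not real traffic)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1575381472, 0, 1000, 0, 0, 0)
    # TCP 192.0.2.10:51515 -> 198.51.100.5:443, flags PSH|ACK
    rec_tcp = struct.pack(RECORD_FMT,
                          IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.5").packed,
                          b"\x00\x00\x00\x00", 1, 2, 10, 1500, 100, 200,
                          51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    # UDP 192.0.2.11:40000 -> 198.51.100.53:53 (a DNS lookup)
    rec_udp = struct.pack(RECORD_FMT,
                          IPv4Address("192.0.2.11").packed, IPv4Address("198.51.100.53").packed,
                          b"\x00\x00\x00\x00", 1, 2, 1, 76, 300, 300,
                          40000, 53, 0, 0x00, 17, 0, 0, 0, 24, 24, 0)
    return header + rec_tcp + rec_udp


if __name__ == "__main__":
    # Stand-alone run: decode the constructed datagram and print it the way a
    # program() source would hand it to syslog-ng, one record per line.
    for line in parse_netflow_v5(build_sample_datagram()):
        print(line)
```

Wiring this to a live collector is a matter of reading datagrams from a UDP socket in the main loop and printing the returned lines; whatever fails is_netflow_v5 is simply counted and dropped, which keeps non-NetFlow noise out of the forwarded stream.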