[syslog-ng] log server duplication

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Fri Nov 15 09:17:38 UTC 2019


Hello,
If upgrading syslog-ng is an option for you, then you can use ewmm (introduced in 3.17: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.17.1) to transport your messages between two syslog-ng instances. This way the logs will be identical on the second machine, so every MACRO will produce the same output.

If upgrading syslog-ng is not possible in your environment, I would recommend putting the necessary information (the HOST_FROM field in your case) into a custom SDATA field, which will be automatically transported by the syslog protocol, and using that on the second server.

Br,
Laci
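The SDATA route from the reply above, worked through as two syslog-ng 3.12 configuration fragments. This is an added example written for this page; it is not code from the thread or from the syslog-ng project. Logserver 1 keeps the poster's IP-keyed file layout and additionally forwards every auth message as RFC 5424 (the syslog() driver) with ${HOST_FROM} copied into a custom SDATA element; logserver 2 receives with a syslog() source and uses that element, instead of ${HOST_FROM}, to build the same directory tree and to filter. Hostnames, ports, the f_auth filter and the SD-ID "relay@32473" (32473 is the enterprise number RFC 5612 reserves for documentation) are assumptions, not values from the thread.

```conf
# Added example (not from the thread). Two fragments, one per host; each
# goes into that host's syslog-ng.conf. Hostnames, ports, the filter and the
# "relay@32473" SD-ID are assumed/illustrative.
@version: 3.12

# ================= logserver 1: existing SIEM, receives from the fleet =================
options {
    use_dns(no);          # ${HOST_FROM} stays the raw peer IP, as in the poster's setup
    keep_hostname(yes);
    create_dirs(yes);
};

source s_fleet {
    network(ip("0.0.0.0") port(514) transport("udp"));  # assumed: fleet sends BSD syslog over UDP
};

filter f_auth { facility(auth, authpriv); };            # assumed selection rule

# ${HOST_FROM} is the address of the socket peer the message arrived from.
# Copy it into a name-value pair under the ".SDATA." prefix: syslog-ng emits
# everything under that prefix in the STRUCTURED-DATA part of an RFC 5424 message.
rewrite r_keep_hostfrom {
    set("${HOST_FROM}" value(".SDATA.relay@32473.orig_host"));
};

destination d_local_auth {
    file("/var/log/corporate/${HOST_FROM}/auth.log");
};

# Must be the syslog() (IETF, RFC 5424) driver. A legacy network()/tcp()
# destination sends BSD-format lines and the structured data is lost.
destination d_relay {
    syslog("logserver2.example.net" transport("tcp") port(601));
};

log {
    source(s_fleet);
    filter(f_auth);
    rewrite(r_keep_hostfrom);
    destination(d_local_auth);
    destination(d_relay);
};

# ================= logserver 2: the replica =================
options {
    use_dns(no);
    keep_hostname(yes);
    create_dirs(yes);
};

# syslog() source parses RFC 5424, so the SD element becomes
# ${.SDATA.relay@32473.orig_host} on this side.
source s_relay {
    syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

# Selecting on the relayed address works the same way filters did on logserver 1;
# here ${HOST_FROM} would always be logserver 1 itself, so it cannot be used.
filter f_corp_net {
    match("^10\\.0\\." value(".SDATA.relay@32473.orig_host"));  # assumed address range
};

destination d_net_auth {
    file("/var/log/corporate/${.SDATA.relay@32473.orig_host}/auth.log");
};

log {
    source(s_relay);
    filter(f_corp_net);
    destination(d_net_auth);
};
```

Two practitioner caveats. First, logserver 2 now trusts whatever arrives in that SD element and uses it as a path component, so the syslog() source on port 601 should only be reachable from logserver 1 (firewall, or TLS with a client certificate via the driver's tls() options); a peer that can reach it could supply an orig_host such as "../.." and steer file() outside the intended tree, which ${HOST_FROM} never could. Second, the UDP fleet source carries the same spoofability of the peer address as the original setup did; TCP from the fleet removes that. On 3.17 and later, the ewmm path the reply mentions (the $(format-ewmm) template on the sender with the matching ewmm-parser() on the receiver, assumed here to be the relevant pair) carries the whole message, name-value pairs included, so the receiver needs no custom element at all.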

________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal, Laszlo <vlad at vlad.hu>
Sent: Thursday, November 14, 2019 15:15
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] log server duplication


In the path, try using something like this:

"/var/log/netlog/app/${HOST}/${PROGRAM}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

On Wed, Nov 13, 2019 at 7:36 PM <freebsd at tango.lu> wrote:
Hello,

I have a syslog-ng based SIEM setup with customized rules like:

options {
         use_dns(no);
         use_fqdn(no);
         check_hostname(no);
         owner(root);
         group(root);
         perm(0640);
         dir_owner(root);
         dir_group(root);
         dir_perm(0750);
         create_dirs(yes);
         normalize_hostnames(yes);
         keep_hostname(yes);
         # disable stats
         stats_freq(0);
};



destination d_net_auth {
         file("/var/log/corporate/$HOST_FROM/auth.log");
};
...

These settings disable DNS resolution, with the result that when hosts
send their logs into this SIEM, the directories where the logs go are
created by their IP addresses.

I would like to replicate this server on a second location without using
brute methods like rsyncing the whole directory structure daily. I have
configured syslog-ng to keep forwarding the logs to a remote destination,
which works fine; however, I can't select the messages based on the same
criteria on the new log server because if I use the same config,
everything will originate from the IP of logserver 1. I need IP based
directories on the second loghost as well, everything to be identical.

I'm using syslog-ng 3.12.

Is there a workaround for this?

Thanks
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


