[syslog-ng] log server duplication

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Fri Nov 15 14:33:21 UTC 2019


Hello!
> I assume for this EWMM both of them have to be 3.17+.
Correct. Documentation: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/ewmm-intro

> Does it also support some sort of SSL transport of the logs over TCP?
Yes. See the "tls()" option in the documentation under the syslog-ng destination/source.


Br,
Laci

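Added example (not from the thread or the syslog-ng project): a pair of configuration fragments showing the two routes discussed above, the custom-SDATA workaround that runs on the existing 3.12 sender, and the EWMM variant for when both ends are 3.17+, with TLS on the hop. Host names, ports, certificate paths, the "corp@32473" SD-ID (32473 is the RFC 5424 example enterprise number) and the f_auth filter are assumptions; the tls() block uses the same options as the network()/syslog() drivers, as the thread's pointer to the documentation indicates.

```conf
# ---- Log server 1 (sender, syslog-ng 3.12) -------------------------------
@version: 3.12

source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));   # assumed listener
};

filter f_auth { facility(auth, authpriv); };           # assumed selection

# Copy HOST_FROM into a custom SDATA field. Name-value pairs under
# ".SDATA.<sdid>@<PEN>." are carried in the RFC 5424 STRUCTURED-DATA
# element by the syslog() destination, so the value survives the hop.
rewrite r_origin {
    set("${HOST_FROM}" value(".SDATA.corp@32473.host_from"));
};

destination d_local_auth {
    file("/var/log/corporate/${HOST_FROM}/auth.log");
};

destination d_replica {
    syslog("loghost2.example.com" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            cert-file("/etc/syslog-ng/cert.d/loghost1.crt")
            key-file("/etc/syslog-ng/cert.d/loghost1.key")
            peer-verify(required-trusted))
    );
};

# The rewrite must precede the destinations in the log path.
log {
    source(s_net); filter(f_auth); rewrite(r_origin);
    destination(d_local_auth); destination(d_replica);
};

# ---- Log server 2 (replica, syslog-ng 3.17) ------------------------------
@version: 3.17

source s_replica {
    syslog(ip("0.0.0.0") port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            cert-file("/etc/syslog-ng/cert.d/loghost2.crt")
            key-file("/etc/syslog-ng/cert.d/loghost2.key")
            peer-verify(required-trusted))
    );
};

filter f_auth { facility(auth, authpriv); };

# On this box $HOST_FROM is always loghost1's address, so the directory
# name is taken from the transported field instead.
destination d_net_auth {
    file("/var/log/corporate/${.SDATA.corp@32473.host_from}/auth.log");
};

log { source(s_replica); filter(f_auth); destination(d_net_auth); };

# ---- EWMM alternative once both ends are 3.17+ ----------------------------
# syslog-ng() sends every name-value pair, HOST_FROM included, so the
# replica can keep the original "$HOST_FROM" path unchanged. Its tls()
# block takes the same options as above (assumed; see the admin guide).
destination d_replica_ewmm {
    syslog-ng(server("loghost2.example.com") port(514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            cert-file("/etc/syslog-ng/cert.d/loghost1.crt")
            key-file("/etc/syslog-ng/cert.d/loghost1.key")
            peer-verify(required-trusted)));
};
```

One caveat worth keeping in mind with the SDATA route: the directory name on the replica is now taken from a value inside the message rather than from the socket, so it is only as trustworthy as the peer that set it. Keeping peer-verify(required-trusted) with a CA that issues certificates only to loghost1 ensures nothing else can deliver messages to that listener and choose the path component. Apply the same options{} block (dir_perm, perm, create_dirs and so on) on both servers so the on-disk layout stays identical.
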
________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of freebsd at tango.lu <freebsd at tango.lu>
Sent: Friday, November 15, 2019 15:25
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] log server duplication



Hello,

This EWMM sounds more like a well-engineered solution; the update might
be worth it.

My sender node: syslog-ng-3.12.1p5  log management solution
My receiver node: syslog-ng-3.17.2nb1 Highly portable log management
solution

I assume for this EWMM both of them have to be 3.17+.

Does it also support some sort of SSL transport of the logs over TCP?

Thanks.


On 2019-11-15 10:17, Laszlo Szemere (lszemere) wrote:
> Hello,
>  if upgrading syslog-ng is an option for you, then you can use ewmm
> (introduced in 3.17:
> https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.17.1)
> to transport your messages between two syslog-ng instances. This way
> the logs will be identical on the second machine, so every MACRO will
> produce the same output.
>
>  if upgrading syslog-ng is not possible in your environment, I would
> recommend putting the necessary information (the HOST_FROM field, in
> your case) into a custom SDATA field - which will be automatically
> transported by the syslog protocol - and using that on the second
> server.
>
> Br,
> Laci
>
> ________________________________________
> From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal,
> Laszlo <vlad at vlad.hu>
> Sent: Thursday, November 14, 2019 15:15
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] log server duplication
>
>
> In path try use like this
>
> "/var/log/netlog/app/${HOST}/${PROGRAM}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
>
> On Wed, Nov 13, 2019 at 7:36 PM
> <freebsd at tango.lu> wrote:
> Hello,
>
> I have a syslogNG based siem setup with customized rules like:
>
> options {
>          use_dns(no);
>          use_fqdn(no);
>          check_hostname(no);
>          owner(root);
>          group(root);
>          perm(0640);
>          dir_owner(root);
>          dir_group(root);
>          dir_perm(0750);
>          create_dirs(yes);
>          normalize_hostnames(yes);
>          keep_hostname(yes);
>          # disable stats
>          stats_freq(0);
> };
>
>
>
> destination d_net_auth {
> file("/var/log/corporate/$HOST_FROM/auth.log"); };
> ...
>
> With these settings no DNS resolution is done, so when hosts send
> their logs into this SIEM the directories the logs go into are created
> under their IP addresses.
>
> I would like to replicate this server on a second location without
> using
> brute methods like rsyncing the whole directory structure daily. I have
> configured syslog-ng to keep forwarding the logs to a remote destination
> which works fine however I can't select the messages based on the same
> criteria on the new log server because if I use the same config
> everything will originate from the IP for logserver 1.  I need IP based
> directories on the second loghost as well, everything to be identical.
>
> I'm using syslog-ng 3.12.
>
> Is there a workaround for this?
>
> Thanks
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq


