[syslog-ng] Structure data set to "-"

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Fri Nov 29 16:27:16 UTC 2019


Thanks for the information.

There is no configuration option to disable automatic sequenceID generation into SDATA or to disable using SDATA when syslog() destination or the "syslog-protocol" flag is used.
In the case of local sources, like file(), unix-dgram() or the system() source (except where systemd is used), the sequenceID is automatically added, as stated before.

I've checked for workarounds, but haven't found a good one:

  *   unset() rewrite rule won't work, as in this case the sequenceID is generated on destination side,
  *   using a custom RFC5424-like template(), where the SDATA is replaced with a literal "-", won't work either, as in the case of syslog() or network(... flags(syslog-protocol)) the "frame" of RFC5424 is automatically added to the outgoing message.

The only way this can be done is if a simple TCP destination is used, with the above-mentioned custom RFC5424-like template, but the source on the server side has to be changed to a simple TCP source as well.


I've found some discussion about the future of SEQNUM, which is slightly connected to this:
https://github.com/syslog-ng/syslog-ng/issues/2152
> 3. drop SEQNUM support, as no one cares. Be able to extract it from log messages, but leave it in a name-value pair (e.g. .cisco.seq_num), and nothing else. Never generate it on output.

Just out of interest, can you explain to me what kind of problem is caused by sequenceId on server side?
Maybe we can filter, or opt out the sequenceId on the server side (as syslog() source on the server side will parse it, there it can be removed with a rewrite rule).

Regards,
Gabor
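As an added worked example (not from the original mail and not the syslog-ng project's own configuration), the two approaches above written out as syslog-ng 3.24 configuration: the sender side with a hand-written RFC 5424-style template and a plain network() TCP destination, the receiver side with a plain TCP source, and the rewrite-based alternative for a receiver that keeps the syslog() source. The object names, the address 192.0.2.10 and the ports are assumed.

```conf
@version: 3.24

#
# Sender side (the OpenWrt box). Assumed names: t_rfc5424_nosd, s_local,
# d_remote_plain; 192.0.2.10 is a placeholder (documentation) address.
#

# RFC 5424 layout with the STRUCTURED-DATA field written as a literal "-".
# Non-transparent framing: each message is terminated by a newline.
template t_rfc5424_nosd {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} - ${MSG}\n");
};

source s_local {
    system();
    internal();
};

# network() without flags(syslog-protocol): the template output is sent
# verbatim, so syslog-ng does not wrap it in its own RFC 5424 frame and
# does not emit [meta sequenceId="..."].
destination d_remote_plain {
    network("192.0.2.10" port(514) transport("tcp") template(t_rfc5424_nosd));
};

log { source(s_local); destination(d_remote_plain); };

#
# Receiver side (separate syslog-ng.conf on the server). Assumed names:
# s_plain_tcp, d_archive, s_rfc5424, r_drop_seqnum.
#

# Plain TCP source matching the plain TCP destination above: no
# flags(syslog-protocol), so no RFC 5424 framing is expected.
source s_plain_tcp {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

destination d_archive {
    file("/var/log/remote.log");
};

log { source(s_plain_tcp); destination(d_archive); };

# Alternative when both sides keep the syslog() driver: the syslog()
# source parses the SD-ELEMENT [meta sequenceId="21"] into the name-value
# pair ${.SDATA.meta.sequenceId}, which a rewrite rule can drop before
# the message is stored or forwarded again.
source s_rfc5424 {
    syslog(ip("0.0.0.0") port(6514) transport("tcp"));
};

rewrite r_drop_seqnum {
    unset(value(".SDATA.meta.sequenceId"));
};

log { source(s_rfc5424); rewrite(r_drop_seqnum); destination(d_archive); };
```

One caveat with the hand-written template: syslog-ng's own RFC 5424 output substitutes the NILVALUE "-" for header fields it has no value for, but a custom template() does not, so a message with an empty ${PID} or ${MSGID} is emitted with an empty field and a strict receiver will reject the header. Guard those fields (for example with the $(if ...) template function) or make sure the sources in use always populate them.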

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Debjyoti Mukherjee <debmukhra at gmail.com>
Sent: Friday, November 29, 2019 11:30
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Structure data set to "-"


The configuration is simple, the default config only; I have added a destination syslog() to send to a UDP remote host listening on port 514.

On Wed, Nov 27, 2019 at 7:11 PM Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com> wrote:
Hello,

Syslog-ng does not always put the sequenceId into SDATA; for example, logs from a local file will have a seqnum, and when forwarded they will have this SDATA field.
More info about this can be found under SEQNUM macro in our admin guide:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/63#TOPIC-1298112


Well, I don't know a quick solution (e.g. a config option to disable this), but I'll try to help you.

Can you share your configuration, please?

Regards,
Gabor
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Debjyoti Mukherjee <debmukhra at gmail.com>
Sent: Tuesday, November 26, 2019 16:17
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Structure data set to "-"


Hello

Trying to send logs to a remote syslog server in RFC 5424 format. The STRUCTURED-DATA should be set to "-".

What is the way to set this value to "-"?

Currently it is coming as [meta sequenceId="21"]. I am using OpenWrt and the syslog version is 3.24.

Thank you
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
