[syslog-ng] syslog-ng Digest, Vol 173, Issue 18

Németh Balázs jobbara.artalmatlan at gmail.com
Tue Sep 17 11:25:50 UTC 2019


Hi Laci,

Elasticsearch is not limited by any means regarding indexable traffic.
Should you need any real life example then have a look at my blog:
https://balagetech.com/tag/elasticsearch/
This page will show you the feature differences between different licenses:
https://www.elastic.co/subscriptions
Note that the free version does not have AD integration. (Maybe you could
put a WAF before Kibana, or handle the AD integration with Apache + LDAP.)

ps: I am not paid by anyone to suggest Elasticsearch. It is simply a tool I
use.

Regards,

<syslog-ng-request at lists.balabit.hu> wrote (on Tue, 17 Sep 2019, 12:57):

> Send syslog-ng mailing list submissions to
>         syslog-ng at lists.balabit.hu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.balabit.hu/mailman/listinfo/syslog-ng
> or, via email, send a message with subject or body 'help' to
>         syslog-ng-request at lists.balabit.hu
>
> You can reach the person managing the list at
>         syslog-ng-owner at lists.balabit.hu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of syslog-ng digest..."
> Today's Topics:
>
>    1. Re:  a bit [offtopic] but may not. syslog search solution for
>       free (Pal, Laszlo)
>    2. Re:  a bit [offtopic] but may not. syslog search solution for
>       free (Fabien Wernli)
>    3. Re:  Enable SNI (Server Name Identification) in   TLS
>       connection (Attila Szakacs (aszakacs))
>
>
>
> ---------- Forwarded message ----------
> From: "Pal, Laszlo" <vlad at vlad.hu>
> To: "Syslog-ng users' and developers' mailing list" <
> syslog-ng at lists.balabit.hu>
> Cc:
> Bcc:
> Date: Tue, 17 Sep 2019 10:55:04 +0200
> Subject: Re: [syslog-ng] a bit [offtopic] but may not. syslog search
> solution for free
> Hi,
>
> Thanks for the answers. So, I definitely need an onprem solution and yes,
> Elastic is a good idea, however based on my previous research even the OS
> version is restricted to some amount of daily log. Maybe I'm wrong and in
> this case I may give it a try again. At this point I don't know how many logs
> I will ingest daily, but because it is more than 30K devices including core
> routers, firewalls and all sorts of servers, I don't think any traffic
> limited solution will be sufficient.
>
> Graylog is a very good solution which I already tested, but the "free"
> version is limited to something like 50 Mbyte per day.
>
> I'll check this onion thingy, thank you Peter for the heads up
>
> Vlad
>
> On Tue, Sep 17, 2019 at 10:01 AM Peter Czanik (pczanik) <
> Peter.Czanik at oneidentity.com> wrote:
>
>> Hi,
>>
>> These are not my personal experiences, but talking to thousands of
>> syslog-ng users at different events:
>>
>>
>>    - Many are happy with grep and hate anything with a GUI. It works
>>    relatively well, if you have many small log files (separated by date, host,
>>    application, etc.), but if you have lots of logs, you can't avoid message
>>    parsing and indexing for efficient search.
>>    - Splunk is one of the most popular destinations with syslog-ng. OSE
>>    users tend to use the free version, which can index up to 500MB of logs a
>>    day.
>>    - Elasticsearch is the other most popular destination. With the
>>    latest version most of the security features are included in the open
>>    source version for free, so it does not need 3rd party extensions or a
>>    commercial license any more.
>>    - Graylog is also getting popular among syslog-ng users. We can feed
>>    it with structured log messages in multiple ways: either GELF or JSON.
>>    Free, open source, but commercial extensions and support are available.
>>    - I did not test recently, but Security Onion is a nice security
>>    analytic platform which also includes log management with analysis,
>>    dashboards, etc. It's free, open source, but commercial support is
>>    available.
>>    - Logzilla is focused on Cisco network devices and automation but
>>    also works for generic log management. It is commercial software, but a
>>    free version is also available.
>>
>> Of course any time indexing and GUI are involved you need some extra
>> hardware compared to syslog-ng, so it is definitely more expensive even if you go
>> with the free versions.
>>
>> Bye,
>>
>> Peter Czanik (CzP) <peter.czanik at oneidentity.com>
>> Balabit (a OneIdentity company) / syslog-ng upstream
>> https://syslog-ng.com/community/
>> https://twitter.com/PCzanik
>>
>> ------------------------------
>> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal,
>> Laszlo <vlad at vlad.hu>
>> *Sent:* Tuesday, September 17, 2019 9:16 AM
>> *To:* Syslog-ng users' and developers' mailing list <
>> syslog-ng at lists.balabit.hu>
>> *Subject:* [syslog-ng] a bit [offtopic] but may not. syslog search
>> solution for free
>>
>> Hi,
>>
>> Our new central syslog collect&store system is almost complete and
>> finally it is based on Syslog-ng OSE. The only issue I want to solve is
>> how to present those logs to the users. Originally I thought it would be
>> enough if they get the directories as NFS exports and can use
>> their favourite grep to search the files, but I thought maybe I could implement
>> some more user friendly solution.
>>
>> In the planning phase of the project, I've tested various solutions
>> including Graylog, ELK and of course I'm aware of the beauty of SSB :) ,
>> but all of these solutions are too expensive for this project.
>>
>> Then I thought maybe if I forward the logs to some database (SQL or
>> noSQL) I can try to find some very simple frontend for that DB that provides a
>> simple search interface for those logs. Nothing fancy is required, but AD
>> auth should be an option.
>>
>> I'm sure I'm not the only one facing this issue, so I hope someone in the
>> community can share some previous experience on this
>>
>> Thanks
>> Vlad
>>
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
>
> ---------- Forwarded message ----------
> From: Fabien Wernli <wernli at in2p3.fr>
> To: "Syslog-ng users' and developers' mailing list" <
> syslog-ng at lists.balabit.hu>
> Cc:
> Bcc:
> Date: Tue, 17 Sep 2019 11:05:18 +0200
> Subject: Re: [syslog-ng] a bit [offtopic] but may not. syslog search
> solution for free
> On Tue, Sep 17, 2019 at 10:55:04AM +0200, Pal, Laszlo wrote:
> > Thanks for the answers. So, I definitely need an onprem solution and yes,
> > Elastic is a good idea, however based on my previous research even the OS
> > version is restricted to some amount of daily log. Maybe I'm wrong and in
>
> It's not. By all means grab the -oss packages, they don't contain any
> non-free code.
>
>
>
>
>
> ---------- Forwarded message ----------
> From: "Attila Szakacs (aszakacs)" <Attila.Szakacs at oneidentity.com>
> To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
> Cc:
> Bcc:
> Date: Tue, 17 Sep 2019 10:57:14 +0000
> Subject: Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
> Hi Raghu,
>
> Currently we are not sending SNI extension in the Client Hello message.
> However, I made a PR to implement this:
> https://github.com/balabit/syslog-ng/pull/2930
>
> Can you build syslog-ng from source? It would be great, if you tested the
> PR.
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Tuesday, September 17, 2019 9:05 AM
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> Hi,
>
> I am using TLS over TCP connection to forward my syslog events to a remote
> server.
> My remote server uses SNI (Server Name Identification) to route
> connections/events to one of the available backend servers.
>
> I observe that syslog-ng doesn't send SNI during TLS handshake.
>
> How can I enable it?
>
> My configuration is as follows:
>
> ===================================
> source s_net { syslog(transport(udp) port(1514)); };
> destination d_tcp {
>         tcp(
>                 "XX.example.net"
>                 port(96)
>                 tls(
>                         peer-verify(required-untrusted)
>                         ca_dir("/etc/syslog-ng/ssl")
>                         key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
>                         cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
>                 )
>         );
> };
> log {
>         source(s_net);
>         destination(d_tcp);
> };
> ===================================
>
> I want syslog-ng to send XX.example.net as SNI to my remote server.
>
> Please advise
>
> Thanks
> Raghu
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>
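Raghu's question above hinges on whether the syslog-ng client actually puts an SNI extension into its TLS ClientHello, which is the only thing an SNI-routing front end looks at before it picks a backend. The following is an added example, not code from the syslog-ng project or from anyone in this thread: it builds a minimal, constructed TLS 1.2 ClientHello record (with or without the server_name extension) and parses the extension block the way a routing proxy or a packet capture tool would, so you can verify from a captured record whether a given client (a syslog-ng build with or without PR 2930, or any other TLS client) sends SNI at all. The host names and the extension mix in the sample are constructed for the demonstration.

```python
import struct

# TLS constants used below (from RFC 5246 / RFC 6066)
HANDSHAKE_RECORD = 0x16       # ContentType handshake
CLIENT_HELLO = 0x01           # HandshakeType client_hello
EXT_SERVER_NAME = 0x0000      # server_name extension
EXT_SUPPORTED_GROUPS = 0x000a # supported_groups, here only to show unrelated extensions are skipped
NAME_TYPE_HOST_NAME = 0x00    # NameType host_name


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).

    server_name=None models a client that does not send SNI, which is the
    syslog-ng behaviour described in the thread before PR 2930.
    """
    client_random = b"\x11" * 32        # fixed bytes: this is a sample, not a real handshake
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30" # TLS_ECDHE_RSA_WITH_AES_{128,256}_GCM_SHA{256,384}
    compression = b"\x00"               # null compression only

    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = bytes([NAME_TYPE_HOST_NAME]) + _u16(len(host)) + host
        name_list = _u16(len(name_entry)) + name_entry
        extensions += _u16(EXT_SERVER_NAME) + _u16(len(name_list)) + name_list
    groups = _u16(4) + b"\x00\x1d\x00\x17"  # x25519, secp256r1
    extensions += _u16(EXT_SUPPORTED_GROUPS) + _u16(len(groups)) + groups

    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + _u16(len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + _u16(len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is 0x0301 in most real ClientHellos regardless of the offered version.
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + _u16(len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello record, or None.

    Walks the fixed-layout fields, then the extension list, skipping extensions
    it does not care about. Raises ValueError if the bytes are not a ClientHello.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                    # client_version + random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return None                                 # legacy client: no extension block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2

    while pos + 4 <= ext_end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("XX.example.net", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

To check a real client rather than the constructed sample, feed `extract_sni()` the first record of a captured connection (the bytes of the first TLS packet from the client, exported from tcpdump or Wireshark); a `None` result on a client that is supposed to reach an SNI-routed front end means the front end will fall back to its default backend or reject the connection, which is exactly the symptom in the thread.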