[syslog-ng] filter not working
Lin, Victor
victor.lin at rbc.com
Mon Sep 30 01:19:35 UTC 2019
Dear all,
I don't want to forward the syslog messages which contain the following to my local syslog, so I set up the filter as below:
ISDN-6-CONNECT
ISDN-6-DISCONNECT
changed by user
However, the messages that contain the above still show up in my local syslog file ForMe.log.
Below is from my syslog-ng.conf:
source s_network {
    network(
        transport("udp")
        port(514)
        flags(syslog_protocol)
        keep_hostname(yes)
        keep_timestamp(yes)
        use_dns(yes)
        use_fqdn(yes)
    );
};
destination d_ForMe_logs {
    file("/app/syslog-ng/custom/output/ForMe.log");
};
filter f_DoNotSendtoMe {
    not match("ISDN-6-CONNECT" value("MESSAGE"));
    or
    not match("ISDN-6-DISCONNECT" value("MESSAGE"));
    or
    not match("changed by user" value("MESSAGE"));
};
log {
    source(s_network);
    filter(f_DoNotSendtoMe);
    destination(d_ForMe_logs);
};
Am I missing any config?
Thank you so much for your expertise!
VL
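
A filter built as "not A or not B or not C" is, by De Morgan's law, the same as "not (A and B and C)": it rejects only a message that contains all three strings at once, so every ordinary message passes. The fragment below is an added example, not part of the original post; it reuses the s_network, d_ForMe_logs and f_DoNotSendtoMe names from the posted config and shows a filter that drops a message when any one of the strings matches. The sample messages in the comment table are constructed.

```conf
# Shape of the posted filter:   not A  or  not B  or  not C
# Equivalent to:                not (A and B and C)
#
# message text (constructed)           posted form   corrected form
# "ISDN-6-CONNECT line up"             passes        dropped
# "ISDN-6-DISCONNECT line down"        passes        dropped
# "password changed by user admin"     passes        dropped
# "link state up"                      passes        passes

# Corrected: negate the whole OR group, so a single hit is enough to
# keep the message out of ForMe.log.
filter f_DoNotSendtoMe {
    not (
        match("ISDN-6-CONNECT" value("MESSAGE")) or
        match("ISDN-6-DISCONNECT" value("MESSAGE")) or
        match("changed by user" value("MESSAGE"))
    );
};

# Equivalent spelling: every negated test must hold at the same time.
# filter f_DoNotSendtoMe {
#     not match("ISDN-6-CONNECT" value("MESSAGE")) and
#     not match("ISDN-6-DISCONNECT" value("MESSAGE")) and
#     not match("changed by user" value("MESSAGE"));
# };

# The log path is unchanged from the post; source and destination
# definitions stay as they are in the posted syslog-ng.conf.
log {
    source(s_network);
    filter(f_DoNotSendtoMe);
    destination(d_ForMe_logs);
};
```

Running `syslog-ng --syntax-only` against the edited file checks that it parses before the daemon is reloaded.
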
-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: 2019, September, 27 12:52 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 173, Issue 33
Today's Topics:
1. Re: Enable SNI (Server Name Identification) in TLS
connection (Raghunath Adhyapak)
----------------------------------------------------------------------
Message: 1
Date: Fri, 27 Sep 2019 22:22:14 +0530
From: Raghunath Adhyapak <funduraghu at gmail.com>
To: "Syslog-ng users' and developers' mailing list"
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Enable SNI (Server Name Identification) in
TLS connection
Message-ID:
<CAEiok=Qrmw-s5r-ttRrQyQ+8CSq0BzdXgfzw+L0GhvR0_w-gUg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
I built from source and tested, and it worked fine. I need a Deb package to ease install on my machines. I can wait for some more time.
Raghu
On Fri, Sep 27, 2019, 12:35 Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
wrote:
> If you would like to test before the upcoming release, you can create
> a deb package with our docker based package scripts:
> https://github.com/syslog-ng/syslog-ng/tree/master/dbld
>
> depending on your platform, it would be "dbld/rules deb" or
> "dbld/rules deb-ubuntu-xenial"
>
>
> Regards,
> Gabor
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Thursday, September 26, 2019 15:30
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in
> TLS connection
>
> CAUTION: This email originated from outside of the organization. Do
> not follow guidance, click links, or open attachments unless you
> recognize the sender and know the content is safe.
>
> Thanks. Now waiting for Debian package
>
> Raghu
>
> On Thu, Sep 26, 2019, 18:26 Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> Hi Raghu,
>
> It got merged to master! 🙂
> https://github.com/syslog-ng/syslog-ng/pull/2930
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Wednesday, September 18, 2019 5:35 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in
> TLS connection
>
> That's awesome.
>
> Thanks
> Raghu
>
> On Wed, Sep 18, 2019, 17:05 Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> To the other question: It will be merged on the master branch probably
> in a week.
>
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com>
> *Sent:* Wednesday, September 18, 2019 1:28 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in
> TLS connection
>
> Hi Raghu,
>
> You are welcome! Thanks for the good idea.
> If everything goes well, this feature will be released in version 3.24,
> in 3-4 weeks.
> The packaging happens at the same time, you will find the 3.24 installer at
> https://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Wednesday, September 18, 2019 12:50 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in
> TLS connection
>
> Hi Attila,
>
> I updated the code, compiled it and tested the changes.
> The changes work as expected.
> Thanks for addressing the issue in such a short time.
>
> Follow-up question:
> When will this change get merged into the master branch?
> Also, when will this get packaged in Debian package?
>
> Thanks
> Raghu
>
> On Tue, Sep 17, 2019 at 4:27 PM Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> Hi Raghu,
>
> Currently we are not sending SNI extension in the Client Hello message.
> However, I made a PR to implement this:
> https://github.com/balabit/syslog-ng/pull/2930
>
> Can you build syslog-ng from source? It would be great, if you tested
> the PR.
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Tuesday, September 17, 2019 9:05 AM
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> Hi,
>
> I am using TLS over TCP connection to forward my syslog events to a
> remote server.
> My remote server uses SNI (Server Name Identification) to route
> connections/events to one of the available backend servers.
>
> I observe that syslog-ng doesn't send SNI during TLS handshake.
>
> How can I enable it?
>
> My configuration is as follows:
>
> ===================================
> source s_net { syslog(transport(udp) port(1514)); };
> destination d_tcp {
>     tcp(
>         "XX.example.net"
>         port(96)
>         tls(
>             peer-verify(required-untrusted)
>             ca_dir("/etc/syslog-ng/ssl")
>             key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
>             cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
>         )
>     );
> };
> log {
>     source(s_net);
>     destination(d_tcp);
> };
> ===================================
>
> I want syslog-ng to send XX.example.net as SNI to my remote server
>
> Please advise
>
> Thanks
> Raghu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq