[syslog-ng] Filter matching not working

Saqib M saqib.m at cummins.com
Thu Dec 3 15:26:41 UTC 2020


Thank you for getting back on this. I am using the following command but I don't see the parsing logs.

/opt/syslog-ng/sbin/syslog-ng -e -F -d -v -t

This is what I saw.

[2020-12-03T15:03:06+0000] Incoming log entry; source='s_net#0', line='default send string'
[2020-12-03T15:03:06+0000] Filter rule evaluation begins; filter_rule='f_discreg'
[2020-12-03T15:03:06+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-03T15:03:06+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_discreg'
[2020-12-03T15:03:06+0000] Filter rule evaluation begins; filter_rule='f_dlptracker'
[2020-12-03T15:03:06+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-03T15:03:06+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_dlptracker'
[2020-12-03T15:03:06+0000] Outgoing message; destination='d_fallback#0', message='2020-12-03T15:03:06+00:00 172.17.236.3 default send string\x0a'

Also, the f_discreg is in a log path.
log { source(s_net); filter(f_discreg); destination(d_discard); flags(final); };

Could there be other ways to look into it a bit further to see what's going wrong?

Thank you

Regards,

Saqib M
Cybersecurity Co-op
Global Cybersecurity Technologies
Email: saqib.m at cummins.com
Cummins Inc.

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Gabor Nagy (gnagy)
Sent: Thursday, December 3, 2020 3:17 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Filter matching not working

Hello!

I just took a quick look at the config and at the internal logs. Could it be that "f_discreg" is not included in a log path?

Another thing that could be going on is parsing: your "s_net" source will try to parse incoming messages as either BSD or Syslog format.
If you've just tested the filter by sending in the message "default send string", then syslog-ng will parse it, which results in the MSG macro not containing "default send string".
With trace level logging you can debug how the message is being parsed (-t command line option), and to disable parsing on the source side use the flags("no-parse") option.

See an example:
[2020-12-03T09:14:51.016256] Incoming log entry; line='default send string'
[2020-12-03T09:14:51.016290] Initial message parsing follows;
[2020-12-03T09:14:51.016322] Setting value; name='PROGRAM', value='default', msg='0x7f24a8005f30'
[2020-12-03T09:14:51.016334] Setting value; name='LEGACY_MSGHDR', value='default ', msg='0x7f24a8005f30'
[2020-12-03T09:14:51.016341] Setting value; name='MESSAGE', value='send string', msg='0x7f24a8005f30'


Regards,
Gabor
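Both of the fixes Gabor points at, written out as an added configuration example (mine, not from this thread or the syslog-ng project). It assumes the s_net source below replaces the one in the original post, and that d_discard, d_dlptracker and f_dlptracker are defined elsewhere in the poster's config.

```conf
# Option A: stop header parsing on this source, so the raw line lands in
# ${MESSAGE} unchanged and message("default send string") can match.
# Caveat: no-parse also disables HOST/PROGRAM/PID extraction and the
# timestamp becomes the arrival time, so use it only for sources that do
# not send a syslog header (or for a dedicated test source).
source s_net {
    udp(port(514) flags(no-parse));
    network(transport("tcp") max-connections(20000)
            log-iw-size(100000000) flags(no-parse));
};

filter f_discreg { message("default send string"); };

# Option B: keep parsing and match what the parser actually produced
# (PROGRAM='default', MESSAGE='send string' in Gabor's trace above).
# program() and message() are PCRE matches, hence the anchors.
filter f_discreg_parsed { program("^default$") and message("^send string$"); };

# Log paths are evaluated in order and flags(final) stops later paths for
# a matched message, so the discard path must come before d_dlptracker.
log { source(s_net); filter(f_discreg); destination(d_discard); flags(final); };
log { source(s_net); filter(f_dlptracker); destination(d_dlptracker); flags(final); };
```

Restart with the same trace options (-d -v -t) after the change; the "Setting value; name='MESSAGE'" line in the trace should then show the whole string for Option A, and f_discreg should report filter_result='match'.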
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Saqib M <saqib.m at cummins.com>
Sent: Thursday, December 3, 2020 1:48
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Filter matching not working

Greetings -

I have been trying to create a very basic filter that looks up a string in the incoming log. However, it would not match any filter and would go to the default filter. I have tried both match() and message(), neither worked for me. Please let me know if you think I am missing something.

Following are the chunks from the syslog-ng.conf

source s_net {
# All syslog traffic on port 514 - this is direct from network devices.
        udp(port (514));
        network(transport("tcp") max-connections(20000) log_iw_size(100000000) ); # tags("fortigate", "cisco", "default") );
};

filter f_discreg { message("default send string")  };

log { source(s_net); filter(f_dlptracker); destination(d_dlptracker); flags(final); };

Here is the log from the test I ran.

[2020-12-02T22:00:36+0000] Incoming log entry; source='s_net#0', line='default send string'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match', filter_type='OR'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_tanium'
[2020-12-02T22:00:46+0000] Filter rule evaluation begins; filter_rule='f_palo_alto'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match', filter_type='OR'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match', filter_type='OR'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_palo_alto'
[2020-12-02T22:00:46+0000] Filter rule evaluation begins; filter_rule='f_dlptracker'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_dlptracker'
[2020-12-02T22:00:46+0000] Outgoing message; destination='d_fallback#0', message='2020-12-02T22:00:46+00:00 172.17.236.3 default send string\x0a'

Regards,

Saqib M
Cybersecurity Co-op
Global Cybersecurity Technologies
Email: saqib.m at cummins.com
Cummins Inc.
