From Peter.Czanik at oneidentity.com Thu Dec 5 09:10:59 2024
From: Peter.Czanik at oneidentity.com (Peter Czanik (pczanik))
Date: Thu, 5 Dec 2024 09:10:59 +0000
Subject: [syslog-ng] The syslog-ng Insider 2024-12: FreeBSD audit; 4.8.1; conferences

Dear syslog-ng users,

This is the 126th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.

NEWS

FreeBSD audit source for syslog-ng
----------------------------------

Two weeks ago, I was at EuroBSDcon and received a feature request for syslog-ng. The user wanted to collect FreeBSD audit logs together with other logs using syslog-ng. Writing a native driver in C is time consuming. However, creating an integration based on the program() source of syslog-ng is not that difficult. This blog shows you the current state of the FreeBSD audit source, how it works, and its limitations. It is also a request for feedback.

https://www.syslog-ng.com/community/b/blog/posts/freebsd-audit-source-for-syslog-ng

Version 4.8.1 of syslog-ng is now available
-------------------------------------------

Version 4.8.1 was released recently. As you could guess from the version number change, it is primarily a bug fix release, but some minor features also slipped in. From this blog, you can learn what changed in syslog-ng 4.8.1 and where you can get its latest stable version.

https://www.syslog-ng.com/community/b/blog/posts/version-4-8-1-of-syslog-ng-is-now-available

Where should I present syslog-ng and sudo?
------------------------------------------

Recently I was asked the same question both at my workplace and at EuroBSDcon, the conference where I was presenting: where do you talk next? I had no definite answer. Of course, I am looking forward to the FOSDEM CfP, but I am also looking for new conferences to present syslog-ng and sudo. Do you have any recommendations?

https://www.syslog-ng.com/community/b/blog/posts/where-should-i-present-syslog-ng-and-sudo

WEBINARS

* New webinar: "Performance tuning for syslog-ng deployments". You can register for it at https://www.syslog-ng.com/event/performance-tuning-for-syslog-ng-deployments/

* You can learn about upcoming webinars and browse recordings of past webinars at https://www.syslog-ng.com/events/

Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/

Peter Czanik (CzP)
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik


From shivani.maurya at intel.com Wed Dec 11 12:47:29 2024
From: shivani.maurya at intel.com (Maurya, Shivani)
Date: Wed, 11 Dec 2024 12:47:29 +0000
Subject: [syslog-ng] Syslog server chaining issue

Hi All,

I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.

Device --> Syslog Server 1 --> Syslog Server 2

The configuration of the 1st syslog server -

Options -

    keep-hostname(yes);
    use-dns(yes);
    use-fqdn(yes);

Destination -

    destination d_sec {
        udp("IP_of_second_syslog" port(514)
            template("${ISODATE} ${HOST} ${PRIORITY} ${MSG}\n")
            template-escape(no));
    };

The configuration of the 2nd syslog server -

    destination d_syslogFile {
        file("/var/log/syslog.log"
            template("${R_ISODATE} ${HOST} ${PRIORITY} ${FACILITY} ${PROGRAM} ${MSG}\n")
            template-escape(no));
    };

Problem -

When the syslog message is getting logged at the 2nd syslog server, the ${PRIORITY} of the message is always "notice", and the original severity/priority of the message is getting captured in the ${PROGRAM} macro.

How to capture the priority of the forwarded message on the 2nd syslog server in the ${PRIORITY} macro instead of the ${PROGRAM} macro?

Regards,
Shivani Maurya


From wernli at in2p3.fr Wed Dec 11 14:40:27 2024
From: wernli at in2p3.fr (Fabien Wernli)
Date: Wed, 11 Dec 2024 15:40:27 +0100
Subject: [syslog-ng] Syslog server chaining issue

Hi,

On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> Hi All,
>
> I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.
>
> Device --> Syslog Server 1 --> Syslog Server 2

I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.

https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages
https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/README
https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-drivers/README


From shivani.maurya at intel.com Thu Dec 12 06:35:45 2024
From: shivani.maurya at intel.com (Maurya, Shivani)
Date: Thu, 12 Dec 2024 06:35:45 +0000
Subject: [syslog-ng] Syslog server chaining issue

Thanks for the response.

The format mentioned in the admin guide for the 1st syslog server results in failure of the syslog-ng service, hence I modified it to make sure the syslog-ng service starts. On the 1st syslog server, I added the syslog destination as -

    destination d_ewmm {
        syslog("secondary_IP");
    };

On the 2nd syslog server, the default-network-drivers(); option is not working. Hence, I am trying to capture the syslog messages like -

    source src {
        network(transport(udp) ip(secondary_IP) port(514));
    };

But the issue still persists, no change in the message format.

Regards,
Shivani Maurya

-----Original Message-----
From: syslog-ng On Behalf Of Fabien Wernli
Sent: Wednesday, December 11, 2024 8:10 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog server chaining issue

Hi,

On 2024-12-11 12:47:29, Maurya, Shivani wrote:
> Hi All,
>
> I am using 2 syslog servers on version 3.31. The devices are sending syslog messages to the 1st syslog server. The 1st syslog server is forwarding the same messages to the 2nd syslog server.
>
> Device --> Syslog Server 1 --> Syslog Server 2

I would suggest that you use the syslog-ng() destination so you don't have to worry about your udp template being reinterpreted poorly by the second syslog-ng.

https://syslog-ng.github.io/admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages
https://syslog-ng.github.io/admin-guide/070_Destinations/310_syslog-ng/README
https://syslog-ng.github.io/admin-guide/060_Sources/000_Default-network-drivers/README
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


From bazsi77 at gmail.com Thu Dec 12 08:02:27 2024
From: bazsi77 at gmail.com (Balazs Scheidler)
Date: Thu, 12 Dec 2024 09:02:27 +0100
Subject: [syslog-ng] Syslog server chaining issue

If you supply the template() option on the first server, that changes the format the protocol expects. So you need to use the standard template and then reformat it to your needs on the 2nd, by using template() there.

The reason $program captured the severity value is that you were using $SEVERITY in the position where the normal syslog format expects the program name.

The syslog-ng() driver Fabien mentioned requires you to include scl.conf, which is the syslog-ng configuration library.

On Thu, Dec 12, 2024, 07:43 Maurya, Shivani wrote:
> Thanks for the response.
>
> The format mentioned in the admin guide for the 1st syslog server results
> in failure of the syslog-ng service, hence I modified it to make sure the
> syslog-ng service starts.
> On the 1st syslog server, I added the syslog destination as -
>
> destination d_ewmm {
>     syslog("secondary_IP");
> };
>
> On the 2nd syslog server, the default-network-drivers(); option is not working.
> Hence, I am trying to capture the syslog messages like -
>
> source src {
>     network(transport(udp) ip(secondary_IP) port(514));
> };
>
> But the issue still persists, no change in the message format.
>
> Regards,
> Shivani Maurya
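To make the explanation in Balazs's reply concrete (and the symptom in the original question), here is a small Python model of how a BSD-syslog receiver splits a wire line into the macros a template can use. This is constructed example code, not the thread's configuration and not syslog-ng's own parser: it only mirrors the rules a network()/udp() source applies (optional <PRI> prefix, timestamp, hostname, program name up to ':' or '[pid]', then the message), and assigns user.notice to a line that carries no <PRI>, which is what produces the "notice" the original poster saw. The host fw01, the program ifmon and the message text are invented sample data, and the file template uses ${DATE} in place of ${R_ISODATE} because the model does not normalise timestamps.

```python
"""Model of how a BSD-syslog receiver splits a line into macros.

Constructed example for the chaining thread; not syslog-ng's own parser,
only a simplified model of the rules a network()/udp() source applies.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
DEFAULT_PRI = 13  # user.notice, assumed when the line carries no <PRI> prefix

PRI_RE = re.compile(r"^<(\d{1,3})>")
# ISO 8601 (as ${ISODATE} emits it) or legacy "Dec  5 09:10:59" timestamps
TS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?"
    r"|[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s+")
# the program name ends at whitespace, ':' or '[pid]'
TAG_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s*")


def parse_bsd_syslog(line):
    """Split one wire-format line into the macros a receiver would expose."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) < 192:
        pri, rest = int(m.group(1)), line[m.end():]
    else:
        pri, rest = DEFAULT_PRI, line  # no <PRI>: user.notice is assumed
    fields = {
        "PRI": str(pri),
        "FACILITY": FACILITIES[pri >> 3],
        "PRIORITY": SEVERITIES[pri & 7],
    }
    m = TS_RE.match(rest)
    if not m:
        raise ValueError("line does not start with a recognisable timestamp")
    fields["DATE"] = m.group("ts")  # kept as received, not normalised
    rest = rest[m.end():]
    host, _, rest = rest.partition(" ")
    fields["HOST"] = host
    m = TAG_RE.match(rest)
    if m:
        fields["PROGRAM"] = m.group("program")
        fields["PID"] = m.group("pid") or ""
        fields["MSG"] = rest[m.end():]
    else:
        fields["PROGRAM"], fields["PID"], fields["MSG"] = "", "", rest
    return fields


def render(template, fields):
    """Expand ${MACRO} references the way a syslog-ng template() does (simplified)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: fields.get(m.group(1), ""), template)


# Constructed samples (host, program and message are invented): the same event
# as the first server would forward it with the thread's custom udp() template,
# and as it would forward it in the standard BSD-syslog format.
CUSTOM_LINE = "2024-12-11T12:47:29+00:00 fw01 err Link down on eth0"
STANDARD_LINE = "<27>2024-12-11T12:47:29+00:00 fw01 ifmon[482]: Link down on eth0"
# the second server's file template, applied only after parsing
FILE_TEMPLATE = "${DATE} ${HOST} ${PRIORITY} ${FACILITY} ${PROGRAM} ${MSG}"


if __name__ == "__main__":
    for name, line in (("custom", CUSTOM_LINE), ("standard", STANDARD_LINE)):
        f = parse_bsd_syslog(line)
        print(f"{name:8s} PRIORITY={f['PRIORITY']} PROGRAM={f['PROGRAM']!r}")
        print("         file line:", render(FILE_TEMPLATE, f))
```

Running it shows the custom line coming out as PRIORITY=notice with PROGRAM='err', exactly the symptom reported, while the standard line yields PRIORITY=err, FACILITY=daemon and PROGRAM='ifmon'. The fix follows from the thread: leave the udp() destination on the first server without a template() (or use the syslog-ng() destination with scl.conf included) so the wire format stays standard, and keep the custom template only on the second server's file() destination, where it is applied after parsing.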