Fabien Wernli | 22 Nov 17:01 2014

Re: Remote tags

Hi Nikolay,

On Fri, Nov 21, 2014 at 04:31:58PM -0500, Nikolay P wrote:
> Could anyone here advise me whether it is possible to set tags() on a log entry on one machine, send this log
> message to a remote syslog-ng and use these tags() in a filter on the remote machine?

It is not possible to send the contents of the TAGS macro using standard
(rfc3164) syslog. However you could send them over using format-json, or
using the new ietf (rfc5424) syslog by including it into structured data
(SDATA).

Here's the quote from the PE doc:

"Note that the tags are not part of the log message and are not
automatically transferred from a client to the server. For example, if a
client uses a pattern database to tag the messages, the tags are not
transferred to the server. A way of transferring the tags is to explicitly
add them to the log messages using a template and the ${TAGS} macro, or to
add them to the structured metadata part of messages when using the
IETF-syslog message format.
When sent as structured metadata, it is possible to reference the list of
tags on the central server, and for example, to add them to a database
column."

Cheers

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
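A client/collector configuration pair that carries the client-side tags across the wire in structured data, as an added example that is not from this thread and not from the syslog-ng documentation. The host names, file paths, the tag name "app", the private SD-ID tags@32473 (32473 is the enterprise number reserved for documentation) and the parameter name "list" are all assumptions; the client gets its tags from the tags() option of a source driver here instead of from a pattern database, but the transport step is the same.

```conf
# ---- client: assign tags locally, then export ${TAGS} as an SD-ELEMENT ----
# (assumed paths, host names and tag names throughout)
source s_local {
    system();
    # tags() on a source driver attaches the tag to every message it reads;
    # a db-parser() rule with a <tags> block would do the same job
    file("/var/log/app.log" follow-freq(1) tags("app"));
};

# ${TAGS} is a comma-separated list that exists only on this host. Copying it
# into a name-value pair under the .SDATA. prefix makes the syslog() driver
# emit it in STRUCTURED-DATA as [tags@32473 list="app"].
rewrite r_export_tags {
    set("${TAGS}" value(".SDATA.tags@32473.list"));
};

destination d_collector {
    syslog("collector.example.com" transport("tcp") port(601));
};

log { source(s_local); rewrite(r_export_tags); destination(d_collector); };

# ---- collector: the list arrives as message data, so a tags() filter on this
# side does not see it; filter on the SDATA field instead ----
source s_clients {
    syslog(ip(0.0.0.0) port(601) transport("tcp"));
};

# anchor the pattern on the list separators: "app" must not match inside
# "app-backup" or "webapp"
filter f_tagged_app {
    match("(^|,)app(,|$)" value(".SDATA.tags@32473.list") type("pcre"));
};

destination d_app   { file("/var/log/remote/app.log"); };
destination d_other { file("/var/log/remote/${HOST}.log"); };

log { source(s_clients); filter(f_tagged_app); destination(d_app); flags(final); };
log { source(s_clients); destination(d_other); };
```

On the collector the tag list is just another field supplied by the sender, so any host that can reach port 601 can claim any tag. If routing or alerting depends on it, combine the filter with something that identifies the client (a netmask() filter, or TLS with peer-verify(required-trusted)) rather than trusting the list alone.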

Czanik, Péter | 19 Nov 15:23 2014

syslog-ng 3.6.1 packages

Hi,
Recently many people asked me in public and private about syslog-ng
3.6.1 packages. To make my life easier, I put together a blog about
the current situation. It's available at
https://czanik.blogs.balabit.com/2014/11/syslog-ng-ose-3-6-1-packages/
Bye,
Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Jason Long | 18 Nov 12:27 2014

How can I add multi server in my Syslog-ng Configuration?

Hello all.
How are you?
I have a Windows server with a syslog agent installed on it, and it forwards all logs to my Linux box. My syslog-ng collects them very well, but I want to forward my access point logs to syslog-ng too. My syslog-ng configuration is:

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_netsyslog {
        udp(ip(0.0.0.0) port(514) flags(no-hostname));
        tcp(ip(0.0.0.0) port(514) flags(no-hostname));
};

destination d_netsyslog { file("/var/log/network.log" owner("root") group("root") perm(0644)); };

log { source(s_netsyslog); destination(d_netsyslog); };


As you see, it collects syslog from any IP address, but why can't my syslog-ng receive the access point logs?

Cheers.

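The posted configuration already accepts messages from any sender, so the collector is not what keeps the access point out. The configuration below, an added example that is not from this thread, separates the two known devices by sender address and writes anything else to a per-source fallback file, so the question "does the access point reach this box at all?" can be answered from the files: if the access point's address never shows up under /var/log/remote/unknown/ and syslog-ng's own log shows no bind or parse errors, nothing is arriving on the wire (wrong destination or port on the access point, or a firewall in between), which a packet capture on port 514 of the collector will confirm. The device addresses and paths are assumptions.

```conf
options {
    use-dns(no);
    keep-hostname(yes);
    create-dirs(yes);       # needed for the per-source fallback directory
};

# one network source for everything that arrives on 514/udp and 514/tcp;
# keep no-hostname if your senders omit the HOSTNAME field, as the posted
# configuration assumes
source s_net {
    udp(ip(0.0.0.0) port(514) flags(no-hostname));
    tcp(ip(0.0.0.0) port(514) flags(no-hostname));
};

# syslog-ng's own diagnostics: bind failures, dropped connections, parse warnings
source s_internal { internal(); };

# sender addresses are assumptions; netmask() matches on the source address,
# not on whatever hostname the device writes into the message
filter f_windows { netmask("192.0.2.20/32"); };
filter f_ap      { netmask("192.0.2.30/32"); };

# remote logs are rarely something every local user should read: 0640, not 0644
destination d_windows  { file("/var/log/remote/windows.log" owner("root") group("adm") perm(0640)); };
destination d_ap       { file("/var/log/remote/ap.log"      owner("root") group("adm") perm(0640)); };
destination d_unknown  { file("/var/log/remote/unknown/${SOURCEIP}.log" owner("root") group("adm") perm(0640)); };
destination d_internal { file("/var/log/syslog-ng.log" owner("root") group("adm") perm(0640)); };

# final stops a matched message from also landing in the fallback file
log { source(s_net); filter(f_windows); destination(d_windows); flags(final); };
log { source(s_net); filter(f_ap);      destination(d_ap);      flags(final); };
log { source(s_net);                    destination(d_unknown); };
log { source(s_internal); destination(d_internal); };
```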

Jason Long | 14 Nov 08:11 2014

What is the main reason for forward Windows Logs to Linux Box?

Hello Folks.
How are you?
I have a question, and please accept my apology if it is silly. I forward Windows logs via Snare to my Linux box, but can I ask why a network admin would do this? Why don't some people use the Windows log program? I receive all Windows logs in Linux with Windows auditing, and I don't know how I can analyse them easily!

Cheers.

Czanik, Péter | 7 Nov 15:58 2014

syslog-ng 3.7.0alpha1 is released

Hi,

We are proud to announce that syslog-ng 3.7.0alpha1 is released.

This is the first alpha release of the syslog-ng OSE 3.7
branch.

Changes compared to the latest stable release (3.6.1):

Features

It is possible to create templates without braces.

User defined template-function support added.
User can define template functions in her/his configuration the same
way she/he would define a template.

$(format-cim) template function added into an SCL module.

A new choice for inherit-properties implemented that will merge
all name-value pairs into the new synthetic message, with the most recent
being preferred over older values.

Developer notes

Added implementation for user-defined template functions. A new API
added, user_template_function_register() that allows registering a
LogTemplate instance as a template function, dynamically.

Credits

syslog-ng is developed as a community project, and as such it relies
on volunteers to do the work necessary to produce syslog-ng.

Reporting bugs, testing changes, writing code or simply providing
feedback are all important contributions, so please if you are a user
of syslog-ng, contribute.

We would like to thank the following people for their contribution:

Andras Mitzki, Balazs Scheidler, Fabien Wernli, Gergely Nagy, Laszlo Budai,
Peter Czanik, Viktor Juhasz, Viktor Tusa

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Czanik, Péter | 6 Nov 11:57 2014

insider 2014-11: 3.6.1 released; JSON; SSB 4LTS; TLS mutual auth; PE 5F2;

Dear syslog-ng users,

This is the 38th issue of the syslog-ng Insider, a monthly newsletter
that brings you syslog-ng-related news.

FEATURED NEWS

syslog-ng 3.6.1 released

------------------------

We are proud to announce that culminating almost a year’s worth of
development, syslog-ng 3.6.1 has been released! This is the first
stable release from the 3.6 branch, the successor to 3.5, which was
originally released in November, 2013.

Read more about the highlights of this release at
https://czanik.blogs.balabit.com/2014/10/syslog-ng-3-6-1-is-released/
or all the technical details at
https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.6.1

Sending JSON formatted messages with syslog-ng

----------------------------------------------

The use of name-value pairs greatly enhances the usability of
collected logs. There are many ways in syslog-ng to turn log messages
into name-value pairs: parsers. From this post you can learn how to
parse log messages using syslog-ng and send the resulting name-value
pairs in JSON format to Loggly. Read our guest blog at
https://www.loggly.com/blog/sending-json-format-logs-syslog-ng/

This article focuses on JSON and Loggly, but once your logs are
parsed, name-value pairs can also be sent to Graphite, Riemann, Redis,
AMQP, MongoDB, and so on.

SSB 4LTS is released

--------------------

One of the products building on the foundations of the open source
syslog-ng is SSB (syslog-ng Store Box). It provides a complete log
management solution with a web interface based on syslog-ng. The new
long term support release comes with many new features and performance
improvements.

Read more at https://jluby.blogs.balabit.com/2014/10/30/syslog-ng-store-box-4lts-released/

TLS encryption and mutual authentication

----------------------------------------

Configuring TLS encryption and mutual authentication can be a
challenging job as it needs both strong OpenSSL and syslog-ng skills.
This tutorial provides step by step instructions about the necessary
steps: creating certificates using OpenSSL and configuring syslog-ng
to use them. The tutorial was originally published on linux.com:
http://www.linux.com/community/blogs/129-servers/790912-tls-encryption-and-mutual-authentication-using-syslog-ng-open-source-edition
and now also available on balabit.com at
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.6-guides/en/syslog-ng-tutorial-mutual-auth-tls/html-single/index.html

syslog-ng PE 5F2 released

-------------------------

The second feature release of syslog-ng PE is released. The primary
focus is data privacy: anonymization and pseudonymization of incoming
log messages. Other features include journal support, SMTP
destination. Read more about it at
https://jluby.blogs.balabit.com/2014/10/28/introducing-syslog-ng-premium-edition-5f2/

Your feedback and news tips about the next issue are welcome at
documentation <at> balabit.com. To read this newsletter on-line, visit:
http://insider.blogs.balabit.com/

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Yalin Aksoy | 5 Nov 16:23 2014

Syslog-ng Drops Logs

We have lots of traffic going through syslog-ng in our system (5000 logs 
per second), so some logs are dropped because of 'log_fifo_size()'.
I've looked around the web and found the flush-lines and flush-timeout 
methods, but they also failed in every configuration.
The related parts of my syslog-ng conf look like this at the moment.
"
log_fifo_size(4096);
flush_lines(100);
flush_timeout(1000);
"
If I increase the fifo size to ~16000, syslog-ng consumes too much memory 
for my system to operate.

Is there any other way to stop that leak and what is the best practice 
to use?
Thanks in advance.
-Yalin
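flush-lines() and flush-timeout() only change how often the destination writes; they do not stop the queue in front of it from overflowing. What stops drops for stream sources is flow control, which makes a full destination queue pause the readers instead of discarding. The configuration below is an added example, not from this thread; the port, paths, connection count and buffer sizes are assumptions to be tuned against the real traffic. The sizing rule it applies is the one documented for 3.x-era releases: with flow-control, each tcp connection gets its own log-iw-size() window, so the destination's log-fifo-size() must be at least max-connections() times log-iw-size().

```conf
options {
    use-dns(no);        # a slow resolver stalls every reader; never look up names inline
    stats-freq(60);     # write counters into internal() every minute, including "dropped"
};

source s_internal { internal(); };

# stream sources can be throttled: one window per connection, so 50 connections
# of 1000 messages each need a destination queue of at least 50000 entries
source s_tcp {
    tcp(ip(0.0.0.0) port(514)
        max-connections(50)
        log-iw-size(1000));
};

# datagram sources cannot be throttled: when syslog-ng falls behind, the kernel
# drops silently once the socket buffer is full. The only lever here is a larger
# buffer (capped by the net.core.rmem_max sysctl), and a queue that is rarely full.
source s_udp {
    udp(ip(0.0.0.0) port(514)
        so-rcvbuf(33554432));
};

destination d_remote {
    file("/var/log/remote/${HOST}.log"
        flush-lines(100)        # one write() per 100 messages ...
        flush-timeout(1000)     # ... or once a second, whichever comes first
        log-fifo-size(60000));  # >= max-connections * log-iw-size, plus slack for udp
};

destination d_stats { file("/var/log/syslog-ng-stats.log"); };

# flow-control turns a full queue into back-pressure on the tcp readers instead
# of drops; udp messages share the same queue and are still lost when it is full
log { source(s_tcp); source(s_udp); destination(d_remote); flags(flow-control); };
log { source(s_internal); destination(d_stats); };
```

Whether the numbers are right shows up in the stats: the dropped counter for d_remote in the stats file (or in the output of syslog-ng-ctl stats) must stay at zero under peak load. If memory is the constraint, lower log-iw-size() and max-connections() together rather than the queue alone; the queue only needs to cover the sum of the windows, and a bigger one past that point buys nothing.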

C. L. Martinez | 5 Nov 14:47 2014

Launching command with a certain value after extracting it from patterndb

Hi all,

 Is it possible to trigger a command after extracting a field using
patterndb? For example I have the following log:

Nov  4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP
user:mytest IP:1.1.1.1

 With patterndb, I can extract the field user with, for example, a value of
$user. Can I trigger a command like "cat $user >> /tmp/users.log"
without calling a script?

Thanks.
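Two ways to get the extracted value out of syslog-ng, as an added example that is not from this thread (no reply is on this page). The pattern database file, its rule and the program path are assumptions; the rule is assumed to store the username in ${user}. For the literal request, appending $user to a file, no script is needed at all: a file() destination with a template() writes exactly that. The program() form is for when the value must reach an external process: syslog-ng starts the program once and writes one templated line per message to its stdin, so the value travels as data and is never interpolated into a command line. That distinction is the security point here. A username pulled out of a log line is attacker-controlled input (the user: field of an FTP login is whatever the remote side typed), and building a shell command string from it would turn the log pipeline into a command-injection sink.

```conf
source s_local { system(); };

# assumed pattern database; its rule for the "Rule Allow" line is expected to
# set ${user}, for example with a pattern such as
#   Rule Allow <ALLOW>: - MAP user:@ESTRING:user: @IP:@ANYSTRING:ip@
parser p_ftps { db-parser(file("/etc/syslog-ng/patterndb.d/ftps.xml")); };

# only messages where the rule actually produced a value
filter f_has_user { match("^.+$" value("user") type("pcre")); };

# 1) the literal request: one username per line, no script involved.
#    Not in /tmp: a fixed file name in a world-writable directory is a
#    symlink target for anyone local.
destination d_users_file {
    file("/var/log/ftps-users.log" template("${user}\n")
         owner("root") group("adm") perm(0640));
};

# 2) an external program fed on stdin: the value is data, not part of a command.
#    syslog-ng keeps the process running and restarts it if it exits.
destination d_users_prog {
    program("/usr/local/bin/record-user" template("${user}\n"));
};

log {
    source(s_local);
    parser(p_ftps);
    filter(f_has_user);
    destination(d_users_file);
    destination(d_users_prog);
};
```

The program behind record-user should treat each stdin line as an opaque string (read a line, store it), and never hand it to a shell or to anything that interprets it.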

Gergely Nagy | 5 Nov 08:03 2014

Upcoming changes in unofficial packaging

Hi!

I started packaging syslog-ng 3.6.1 for Debian and Ubuntu, to provide
binaries at the usual[0] location. In the process, I intend to simplify
and clean up the packaging considerably. This also means dropping
support for a few older platforms.

 [0]: http://asylum.madhouse-project.org/projects/debian/

So beginning with 3.6.1, powerpc is going to be dropped, along with
Debian Squeeze, and anything prior to Ubuntu Trusty (14.04) (mind you, I
may need to add back Precise (12.04), for Travis CI). Furthermore, for
Debian Wheezy, one will likely need to use the Debian backports
repository[1] along with mine.

 [1]: http://backports.debian.org/Instructions/

I expect packages to be ready in a few days.

-- 
|8]

bluebenben | 29 Oct 02:16 2014

How can I disable SSLv3 in the syslog-ng 3.3.2 client config to solve CVE-2014-3566 (SSLv3 Fallback Vulnerability)?

Hi guys

In my project I am using syslog-ng as a syslog client and sending logs via TLS.
We all know that recently there has been a new security flaw, Poodle (CVE-2014-3566 - SSLv3 Fallback Vulnerability).
This requires disabling SSLv3.
I have checked the admin guide of syslog-ng 3.3.2 but I am not able to find the option.
Could you please let me know the way?

Alternatively, I think I may achieve the objective by disabling the SSLv3 ciphers used by the syslog-ng client.
The original cipher string used by us is
ALL:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH
I may change it to
ALL:!SSLv3:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH
But this will make syslog-ng only support TLS 1.2 and cause a negative impact on interoperability.

Thanks

Jason


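A TLS configuration for both ends, as an added example that is not from this thread and not the tutorial the newsletter above links to; it covers the mutual authentication setup that tutorial describes and the POODLE question in this message. Paths, host name and port are assumptions. Two points the configuration makes explicit. First, the cipher-string route in the question works the way the poster suspects: in OpenSSL's cipher-string grammar, SSLv3 names the cipher suites first defined for SSLv3, which TLS 1.0 and 1.1 reuse unchanged, so !SSLv3 strips every suite those versions can negotiate and leaves only the TLS 1.2-only suites; it selects suites, not protocol versions. Second, the protocol version is selected with ssl-options(), which exists in releases newer than 3.3.2 (treat the exact first version as an assumption and check your admin guide); on a release without it, the remaining options are upgrading or a cipher string that happens to exclude everything pre-1.2.

```conf
# ---- client: forward over TLS and present a client certificate ----
destination d_tls {
    syslog("collector.example.com" transport("tls") port(6514)
        tls(
            # directory of CA certificates named by subject hash (c_rehash / openssl x509 -hash)
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/key.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            # verify the server's certificate against ca-dir and require one
            peer-verify(required-trusted)
            # protocol floor: refuse SSLv2 and SSLv3 (POODLE), keep TLS 1.0+
            # for older peers; ssl-options() is not available in 3.3.2
            ssl-options(no-sslv2, no-sslv3)
            # suite selection is independent of the version floor above
            cipher-suite("HIGH:!aNULL:!eNULL:!MD5:!RC4:!PSK:!ADH:@STRENGTH")
        ));
};

log { source(s_local); destination(d_tls); };

# ---- collector: accept only clients whose certificate chains to our CA ----
source s_tls {
    syslog(ip(0.0.0.0) port(6514) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/key.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            # required-trusted on the server side is what makes this mutual:
            # a client without a valid certificate is disconnected
            peer-verify(required-trusted)
            ssl-options(no-sslv2, no-sslv3)
            cipher-suite("HIGH:!aNULL:!eNULL:!MD5:!RC4:!PSK:!ADH:@STRENGTH")
        ));
};

log { source(s_tls); destination(d_remote); };
```

s_local and d_remote stand for whatever local source and file destination the rest of the configuration defines. To confirm the floor took effect, connect with openssl s_client -connect collector.example.com:6514 -ssl3 from a host with a client certificate: the handshake must fail, while the same command with -tls1 must succeed.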

Davide Alberani | 27 Oct 17:39 2014

improving SQLite writing performances (WAS: Re: inserts into a sqlite3 database are not delayed)

On Wed, Oct 15, 2014 at 10:56 AM, Balazs Scheidler <bazsi77 <at> gmail.com> wrote:
>
> It immediately runs the query, flush_lines() controls the transaction size,
> which can be enabled using
> flags(explicit-commits).

Ok, I see and I can confirm noticeable improvements on a system
under heavy I/O and CPU load using explicit-commits (or better: I see
it gets a lot worse disabling it, since I already had it on ;))

Plus, I'm seeing minor improvements with session_statements set
to "PRAGMA synchronous=OFF; PRAGMA count_changes=OFF;"

Besides this, has anyone found other ways to improve write performance
using syslog-ng with SQLite?

On (physical) systems with high load, I've noticed that the system is much more
responsive if the elevator is set to noop or deadline instead of cfq.
But I guess this is highly dependent on the specific circumstances of
the system.

Thanks!

-- 
Davide Alberani <davide.alberani <at> gmail.com>  [PGP KeyID: 0x465BFD47]
http://www.mimante.net/
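The sql() destination with the settings discussed in this thread spelled out, as an added example that is not from the thread; the database path, table layout and batch sizes are assumptions. explicit-commits plus flush-lines() is what turns one transaction per insert into one transaction per batch, which is where the improvement Davide describes comes from. The PRAGMA is the caveat: synchronous=OFF tells SQLite not to wait for the data to reach disk, so an OS crash or power loss can lose the most recent batches and can leave the file corrupt. That is acceptable for a searchable copy that can be rebuilt from the flat files, not for a store that has to be the record of what happened.

```conf
destination d_sqlite {
    sql(type(sqlite3)
        database("/var/lib/syslog-ng/logs.db")          # assumed; the file path for sqlite3
        table("messages_${YEAR}${MONTH}")               # one table per month, created on demand
        columns("datetime", "host", "program", "pid", "message")
        values("${ISODATE}", "${HOST}", "${PROGRAM}", "${PID}", "${MSGONLY}")
        indexes("datetime", "host")
        # group inserts: one COMMIT per flush-lines() messages ...
        flags(explicit-commits)
        flush-lines(100)
        # ... or after this many milliseconds, so a quiet period still gets written
        flush-timeout(1000)
        # queue in front of the writer; sized for bursts while a transaction is open
        log-fifo-size(20000)
        # run once per database connection: no fsync per commit (durability trade-off
        # described above); the count_changes PRAGMA from the thread can go here too
        session-statements("PRAGMA synchronous=OFF;")
    );
};

log { source(s_local); destination(d_sqlite); };
```

s_local stands for whatever source the rest of the configuration defines. A larger flush-lines() means fewer, larger transactions and proportionally more data at risk between commits; the stats output (dropped counters for d_sqlite, and queued messages under load) shows whether the writer keeps up at the chosen batch size.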

