Jason Long | 26 Nov 12:25 2014

How can I have Persian and Arabic names in Syslog?

Hello Folks.
How are you?
I installed a syslog agent on a Windows server, and some of the directories on the Windows server have Persian names. On my Linux box I installed Logstash, syslog-ng and Kibana, but when my Linux box receives logs from the Windows server the names are shown as "????". How can I solve it?

Cheers.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Lucas, Sascha | 25 Nov 08:34 2014

Re: Remote tags

Hi Nikolay,

> Could anyone here advise me if it is possible to set a tags() on a log
> entry on one machine, send this log message to a remote syslog-ng and
> use this tags() in a filter on the remote machine?

As Fabien pointed out, it is possible. I'm doing something similar using the RFC 5424 protocol:

The first thing I do is rewrite the log to append locally scoped macro data into the SDATA structure (here I'm
using $SOURCEIP, where you want $tags). When I read RFC 5424 I remember that there are custom
data structures where you can store your tags (I decided to abuse .SDATA.origin.ip for my purpose):

rewrite r_sdata {
        set("$SOURCEIP" value(".SDATA.origin.ip"));
};

The second thing is to use the syslog-driver (capable of sending and receiving rfc5424):

destination d_logserver { syslog("X.X.X.X" transport("udp")); };

And finally the log line:

log { source(s_network); source(src); rewrite(r_sdata); destination(d_logserver); };

On the server I have a source capable of rfc5424:

source s_network { syslog( transport("udp") flags(validate-utf8) so-rcvbuf(2097152)); };

The transferred information is directly available on the server in the macro ${.SDATA.origin.ip}. Your
tags may be a bit special, because multiple tags would be transferred as a comma-separated string.
Matching on a single tag would probably mean rewriting the log again, this time with something like
set("${.SDATA.your.structure}. " value("tags"));.

HTH, Sascha.

Chairman of the supervisory board: Herbert Vogel
Managing director: Michael Krüger
Registered office: Halle/Saale
Court of registration: Amtsgericht Stendal | Commercial register no. HRB 208414
VAT ID no. DE 158253683

This e-mail contains confidential and/or legally protected information. If you are not the
intended recipient or have received this e-mail in error, please notify the sender immediately
and destroy this e-mail. Unauthorised copying and unauthorised forwarding of this e-mail or its
contents are not permitted. This communication by e-mail is not protected against access by
third parties. GISA GmbH expressly accepts no liability for the content and completeness of
e-mails or for any damage that may result from them. Should a virus reach your system through
this e-mail despite the virus protection programs in place, GISA GmbH is not liable, to the
extent permitted by law, for the resulting damage.


Gergely Nagy | 24 Nov 07:59 2014

Re: SQL escaping

>>>>> "Nikolay" == Nikolay P <nikolay.p <at> cos.flag.org> writes:

    Nikolay> Is there anything I can do from the syslog-ng side of
    Nikolay> things to close this XSS vulnerability or I have to deal
    Nikolay> with it in my Web application?

You can apply rewrite rules that replace "<" with "&lt;", for example,
but that's more a workaround than a solution. It is the web app that you
will have to teach to sanitize its input, if you want to avoid such
vulnerabilities.

-- 
|8]

Fabien Wernli | 22 Nov 17:01 2014

Re: Remote tags

Hi Nikolay,

On Fri, Nov 21, 2014 at 04:31:58PM -0500, Nikolay P wrote:
> Could anyone here advise me if it is possible to set a tags() on a log entry on one machine, send this log
> message to a remote syslog-ng and use this tags() in a filter on the remote machine?

It is not possible to send the contents of the TAGS macro using standard
(RFC 3164) syslog. However, you could send them over using format-json, or
using the new IETF (RFC 5424) syslog by including them in the structured data
(SDATA).

Here's the quote from the PE doc:

"Note that the tags are not part of the log message and are not
automatically transferred from a client to the server. For example, if a
client uses a pattern database to tag the messages, the tags are not
transferred to the server. A way of transferring the tags is to explicitly
add them to the log messages using a template and the ${TAGS} macro, or to
add them to the structured metadata part of messages when using the
IETF-syslog message format.
When sent as structured metadata, it is possible to reference to the list of
tags on the central server, and for example, to add them to a database
column."

Cheers

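The SDATA transport that Sascha's rewrite/syslog() config and the PE documentation quoted by Fabien describe, as an added example that is not from the thread or from syslog-ng itself: the client packs its comma-separated tags into one RFC 5424 SD-ELEMENT, the server parses STRUCTURED-DATA back into the `.SDATA.<sd-id>.<param>` names syslog-ng exposes as macros, and a filter matches one tag out of the list. The SD-ID `tags@32473`, the message header values and the log lines are constructed assumptions.

```python
import re

# Assumed SD-ID for carrying tags; 32473 is the enterprise number that
# RFC 5612 reserves for documentation, so use your own PEN in production.
SD_ID = "tags@32473"


def sd_escape(value):
    """Escape the three characters RFC 5424 (6.3.3) forbids in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(host, app, msg, tags):
    """Client side: roughly what set("$TAGS" value(".SDATA.tags@32473.list"))
    plus a syslog() destination put on the wire (constructed header fields)."""
    sd = '[%s list="%s"]' % (SD_ID, sd_escape(",".join(tags)))
    return "<13>1 2014-11-25T08:34:00Z %s %s - - %s %s" % (host, app, sd, msg)


_SD_ELEMENT = re.compile(r'\[([^ \]]+)((?: [^= ]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' ([^= ]+)="((?:[^"\\]|\\.)*)"')


def parse_sdata(message):
    """Server side: STRUCTURED-DATA as {".SDATA.<sd-id>.<param>": value},
    the same names syslog-ng makes available as macros."""
    # Skip the six header fields: PRI+VERSION, TIMESTAMP, HOSTNAME,
    # APP-NAME, PROCID, MSGID; what follows is SD-ELEMENTs or NILVALUE "-".
    parts = message.split(" ", 6)
    if len(parts) < 7 or parts[6].startswith("-"):
        return {}
    out = {}
    for sd_id, params in _SD_ELEMENT.findall(parts[6]):
        for name, raw in _SD_PARAM.findall(params):
            # Undo the backslash escaping applied by the sender.
            out[".SDATA.%s.%s" % (sd_id, name)] = re.sub(r"\\(.)", r"\1", raw)
    return out


def has_tag(message, tag):
    """Filter side: match exactly one tag out of the comma-separated list;
    a plain substring match on the macro would confuse "ssh" with "sshd"."""
    value = parse_sdata(message).get(".SDATA.%s.list" % SD_ID, "")
    return tag in value.split(",") if value else False
```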

Czanik, Péter | 19 Nov 15:23 2014

syslog-ng 3.6.1 packages

Hi,
Recently many people asked me in public and private about syslog-ng
3.6.1 packages. To make my life easier, I put together a blog about
the current situation. It's available at
https://czanik.blogs.balabit.com/2014/11/syslog-ng-ose-3-6-1-packages/
Bye,
Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Jason Long | 18 Nov 12:27 2014

How can I add multiple servers to my syslog-ng configuration?

Hello all.
How are you?
I have a Windows server with a syslog agent installed on it, and it forwards all logs to my Linux box. My syslog-ng collects them very well, but I want to forward my access point logs to syslog-ng too. My syslog-ng configuration is:

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_netsyslog {
        udp(ip(0.0.0.0) port(514) flags(no-hostname));
        tcp(ip(0.0.0.0) port(514) flags(no-hostname));
};

destination d_netsyslog { file("/var/log/network.log" owner("root") group("root") perm(0644)); };

log { source(s_netsyslog); destination(d_netsyslog); };


As you see, it collects syslog from any IP address, but why can't my syslog-ng receive the access point logs?

Cheers.


Jason Long | 14 Nov 08:11 2014

What is the main reason for forwarding Windows logs to a Linux box?

Hello Folks.
How are you?
I have a question, and please accept my apology if it is silly. I forward Windows logs via Snare into my Linux box, but can I ask why a network admin does this? Why don't some people use the Windows log program? I receive all Windows logs in Linux with Windows Audit, and I don't know how I can analyse them easily!!!

Cheers.

Czanik, Péter | 7 Nov 15:58 2014

syslog-ng 3.7.0alpha1 is released

Hi,

We are proud to announce that syslog-ng 3.7.0alpha1 is released.

This is the first alpha release of the syslog-ng OSE 3.7
branch.

Changes compared to the latest stable release (3.6.1):

Features

It is possible to create templates without braces.

User defined template-function support added.
User can define template functions in her/his configuration the same
way she/he would define a template.

$(format-cim) template function added into an SCL module.

A new choice for inherit-properties implemented that will merge
all name-value pairs into the new synthetic message, with the most recent
being preferred over older values.

Developer notes

Added implementation for user-defined template functions. A new API
added, user_template_function_register() that allows registering a
LogTemplate instance as a template function, dynamically.

Credits

syslog-ng is developed as a community project, and as such it relies
on volunteers to do the work necessary to produce syslog-ng.

Reporting bugs, testing changes, writing code or simply providing
feedback are all important contributions, so please if you are a user
of syslog-ng, contribute.

We would like to thank the following people for their contribution:

Andras Mitzki, Balazs Scheidler, Fabien Wernli, Gergely Nagy, Laszlo Budai,
Peter Czanik, Viktor Juhasz, Viktor Tusa

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Czanik, Péter | 6 Nov 11:57 2014

insider 2014-11: 3.6.1 released; JSON; SSB 4LTS; TLS mutual auth; PE 5F2;

Dear syslog-ng users,

This is the 38th issue of the syslog-ng Insider, a monthly newsletter
that brings you syslog-ng-related news.

FEATURED NEWS

syslog-ng 3.6.1 released
------------------------

We are proud to announce that culminating almost a year’s worth of
development, syslog-ng 3.6.1 has been released! This is the first
stable release from the 3.6 branch, the successor to 3.5, which was
originally released in November, 2013.

Read more about the highlights of this release at
https://czanik.blogs.balabit.com/2014/10/syslog-ng-3-6-1-is-released/
or all the technical details at
https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.6.1

Sending JSON formatted messages with syslog-ng
----------------------------------------------

The use of name-value pairs greatly enhances the usability of
collected logs. There are many ways in syslog-ng to turn log messages
into name-value pairs: parsers. From this post you can learn how to
parse log messages using syslog-ng and send the resulting name-value
pairs in JSON format to Loggly. Read our guest blog at
https://www.loggly.com/blog/sending-json-format-logs-syslog-ng/

This article focuses on JSON and Loggly, but once your logs are
parsed, name-value pairs can also be sent to Graphite, Riemann, Redis,
AMQP, MongoDB, and so on.

SSB 4LTS is released
--------------------

One of the products building on the foundations of the open source
syslog-ng is SSB (syslog-ng Store Box). It provides a complete log
management solution with a web interface based on syslog-ng. The new
long term support release comes with many new features and performance
improvements.

Read more at https://jluby.blogs.balabit.com/2014/10/30/syslog-ng-store-box-4lts-released/

TLS encryption and mutual authentication
----------------------------------------

Configuring TLS encryption and mutual authentication can be a
challenging job as it needs both strong OpenSSL and syslog-ng skills.
This tutorial provides step by step instructions about the necessary
steps: creating certificates using OpenSSL and configuring syslog-ng
to use them. The tutorial was originally published on linux.com:
http://www.linux.com/community/blogs/129-servers/790912-tls-encryption-and-mutual-authentication-using-syslog-ng-open-source-edition
and now also available on balabit.com at
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.6-guides/en/syslog-ng-tutorial-mutual-auth-tls/html-single/index.html

syslog-ng PE 5F2 released
-------------------------

The second feature release of syslog-ng PE is released. The primary
focus is data privacy: anonymization and pseudonymization of incoming
log messages. Other features include journal support, SMTP
destination. Read more about it at
https://jluby.blogs.balabit.com/2014/10/28/introducing-syslog-ng-premium-edition-5f2/

Your feedback and news tips about the next issue are welcome at
documentation <at> balabit.com. To read this newsletter on-line, visit:
http://insider.blogs.balabit.com/

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Yalin Aksoy | 5 Nov 16:23 2014

Syslog-ng Drops Logs

We have lots of traffic going through syslog-ng in our system (5000 logs
per second), so some logs are dropped because of 'log_fifo_size()'.
I've looked around the web and found the flush-lines and flush-timeout
methods, but they also failed in every configuration.
The related parts of my syslog-ng conf look like this at the moment:
"
log_fifo_size(4096);
flush_lines(100);
flush_timeout(1000);
"
If I increase the fifo size to ~16000, syslog-ng consumes too much memory
for my system to operate.

Is there any other way to stop that leak, and what is the best practice
to use?
Thanks in advance.
-Yalin

C. L. Martinez | 5 Nov 14:47 2014

Launching command with a certain value after extracting it from patterndb

Hi all,

Is it possible to trigger a command after extracting a field using
patterndb? For example, I have the following log:

Nov  4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP
user:mytest IP:1.1.1.1

With patterndb, I can extract the field user with, for example, a value of
$user. Can I trigger a command like "cat $user >> /tmp/users.log"
without calling a script??

Thanks.