mona | 24 Jul 01:01 2015

csv-parser deactivate default_flags strip_whitespaces

Dear all,

How do I deactivate, in the csv-parser, the default flag setting that includes stripping whitespace (line 37)?
https://github.com/balabit/syslog-ng/blob/syslog-ng-3.7.0beta2/modules/csvparser/csvparser.h

Kind regards,
Mona
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Clayton Dukes | 23 Jul 17:33 2015

Syslog-ng v3.5.3 - Core dump from a certain incoming message?

Has anyone seen this or know what may be causing it? When I run a stack trace, I can see that this host causes syslog-ng to crash every time it sends a message.

I've run a couple of tcpdumps and it *seems* to be caused by an ARP request from a Cyclades box. This seems very odd to me of course.

10 130.085308 Cyclades_01:be:4b SuperMic_9a:58:be ARP 60 Who has x.x.188.52?  Tell x.x.188.11

The *only* other packets from that host are repeated so they don't seem to be the cause:

4 1.000259 x.x.188.11 x.x.188.52 Syslog 257 LOCAL0.NOTICE: Jul 23 11:04:05 src_dev_log@ACS-01 Buffering: S12.Server-Farm-6509-01 [Jul 23 11:04:03.267 EDT: %MCAST-SP-3-QUERY_INT_MISMATCH: Snooping Querier received a non-matching query interval (125000 msec),]\n

[pid 28379] recvfrom(9, "<133>Jul 23 10:19:58 src_dev_log"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(3284), sin_addr=inet_addr("x.x.188.11")}, [16]) = 181
[pid 28379] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
[pid 28379] mprotect(0x7f956c346000, 12288, PROT_READ|PROT_WRITE) = 0
[pid 28379] write(2, "**\nERROR:../../lib/logmsg.c:535:"..., 114) = 114
[pid 28379] rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
[pid 28379] tgkill(28374, 28379, SIGABRT) = 0
[pid 28379] --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=28374, si_uid=0} ---
[pid 28379] +++ killed by SIGABRT (core dumped) +++
[pid 28434] +++ killed by SIGABRT (core dumped) +++
[pid 28428] +++ killed by SIGABRT (core dumped) +++
+++ killed by SIGABRT (core dumped) +++


______________________________________________________________

Clayton Dukes
______________________________________________________________

Budai, László | 20 Jul 13:02 2015

syslog-ng GSoC IRC event

 Hi,

after midterm, we will have an IRC meeting.

Participants: mainly students and mentors, and of course anyone else who is interested :-)

Topics:
* Where are we now? Status updates on projects.
* Talking about how to share your results with the community.
(online demos, blogs, whatever...)

DATE:
Tue 7/21/15 4:00 PM – 5:00 PM
Time zone: Budapest

regards,
Laszlo Budai


ZeroUno | 17 Jul 12:30 2015

Behaviour with unavailable TCP destination

Hello,
I was wondering what happens when you define a tcp() destination in 
syslog-ng.conf and then the destination is temporarily not available.
I was not able to find the answer in the docs.

Are any messages lost?
Or are they kept somewhere and sent again when the destination becomes 
available again?

Thank you.

-- 
01


Saurabh Shukla | 16 Jul 22:43 2015

Using FIPS compliant OpenSSL with syslog-ng OSE

Hi,

I see that syslog-ng OSE uses OpenSSL libraries for TLS support.

If my system has FIPS compliant OpenSSL installed, will syslog-ng OSE use those FIPS compliant libraries for TLS support? Do I need any change in the syslog-ng OSE configuration for this?

Thanks,
-- Saurabh Shukla

Peter Flood | 13 Jul 08:44 2015

Host/port from environment variables

Hi

I'm trying to configure syslog-ng, and I'd like to be able to use environment 
variables for host & port. I've tried the ones that work in the template 
formatter but it's not working (not surprisingly). Is there another way?

destination d_my_dest {
     tcp("$(env MY_HOST)" port($(env MY_PORT))  # this doesn't work as you can't get env vars unless in a template
     tls(peer-verify(required-untrusted) ca_dir("/etc/syslog-ng/cert.d"))
     template(myTemplate));
};

Thanks

Russell Fulton | 6 Jul 06:12 2015

Trying to get json out of 3.7beta2

Hi

Thanks to various folks I managed to build 3.7b2 with json.

I am now trying to convert my ELSA config to produce a parsed output in JSON that I can feed into Elasticsearch.

Having failed to make my full config work (I had to try ;), I tried a basic one based on 
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/json-parser.html

[ Aside: minor syntax error on this page — inside log {} you can not name parser elements ]

here is my conf:

@version: 3.7

source s_json { network(port(1514) flags(no-parse)); };

destination d_json {
    file("/data/russell/test.json" template("$(format-json --scope dot-nv-pairs)\n"));
};

log {
    source(s_json);
    parser { json-parser(prefix(".json.")); };
    destination(d_json);
};

I get no output and ‘stats’ shows:

[rful011@secmgrprd01 ~]$ sudo /usr/local/syslog-ng/sbin/syslog-ng-ctl stats
SourceName;SourceId;SourceInstance;State;Type;Number
src.none;;;a;processed;0
src.none;;;a;stamp;0
source;s_json;;a;processed;19375
global;payload_reallocs;;a;processed;25710
global;msg_clones;;a;processed;0
destination;d_json;;a;processed;0
center;;queued;a;processed;0
global;sdata_updates;;a;processed;0
center;;received;a;processed;19375
global;internal_queue_length;;a;processed;19378

Which is the same as I get with my full config with lots of patterns.

As usual I am missing something basic!


Russell Fulton | 5 Jul 08:47 2015

configure for beta 2 not finding jsonc on RHEL 6

Hi

I have installed the libjson-devel package via yum but ./configure says:

checking for JSON: no

the library is in /lib64 and headers in /usr/include/json-c/

I can’t figure out what configure options I need to get this to work.

Thanks, Russell


Arsenault, Adam | 2 Jul 15:43 2015

Problems trying to compile syslog-ng 3.6.4 on Solaris 11.2 (SPARC)

With this patch, syslog-ng 3.6.4 compiles on Solaris 11.2 (X86-64). It will work on SPARC as well.

https://github.com/balabit/syslog-ng/pull/543

-Adam Arsenault

Czanik, Péter | 26 Jun 18:37 2015

3.7beta2 packages for openSUSE / SLES

Hi,

My unofficial syslog-ng 3.7 beta2 packages for openSUSE / SLES are now available, at this time completely untested (I'm sitting at a conference right now... :-) ). They are available at the usual location:

https://build.opensuse.org/package/show/home:czanik:syslog-ng37/syslog-ng

Python support failed to build on SLES11 (most likely missing pkg-config information for python) and java failed in post build checks...

Have a nice weekend!

Bye,

Peter Czanik (CzP) <peter.czanik@balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Budai, László | 26 Jun 15:28 2015

syslog-ng 3.7.0beta2

3.7.0beta2

This is the second beta release of the upcoming syslog-ng OSE 3.7
branch.

Changes compared to the previous alpha release:

Features

  • Added a geoip parser.

  • ssl_options inside tls() extended with the following set:
    no-sslv2, no-sslv3, no-tlsv1, no-tlsv11, no-tlsv12

  • minimal libriemann-client version bumped from 1.0.0 to 1.6.0

  • TLS support added to Riemann destination

  • timeout() option added to Riemann destination

Fixes

  • SyslogNg.jar removed from the release tarball.

  • When the configured host was not available during the initialization of
    the afsocket destination, syslog-ng just didn't start. From now on, syslog-ng
    starts in that case and will retry connecting to the host periodically.

  • When a non-writable file becomes writable later, syslog-ng recognizes it
    (with the help of reopen-timer) and delivers messages to the file without
    dropping those which were received while the file was not available.

  • Fixed a configure error around libsystemd-journal.

  • --disable-python option and other Python related fixes added to 
    configure

  • Retries fixed in SQL destination. In some circumstances when
    retry_sql_inserts was set to 1, after an insertion failure all incoming
    messages were dropped.

  • Added DOS/Windows line ending support in config.

  • Parallel build is supported for Python and Java destination drivers.

  • Fixed compilation failure on OpenBSD

  • Memory leak around reload and internal queueing mechanism has been fixed.

  • AMQP connection process fixed.

  • Fixed a potential abort when the localhost name cannot be detected.

  • Security issue fixed around $HOST.
    Tech details:
    When the name of the host is too long, the buffer we use to format the
    chained hostname is truncated. However snprintf() returns the length the
    result would be if no truncation happened, thus we will read uninitialized
    bytes off the stack when we use that pointer to set $HOST
    with log_msg_set_value().

    There can be some security implications, like reading values from the stack
    that can help to craft further exploits, especially in the presence of
    address space randomization. It can also cause a DoS if the hostname length
    is so large that we would read over the top-of-the-stack, which is probably
    not mmapped, causing a SIGSEGV.

  • Journal entries containing name-value pairs without '=' caused syslog-ng
    to crash. Instead of crashing, syslog-ng now just drops these nv pairs.

Credits

syslog-ng is developed as a community project, and as such it relies
on volunteers to do the work necessary to produce syslog-ng.

Reporting bugs, testing changes, writing code or simply providing
feedback are all important contributions, so please if you are a user
of syslog-ng, contribute.

We would like to thank the following people for their contribution:

Alex Badics, Andras Mitzki, Balazs Scheidler, Bence Tamas Gedai,
Fabien Wernli, Gergely Nagy, Gergo Nagy, Gyorgy Pasztor, Istvan Adam Mozes,
Laszlo Budai, Peter Czanik, Robert Fekete, Tibor Benke, Viktor Juhasz,
Zoltan Pallagi.



