Czanik, Péter | 16 Sep 13:49 2014

3.6 beta2 rpm packages, FreeBSD ports

Hi,

A bit later than usual (I was on sick leave), but my 3.6 beta2
packages are ready for openSUSE/SLES and Fedora/EPEL7. They are
available at the usual locations:

openSUSE/SLES: https://build.opensuse.org/project/show/home:czanik:syslog-ng36
Fedora/EPEL7: http://copr.fedoraproject.org/coprs/czanik/syslog-ng36/

Thanks to Cy, the sysutils/syslog-ng-devel port in FreeBSD was also
updated to the latest beta, while I was unavailable. And this version
also works on earlier releases, including FreeBSD 8.4.

As usual, these packages are not yet recommended for production use,
but any testing and feedback are very welcome!

Bye,

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Simon OBOUNOU | 15 Sep 16:13 2014

Help settings regarding Syslog NG

Hi

I need help regarding the settings between a syslog-ng server and security
solutions like Checkpoint firewall, Stormshield IDS and so on.

-- 
Kind regards,
HIFA, Chairman

32 rue de la République 92190 MEUDON - FRANCE
Phone: +33 1 46 31 44 25
Mobile: +33 6 11 30 36 57
email: simon.obounou <at> hifa.biz

Michael Yacc | 6 Sep 23:05 2014

Syslog proxy/relay encapsulates

Dear all,
I'm trying to configure syslog-ng as a relay/proxy server. It seems simple, but the syslog server receives the original syslog messages encapsulated within outgoing "syslog-relay" messages.
Is there any way to configure syslog-ng (relay) to just forward the original messages to the syslog server?

Syslog-ng version used: 3.3.9

syslog-client$ logger "hello from syslog client"

on syslog-relay I added the following configuration:
######## sources ###############
source s_relay_port {
        udp(ip(0.0.0.0) port(514));
};

######## destinations ###############
destination d_syslog_server {
        syslog("syslog-server" transport("udp") port(514));
};

######## logging ###############
log {
        source(s_relay_port);
        destination(d_syslog_server);
};

syslog-server$ tail -F /var/log/syslog 
Sep  6 23:53:28 syslog-relay-ip 1 2014-09-06T23:53:28+03:00 syslog-client-ip 1 - - - 2014-09-06T23:53:28+03:00 syslog-client-hostname root - - [meta sequenceId="38"] hello from syslog client

With best regards,
Michael Yacc
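One way to stop the relay from wrapping the client's message a second time, added here as an illustration and not taken from the thread. It assumes what the nested header in the tail output suggests: the client already sends RFC 5424 formatted messages, while the relay's plain udp() source parses only the legacy BSD (RFC 3164) layout, so the whole RFC 5424 line lands in $MESSAGE and the syslog() destination builds a fresh header around it. The host names are the ones from the post.

```syslog-ng
@version: 3.3

options {
    # Keep the HOST the client wrote into its own header instead of
    # replacing it with the relay's view of the sender address, so the
    # server attributes each event to the machine that produced it.
    keep_hostname(yes);
    chain_hostnames(no);
};

# The syslog-protocol flag makes the udp() source parse RFC 5424 on this
# port, so HOST, PROGRAM and the structured data are extracted instead of
# being treated as message text.  The dedicated driver
#   source s_relay_port { syslog(ip(0.0.0.0) port(514) transport("udp")); };
# is equivalent.  Clients that still send legacy BSD lines belong on a
# separate port/source rather than on a mixed one.
source s_relay_port {
    udp(ip(0.0.0.0) port(514) flags(syslog-protocol));
};

# If the server's receiving port understands RFC 5424, keep the syslog()
# destination: the parsed message is re-emitted once, with the client's
# HOST and PROGRAM rather than a second nested header.
destination d_syslog_server {
    syslog("syslog-server" transport("udp") port(514));
};

# If the server only parses the legacy format (the outer header in the
# tail output suggests its port is configured that way), emit legacy
# framing instead, otherwise the server stores the RFC 5424 header as text:
# destination d_syslog_server {
#     udp("syslog-server" port(514));
# };

log {
    source(s_relay_port);
    destination(d_syslog_server);
};
```

The two sides have to agree on the framing: what the relay's source parses and what the server's source parses each need to match the format arriving on that port, which is what the nesting in the tail output failed to do at both hops.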

wiskbroom | 5 Sep 23:42 2014

Individual Logs Files to each Forward to Different server/port?

Greetings!

Is it possible to configure a syslog-ng client to forward logs to a syslog-ng server based on file?

I am thinking of the following as an example:

destination named-LOGS {
udp(ip(192.168.1.100) port(555));
};
source named {
file("/var/log/named/bind.log" log_prefix("BIND-LOGS"));
};
log {
source(named);
destination(named-LOGS);
};


destination dhcpd-LOGS {
udp(ip(192.168.1.100) port(556));
};
source dhcpd {
file("/var/log/dhcpd/dhcp.log" log_prefix("DHCPD-LOGS"));
};
log {
source(dhcpd);
destination(dhcpd-LOGS);
};


In this example, I am sending each to the same destination IP address, although that is configurable, but each log file to a different port, and with a different log_prefix as well.


Is this OK, or is there a simpler way?


Many thanks,


.vp

  Vadim Anatoly Pushkin
-- The Ukrainian Stallion --

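A simpler layout, added as an example and not part of the post: override PROGRAM per file source, send everything through one TCP destination, and split on the receiving side. log_prefix() is the deprecated spelling of program_override(), which sets the PROGRAM field the receiver can route on. The server address, file paths and prefixes are taken from the post; the TCP port, the buffer size and the server-side paths are assumptions.

```syslog-ng
@version: 3.5

# --- client side ------------------------------------------------------------
# Each file source sets PROGRAM (program_override() is the current spelling
# of log_prefix()) and a tag, so the receiver can tell the streams apart
# without needing one port per file.
source s_named {
    file("/var/log/named/bind.log" program_override("BIND-LOGS") tags("named"));
};
source s_dhcpd {
    file("/var/log/dhcpd/dhcp.log" program_override("DHCPD-LOGS") tags("dhcpd"));
};

# One destination for everything.  TCP gives delivery feedback and the
# in-memory queue (log_fifo_size, example value) holds messages while the
# server is briefly unreachable; UDP drops them silently, which matters for
# audit trails.  The port is an example value.
destination d_central {
    syslog("192.168.1.100" transport("tcp") port(514) log_fifo_size(10000));
};

log {
    source(s_named);
    source(s_dhcpd);
    destination(d_central);
};

# --- server side ------------------------------------------------------------
source s_remote {
    syslog(ip(0.0.0.0) port(514) transport("tcp"));
};

# Route on the PROGRAM the client set; create_dirs(yes) lets the template
# create one directory per sending host.  The path is an example.
destination d_split {
    file("/var/log/remote/${HOST}/${PROGRAM}.log" create_dirs(yes));
};

log {
    source(s_remote);
    destination(d_split);
};
```

The per-port scheme in the post also works, but every additional port is one more listener to firewall and one more source block to maintain on the server; carrying the distinction inside the message (PROGRAM and tags) keeps both ends to a single rule.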

devel | 5 Sep 10:30 2014

syslog-ng 3.6.0beta1 has been released

------------------------------------------------------------------------------
PACKAGE             : syslog-ng
VERSION             : 3.6.0beta1
SUMMARY             : new beta release
DATE                : Sep 5, 2014
------------------------------------------------------------------------------

DESCRIPTION:

  A new stable version of syslog-ng Open Source Edition (3.6.0beta1) has been
  released. Being the first beta release, we would be very grateful for any
  feedback, to stabilize the release further.

CHANGES:

3.6.0beta1
	Wed,  3 Sep 2014 14:40:14 +0200

This is the first beta release of the upcoming syslog-ng OSE 3.6
branch. Compared to the alphas, this release contains a moderate
amount of new functionality and bugfixes. Further releases will focus
on stability and bugfixes.

Features
--------
* One can now use multiple elements in the `key()` and `exclude()`
  options of any value-pairs declaration.

* A new source driver was added to syslog-ng: `systemd-journal()`,
  which reads from the Journal directly, not via the syslog forwarding
  socket. The `system()` source defaults to using this source when
  systemd is detected.

Bugfixes
--------

* All the various crypto-related template functions now check that the
  desired length of the digest is not larger than the digest itself.
  If a larger value is requested, they will truncate it to the digest
  length.

* The `$(geoip)` template function now works with `threaded(yes)` too.

* The unix domain socket credentials code was changed to only build on
  Linux and FreeBSD. With this change, syslog-ng should compile again
  on platforms where the OS does not support this, with the feature
  disabled.

Credits
-------

syslog-ng is developed as a community project, and as such it relies
on volunteers to do the work necessary to produce syslog-ng.

Reporting bugs, testing changes, writing code or simply providing
feedback are all important contributions, so please if you are a user
of syslog-ng, contribute.

We would like to thank the following people for their contribution:

Andras Mitzki, Fabien Wernli, Gergely Nagy, Laszlo Budai, Michael
Hocke, Tibor Benke, Viktor Juhasz, Viktor Tusa.

DOWNLOAD:

  You can download the source or binary packages from:

    http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.6.0beta1/

  The documentation of the syslog-ng Open Source Edition is available in
  The syslog-ng Open Source Edition Administrator's Guide at

    http://www.balabit.com/support/documentation/


Czanik, Péter | 4 Sep 17:48 2014

3.6beta1 packages for openSUSE

Hi,
My initial 3.6beta1 packages for openSUSE and SLES 11 are ready. There
was a change in systemd packaging in Factory, that I still need to
figure out.
I tested the new package on openSUSE 13.1 and even tested it by
disabling syslog compatibility in /etc/systemd/journald.conf, and the
brand new journal source seems to work fine.
If you run (open)SUSE, please give these packages a try, and let us
know, if you run into any trouble!
Bye,

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Czanik, Péter | 4 Sep 17:06 2014

3.6beta1 packages for Fedora/EPEL

Hi,

http://copr.fedoraproject.org/coprs/czanik/syslog-ng36/

I prepared packages from 3.6beta1 for all recent Fedora releases and
for EPEL7. I only tested on rawhide, as there syslog compatibility is
disabled in journal by default and beta1 already has a journal source.
I did some basic tests, and it worked fine.

Bye,

Peter Czanik (CzP) <peter.czanik <at> balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik

Frank Wilkinson | 26 Aug 19:48 2014

really need help...not writing files

Please forgive me if this has already been addressed. If so will you point me to it?

Syslog-ng will, all of a sudden, stop writing files.

 

I'm running syslog-ng 3.5.3:

Installer-Version: 3.5.3
Revision: ssh+git://algernon <at> git.balabit/var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.5#master#ccb05a22408ba4c837d998b2538854d994f845a5
Compile-Date: Jan  8 2014 13:35:02
Available-Modules: afsocket,afprog,dbparser,system-source,affile,syslogformat,linux-kmsg-format,csvparser,afmongodb,afsocket-tls,confgen,afuser,afstomp,afsocket-notls,basicfuncs,cryptofuncs,afamqp
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-Linux-Caps: off
Enable-Pcre: on

The service status shows running, but it is not writing log files. We are logging UDP from about 2400 devices.

When it dies strace shows:

epoll_ctl(3, EPOLL_CTL_DEL, 10, {0, {u32=19726648, u64=19726648}}) = 0
write(110, "\1\0\0\0\0\0\0\0", 8)       = 8
epoll_wait(3, {{EPOLLIN, {u32=19641320, u64=19641320}}}, 11, 3414) = 1
read(6, "\1\0\0\0\0\0\0\0", 8)          = 8
futex(0x7fe1b000bd34, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x7fe1b000bd30, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0x7fe21cfaad68, FUTEX_WAKE_PRIVATE, 1) = 1
fcntl(10, F_GETFD)                      = 0x1 (flags FD_CLOEXEC)
fcntl(10, F_GETFL)                      = 0x802 (flags O_RDWR|O_NONBLOCK)
setsockopt(10, SOL_SOCKET, SO_OOBINLINE, [1], 4) = 0
write(110, "\1\0\0\0\0\0\0\0", 8)       = 8
epoll_ctl(3, EPOLL_CTL_ADD, 10, {0, {u32=19726648, u64=19726648}}) = 0
epoll_wait(3, {{EPOLLIN, {u32=19641320, u64=19641320}}}, 12, 3413) = 1
read(6, "\1\0\0\0\0\0\0\0", 8)          = 8
futex(0x7fe1b000bd34, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x7fe1b000bd30, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0x7fe21cfaad68, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x14e25a0, FUTEX_WAKE_PRIVATE, 1) = 1
epoll_wait(3, {{EPOLLIN, {u32=19641320, u64=19641320}}}, 12, 0) = 1
read(6, "\1\0\0\0\0\0\0\0", 8)          = 8
futex(0x7fe1b000bd34, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x7fe1b000bd30, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0x7fe21cfaad68, FUTEX_WAKE_PRIVATE, 1) = 1
write(110, "\1\0\0\0\0\0\0\0", 8)       = 8
futex(0x12d02c0, FUTEX_WAIT_PRIVATE, 2, NULL) = ? ERESTARTSYS (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
write(17, "\1\0\0\0\0\0\0\0", 8)        = 8
rt_sigreturn(0x7fe21cfab740)            = 202
futex(0x12d02c0, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...>

Here is where I did a restart:

+++ killed by SIGKILL +++

top - 12:45:56 up 133 days, 23:11, 13 users,  load average: 1.06, 1.13, 1.14
Tasks: 634 total,   2 running, 632 sleeping,   0 stopped,   0 zombie
Cpu(s):  4.2%us,  2.0%sy,  0.0%ni, 93.6%id,  0.0%wa,  0.0%hi,  0.2%si,  0.0%s
Mem:  32898840k total, 31285296k used,  1613544k free,   128188k buffers
Swap: 16777212k total,   684800k used, 16092412k free, 29249028k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1631 root      20   0 1725m 104m 2892 S 28.4  0.3  10:38.46 syslog-ng
 2843 root      20   0 1725m 104m 2892 S 17.5  0.3   0:04.35 syslog-ng
 2795 root      20   0 1725m 104m 2892 S 15.8  0.3   0:11.99 syslog-ng
 2842 root      20   0 1725m 104m 2892 S 13.9  0.3   0:02.68 syslog-ng
 2793 root      20   0 1725m 104m 2892 S 13.5  0.3   0:14.54 syslog-ng
 2855 root      20   0 1725m 104m 2892 R 13.5  0.3   0:00.41 syslog-ng
 2776 root      20   0 1725m 104m 2892 S 12.2  0.3   0:18.57 syslog-ng
43203 root      20   0  359m 101m  10m S 11.9  0.3  15:35.10 splunkd
 2794 root      20   0 1725m 104m 2892 S  9.6  0.3   0:14.62 syslog-ng
 2791 root      20   0 1725m 104m 2892 S  9.2  0.3   0:11.89 syslog-ng
 2697 root      20   0 1725m 104m 2892 S  6.3  0.3   0:31.74 syslog-ng
43204 root      20   0  359m 101m  10m S  4.9  0.3   8:01.72 splunkd
 2825 root      20   0 1725m 104m 2892 S  2.3  0.3   0:07.73 syslog-ng
 2841 root      20   0 1725m 104m 2892 S  1.6  0.3   0:03.30 syslog-ng

Also, one other problem I have is the syslog-ng log file says:

Aug 26 11:48:49 sopher1 syslog-ng[488]: Input is valid utf8, but the log message is not tagged as such, this performs worse than enabling validate-utf8 flag on input; value='758AARULOCAL01'

 

My config specifies flags(validate-utf8):

source s_udp { udp( port(514) so_rcvbuf(15000000) log_iw_size(50000) log_msg_size(65535) log_fetch_limit(50000) flags(validate-utf8));};

Frank Wilkinson

(205)934-3540 w

 


James Lay | 25 Aug 23:47 2014

Re: Quick set of eyeballs on this

On 2014-08-25 15:39, Balint Kovacs wrote:
> Hi,
>
>  just a guess, but as far as i can remember, the ASA-* part is 
> usually
> in the program field, try the program() filter instead of message() 
> in
> f_firewall.
>
>  Balint
>
> On 2014. augusztus 25. 22:48:05 CEST, James Lay
> <jlay <at> slave-tothe-box.net> wrote:
>
>> Can anyone see anything blatantly wrong with this? The goal is to
>> syslog as usual, but to forward firewall messages to a different
>> server.
>> Thanks for looking all.
>>
>> James
>>
>> @version: 3.3.5
>> options {
>> use_dns(no);
>> flush_lines(0);
>> stats_freq(43200);
>> };
>>
>> source s_local {
>> unix-stream("/dev/log");
>> udp(ip(0.0.0.0) port(514));
>> tcp(ip(0.0.0.0) port(514));
>> file("/proc/kmsg");
>> };
>>
>> destination d_file {
>> file("/var/log/messages");
>> };
>>
>> destination d_syslogserver { udp ("x.x.x.x", port(7514)); };
>>
>> filter f_syslogfilter {
>> not (
>> message("0x0004")
>> or message("169.254.")
>> or message("192.168.")
>> );
>> };
>>
>> filter f_firewall {
>> message("ASA-4-71005")
>>
>> or
>> message("ASA-2-106100")
>> };
>>
>> log {
>> source(s_local);
>> filter(f_syslogfilter);
>> destination(d_file);
>> };
>>
>> log {
>> source(s_local);
>> filter(f_firewall);
>> destination(d_syslogserver);
>> };
>>
>> -------------------------

Ah thank you...I've just been testing using logger.  I'll adjust and 
try this with program().  Thanks again.

James

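The same configuration with the program() filter Balint suggested, written out here as an added example rather than either list member's own config. With the legacy syslog parser, the token in front of the colon in a Cisco ASA line (`%ASA-<severity>-<id>: ...`) becomes $PROGRAM and is removed from $MESSAGE, which is why message() saw nothing to match. The message IDs are the two from the post, x.x.x.x is kept as the placeholder it was there, and the filter expression is terminated with a semicolon before the closing brace, which the posted f_firewall lacks.

```syslog-ng
@version: 3.3

options {
    use_dns(no);
    flush_lines(0);
    stats_freq(43200);
};

source s_local {
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
    file("/proc/kmsg");
};

destination d_file { file("/var/log/messages"); };

# x.x.x.x stands in for the real collector address.
destination d_syslogserver { udp("x.x.x.x" port(7514)); };

# Match on PROGRAM, where the ASA message ID ends up after parsing.  The
# regexp is not anchored, so it works whether or not the leading "%" is
# present; the two IDs are the ones from the original post.
filter f_firewall {
    program("ASA-(4-71005|2-106100)");
};

# Single-quoted strings keep the backslashes literal, so "." is matched as
# a dot rather than as any character.
filter f_syslogfilter {
    not (
        message('0x0004')
        or message('169\.254\.')
        or message('192\.168\.')
    );
};

# The two paths are independent: a firewall message still goes to the
# local file (subject to f_syslogfilter) and also to the collector.
log {
    source(s_local);
    filter(f_syslogfilter);
    destination(d_file);
};

log {
    source(s_local);
    filter(f_firewall);
    destination(d_syslogserver);
};
```

When testing with logger, `logger -t '%ASA-4-71005' 'test'` puts the ID into the tag, which becomes PROGRAM after parsing, so the test message takes the same route as one from the firewall; a bare `logger 'ASA-4-71005 test'` puts it into MESSAGE instead and would only exercise the message() variant.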

James Lay | 25 Aug 22:48 2014

Quick set of eyeballs on this

Can anyone see anything blatantly wrong with this?  The goal is to 
syslog as usual, but to forward firewall messages to a different server. 
Thanks for looking all.

James

@version: 3.3.5
options {
         use_dns(no);
         flush_lines(0);
         stats_freq(43200);
};

source s_local {
         unix-stream("/dev/log");
         udp(ip(0.0.0.0) port(514));
         tcp(ip(0.0.0.0) port(514));
         file("/proc/kmsg");
};

destination d_file {
         file("/var/log/messages");
};

destination d_syslogserver { udp ("x.x.x.x", port(7514)); };

filter f_syslogfilter {
         not (
                 message("0x0004")
                 or message("169\.254\.")
                 or message("192\.168\.")
         );
};

filter f_firewall {
         message("ASA-4-71005")
         or message("ASA-2-106100")
};

log {
         source(s_local);
         filter(f_syslogfilter);
         destination(d_file);
};

log {
         source(s_local);
         filter(f_firewall);
         destination(d_syslogserver);
};


Jason Long | 24 Aug 19:33 2014

I want to forward Windows server 2008 R2 logs to Linux syslog-ng.

Hello all.
I have a Windows box that wants to forward all Event logs to my Linux box. I installed Snare on Windows (172.30.10.19) and configured it to forward logs to Linux, and my Linux box receives it properly. When I use `tcpdump udp port 514`, tcpdump shows me that Snare is sending logs to Linux, but syslog-ng can't write it to log files :(. I paste my syslog-ng configuration:

options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
};


#source s_net {
#udp (ip(172.30.10.19) port(514));
#};
source s_net { udp(); };
filter f_openwrt { host("172.30.10.19");};
destination df_openwrt { file("/var/log/winlog/win.log"); };
log { source ( s_net ); filter( f_openwrt ); destination ( df_openwrt ); };


destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv) 
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news) 
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:



Can you tell me how can I solve this problem? 

Cheers.
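Two checks for the Snare setup, added as an example and not the poster's own configuration. tcpdump already shows the packets reaching the host, so the remaining questions are whether syslog-ng sees them at all and whether the host() filter can match; the example answers the first with a catch-all path and the second with a filter on the sender address rather than on sender-supplied content. 172.30.10.19 and /var/log/winlog/win.log are from the post; /var/log/remote-all.log and the template are made up.

```syslog-ng
@version: 3.5

# ip() in a source is the local address to listen on, not the client's
# address: the commented-out udp(ip(172.30.10.19) ...) in the post would
# try to bind the Windows box's IP on the Linux host.  Bind all interfaces.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Step 1: an unfiltered path proves whether messages arrive at syslog-ng.
# If this file stays empty the problem is before the filter (port, binding,
# host firewall); if it fills up, the filter is what drops them.  The path
# is an example; remove the path once the filtered one works.
destination d_net_all { file("/var/log/remote-all.log" create_dirs(yes)); };
log { source(s_net); destination(d_net_all); };

# Step 2: host() compares against the HOST field.  With keep_hostname(yes)
# that field is whatever the sender wrote into the message (Snare writes
# the Windows host name), not the IP it came from, so host("172.30.10.19")
# never matches.  netmask() tests the actual sender address, which the
# sender cannot rewrite inside the message.
filter f_win { netmask("172.30.10.19/32"); };

# The global option in the post is create_dirs(no); if /var/log/winlog does
# not exist the file cannot be created, so allow it here.  The template
# records the sender address next to the claimed host name.
destination d_win {
    file("/var/log/winlog/win.log"
         create_dirs(yes)
         template("${ISODATE} ${SOURCEIP} ${HOST} ${MESSAGE}\n"));
};
log { source(s_net); filter(f_win); destination(d_win); };
```

Running `syslog-ng -Fevd` in the foreground prints each incoming message and the filter decisions to stderr, which shows directly whether a Snare line was received and which of the two paths it took.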

