Girish Kumar | 4 Feb 06:03 2016

syslog-ng and dependency libraries for sending log messages to a remote log server with TLS support

Hi All,

My requirement is to send the log messages to a remote log server securely (with TLS).

The project I am implementing is on embedded systems, so space is very important.

Please let me know the latest stable version of syslog-ng which can be used for this.
Also please let me know the mandatory dependency libraries required.

Can I use the OpenSSL library for TLS support?

Thanks in advance.

Regards,
Girish
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Girish Kumar | 4 Feb 06:00 2016

syslog-ng and dependency libraries for sending log messages to a remote log server with TLS support

Hi All,

My requirement is to send the log messages to a remote log server securely (with TLS).

The project I am implementing is on embedded systems, so space is very important.

Please let me know the latest stable version of syslog-ng which can be used for this.
Also please let me know the mandatory dependency libraries required.

Thanks in advance.

Regards,
Girish
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list,
posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.

Ivan Adji - Krstev | 3 Feb 14:43 2016

Mutual certification

Hi all,
I have followed the link for providing mutual authentication. I have created a CA on a server and certificates for the server and client. On the server side I have put:
===========================================
source s_sys {
        system();
        #unix-stream("/dev/log");
        internal();
        network(
        port(6514)
#       tcp(port(5140));
#       file("/proc/kmsg" log_prefix("kernel: "));
        transport("tls")
        tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem")
             cert_file("/etc/syslog-ng/cert.d/servercert.pem")
             ca_dir("/etc/syslog-ng/ca.d"))
);
};
I have defined d_mysql etc.

log { source(s_sys); destination(d_mysql); };
=============================================================
On the client side I have:
destination tls_destination {
    network("x.x.x.x" port(6514));
    transport("tls")
    tls( ca_dir("/etc/syslog-ng/ca.d")
         key_file("/etc/syslog-ng/cert.d/clientkey.pem")
         cert_file("/etc/syslog-ng/cert.d/clientcert.pem") )
     };
log { source(s_sys); destination(tls_destination); };
==================================================================
And when I restart syslog-ng on the client side I get the following error:

/etc/init.d/syslog-ng restart
Stopping syslog-ng:                                        [FAILED]
Error parsing destination, destination plugin network not found in /etc/syslog-ng/syslog-ng.conf at line 45, column 5:

    network("x.x.x.x" port(6514));
    ^^^^^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

syslog-ng --version
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision: ssh+git://bazsi <at> git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jul 25 2014 15:20:50
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off

So can someone tell me what I'm doing wrong?

Kind regards
Ivan
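Two lines of the pasted --version output settle this before the configuration is even read: the binary reports Enable-SSL: off, so it cannot do TLS at all, and network() is a driver that arrived in syslog-ng 3.3, which is exactly what "destination plugin network not found" means on 3.2.5 (on that release the tcp() driver takes the same tls() block). A third problem, not mentioned in the post, is that the `);` right after port(6514) closes network() before transport("tls") and tls() are reached. The check below is an added example written for this page in Python; it is not syslog-ng code. It parses the --version output and the destination block quoted above (both copied here as constructed input) and reports the first two problems; the 3.3 threshold is stated from my own knowledge of the release history.

```python
"""Check a syslog-ng build against a TLS configuration before deploying it.

Added example (Python written for this page, not syslog-ng code).  It reads
`syslog-ng --version` output and applies two facts that explain the error in
the post above:
  * tls() and transport("tls") need a build with Enable-SSL: on;
  * the network() driver exists from syslog-ng 3.3 on; 3.2 only has
    tcp()/udp(), and tcp() takes the same tls() block.
"""
import re

NETWORK_DRIVER_MIN_VERSION = (3, 3)   # network() was added in syslog-ng OSE 3.3

# Taken from the post: the lines of `syslog-ng --version` the check needs.
VERSION_OUTPUT = """\
syslog-ng 3.2.5
Installer-Version: 3.2.5
Enable-Threads: on
Enable-IPv6: on
Enable-SSL: off
Enable-SQL: on
"""

# The client destination from the post (note the `);` right after port(6514)
# closes network() before transport() and tls() are reached).
CLIENT_CONFIG = """\
destination tls_destination {
    network("x.x.x.x" port(6514));
    transport("tls")
    tls( ca_dir("/etc/syslog-ng/ca.d")
         key_file("/etc/syslog-ng/cert.d/clientkey.pem")
         cert_file("/etc/syslog-ng/cert.d/clientcert.pem") )
};
"""


def parse_version_output(text):
    """Return (version tuple, {feature flag: bool}) from `syslog-ng --version` output."""
    version, features = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^syslog-ng (\d+)\.(\d+)(?:\.(\d+))?\b", line)
        if m and version is None:
            version = tuple(int(p) for p in m.groups() if p is not None)
            continue
        m = re.match(r"^(Enable-[\w-]+):\s*(on|off)$", line)
        if m:
            features[m.group(1)] = (m.group(2) == "on")
    if version is None:
        raise ValueError("no 'syslog-ng X.Y[.Z]' line in --version output")
    return version, features


def check_tls_config(version_output, config_text):
    """List the reasons config_text cannot load, or cannot do TLS, on this build."""
    version, features = parse_version_output(version_output)
    problems = []
    if re.search(r"\bnetwork\s*\(", config_text) and version < NETWORK_DRIVER_MIN_VERSION:
        problems.append(
            f"network() needs syslog-ng {'.'.join(map(str, NETWORK_DRIVER_MIN_VERSION))} "
            f"or later, build is {'.'.join(map(str, version))}; "
            'use tcp("host" port(N) tls(...)) on this release')
    wants_tls = re.search(r'\btls\s*\(|transport\(\s*"tls"\s*\)', config_text)
    if wants_tls and not features.get("Enable-SSL", False):
        problems.append('tls()/transport("tls") need Enable-SSL: on, '
                        "but this build reports Enable-SSL: off (no TLS possible)")
    return problems


if __name__ == "__main__":
    for problem in check_tls_config(VERSION_OUTPUT, CLIENT_CONFIG):
        print("-", problem)
```

Run it on the output of your own binary (`syslog-ng --version`) and the destination you intend to ship; an empty list means only the configuration syntax itself remains to be checked, which `syslog-ng --syntax-only` does on the target host.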

Scheidler, Balázs | 2 Feb 09:22 2016

Re: Module development guide

Hi,

Let me try to describe what is needed to parse options from the configuration file:
  • curl-grammar.ym: a yacc/bison source file that parses the curl-specific portion of the configuration; bison is able to generate parsers for LALR(1) languages.
  • curl-parser.c: contains the set of keywords that curl understands. This maps keywords found in the configuration to tokens that the grammar is able to process. A token is basically a numeric identifier.

So for instance to add a "header" option, you will need this stuff:

1) define a token in the grammar, so it becomes available as a macro

diff --git a/modules/curl/curl-grammar.ym b/modules/curl/curl-grammar.ym
index c3aaf00..eab317c 100644
--- a/modules/curl/curl-grammar.ym
+++ b/modules/curl/curl-grammar.ym
<at> <at> -47,6 +47,7 <at> <at>
 %parse-param {gpointer arg}
 
 %token KW_CURL
+%token KW_HEADER
 
 %type   <ptr> driver
 %type   <ptr> curl_destination


If you recompile the curl module, this will make KW_HEADER available in curl-grammar.h.

2) add a keyword to curl-parser.c

This tells the syslog-ng lexer (the component that reads the configuration file and breaks it into tokens) to map the string "header" to a symbolic token named KW_HEADER.

diff --git a/modules/curl/curl-parser.c b/modules/curl/curl-parser.c
index 6958a8d..b60ef0b 100644
--- a/modules/curl/curl-parser.c
+++ b/modules/curl/curl-parser.c
<at> <at> -30,6 +30,7 <at> <at> int curl_parse(CfgLexer *lexer, LogDriver **instance, gpointer arg);
 
 static CfgLexerKeyword curl_keywords[] = {
   { "curl", KW_CURL },
+  { "header", KW_HEADER },
   { NULL }
 };
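Review bot: `{ "header", KW_HEADER }` is placed correctly before the `{ NULL }` sentinel, but the only context shown is the `curl_parse` prototype, so confirm that curl-parser.c includes the generated curl-grammar.h where KW_HEADER is defined (the text above says that is where the macro appears after a rebuild); without that include, or with a stale generated header, this line fails to compile with an undefined identifier.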

 

3) add rules to the grammar to parse this option

First we need a small refactor in the curl-grammar file to save the just-instantiated CurlDestinationDriver (I hand-edited this hunk for clarity, so it will not apply automatically):


<at> <at> -71,7 +72,15 <at> <at> driver
        ;
 
 curl_destination
-       : KW_CURL '(' ')'                       { $$ = curl_dd_new(configuration); }
+       : KW_CURL
+         {
+            last_driver = curl_dd_new(configuration);
+          }
+         '('  ')'                             { $$ = last_driver; }
+       ;
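Review bot: the mid-rule action calls curl_dd_new() before '(' and ')' have been matched, so a syntax error anywhere inside the parentheses (or a missing ')') leaves that freshly allocated driver unreachable; bison only reclaims such a value if a %destructor covers it, which this hunk does not add. The refactor also means `$$ = last_driver;` returns whatever the shared `last_driver` holds at reduction time, so nothing parsed between the two actions may reassign it.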


This basically just stores the driver instance in a variable named "last_driver" (defined by the core cfg-grammar.y file), so we can later use it to call setters on.

And now let's add option parsing (this time the entire hunk):

<at> <at> -71,7 +72,20 <at> <at> driver
        ;
 
 curl_destination
-       : KW_CURL '(' ')'                       { $$ = curl_dd_new(configuration); }
+       : KW_CURL
+         {
+            last_driver = curl_dd_new(configuration);
+          }
+         '(' curl_options ')'                             { $$ = last_driver; }
+       ;
+
+curl_options
+       : curl_option curl_options
+       |
+       ;
+
+curl_option
+       : KW_HEADER '(' string string ')'                  { curl_dd_set_header(last_driver, $3, $4); }
        ;
 
 /* INCLUDE_RULES */
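Review bot: `KW_HEADER '(' string string ')'` demands two strings, but the configuration Marc quoted further down passes one (`header("Content-Type: application/json")`), which this rule rejects at the second `string`; either make header() take a single "Name: value" string and split it in curl_dd_set_header(), or document the two-argument form. Two smaller points: confirm who owns $3/$4 after curl_dd_set_header() returns (if the setter copies them, free them in the action, otherwise every parsed option leaks its lexer strings), and `curl_options : curl_option curl_options` is right-recursive, so the parser stack grows with the number of options; `curl_options : curl_options curl_option` accepts the same input with the usual yacc left recursion.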

What this does is add a rule "curl_options" within the parentheses of our original "curl" rule, which is the rule that must match the configuration as we parse it (think of it as a recursive tree).

curl_options is satisfied either by an empty rule (i.e. no options) or by recursing into itself after a curl_option rule. Note the plural and singular names: curl_options is responsible for matching a list of "curl_option"s.

curl_option is responsible for parsing individual options; for now only a single rule is there, KW_HEADER, which when parsed will call curl_dd_set_header().

You can add further options like this:

+curl_option
+       : KW_HEADER '(' string string ')'                  { curl_dd_set_header(last_driver, $3, $4); }
+       | KW_URL '(' string ')'                            { curl_dd_set_url(last_driver, $3); }
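Review bot: `KW_URL` appears here with no `%token KW_URL` in the grammar hunk above and no `{ "url", KW_URL }` entry in curl_keywords[], so as shown bison reports an undeclared token and the lexer would never emit it; both additions are needed, plus a curl_dd_set_url() in the driver, which is assumed to exist. The fragment also stops before the terminating `;` that the full rule above ends with.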


Variables like $1, $2 and so on represent the Nth token in the rule, e.g. $3 in the KW_HEADER branch is the first string value and $4 is the second.

Hope this helps. You will definitely be able to find tutorials that describe both yacc and lex; however, there are a number of quirks in how syslog-ng applies them, primarily to make it possible to extend the base grammar with plugins.

Cheers,

Bazsi


       

--
Bazsi

On Mon, Feb 1, 2016 at 10:01 PM, Marc Falzon <m <at> baha.mu> wrote:
Hi Bazsi

Sorry to bother you again, but now that I'm done prototyping the "curl" part of my module using hardcoded values for testing I'm facing the "grammar/parser" problem: could you please drive me through the basics of how this works? I tried to understand by looking at other modules but I don't understand at all.

Basically, I'd like to be able to specify some configuration settings in the syslog-ng configuration, such as url, some HTTP headers... It would look like this:

destination d_curl {
  curl(url("http://logs.example.net:5140/" header("Content-Type: application/json") header("X-Custom-Header: blah")));
};


My code is still available at https://github.com/falzm/syslog-ng/tree/f/curl-module/modules/curl

Thank you in advance,

m.


On Saturday 30 January 2016 at 10:17, m <at> baha.mu wrote:

> Hi
>
> Great! I should be able to get going from here, thank you for your help.
>
> Cheers,
>
> m.
>
> > On Jan 30, 2016, at 08:56, Scheidler, Balázs <balazs.scheidler <at> balabit.com (mailto:balazs.scheidler <at> balabit.com)> wrote:
> >
> > Hi,
> >
> > I have added code to your module, it compiles and is able to accept messages to be sent, and prints a debug message whenever that happens.
> >
> > I didn't have too much time to clean it up, but I hope this helps to start the ball rolling.
> >
> > https://github.com/balabit/syslog-ng/compare/f/curl-module <https://github.com/balabit/syslog-ng/compare/f/curl-module>
> >
> >
> > Bazsi
> >
> > --
> > Bazsi
> >
> > On Sat, Jan 23, 2016 at 9:27 PM, <m <at> baha.mu <mailto:m <at> baha.mu>> wrote:
> >
> > > On Jan 23, 2016, at 21:23, Scheidler, Balázs <balazs.scheidler <at> balabit.com <mailto:balazs.scheidler <at> balabit.com>> wrote:
> > >
> > > If you commit your code to a branch I can help with the basic skeleton of the parser/grammar
> >
> >
> > Thank you Balázs, my code is available here: https://github.com/falzm/syslog-ng/tree/f/curl-module/modules/curl <https://github.com/falzm/syslog-ng/tree/f/curl-module/modules/curl>
> >
> > m.
> >
> >
> > >
> > > On Jan 23, 2016 5:54 PM, "Marc Falzon" <m <at> baha.mu <mailto:m <at> baha.mu>> wrote:
> > > I successfully generated a module template using the `create_plugin.sh` script, however I don't have the slightest idea how to get started from here (I mean for the 'plugin glue', I can manage the cURL part)... The most problematic step for me is the whole parser/grammar thing, which I believe involves YACC/Bison parsing, but I don't know how it works and it's too big of a learning curve for what I want to achieve at this point... Since the Gitbook doesn't provide any useful information on module development at the moment, is there any way to get me started on this topic? I'm not a developer (sysadmin), and trying to learn from existing modules doesn't quite cut it.
> > >
> > > Thank you,
> > >
> > > m.
> > >
> > >
> > > On Friday 22 January 2016 at 11:35, Tibor Benke wrote:
> > >
> > > > There is also a shell script which generates a basic destination skeleton. You can find its source on this branch: https://github.com/juhaszviktor/syslog-ng/tree/f/plugin-creator . Check the dev-utils/plugin_skeleton_creator directory and this commit for the usage: https://github.com/juhaszviktor/syslog-ng/commit/89361d4d1817560ce8c906209355f1b737a28010
> > > >
> > > > 2016-01-22 11:33 GMT+01:00 Marc Falzon <m <at> baha.mu <mailto:m <at> baha.mu> (mailto:m <at> baha.mu <mailto:m <at> baha.mu>)>:
> > > > > Hi Bazsi,
> > > > >
> > > > >
> > > > > On Friday 22 January 2016 at 11:28, Scheidler, Balázs wrote:
> > > > >
> > > > > > not really, but maybe I would read the "official" modules source code instead. and of course you can ask questions on the mailing list. :)
> > > > >
> > > > >
> > > > > Yes, that's what I've started to do, but proper documentation is preferable; it saves time and avoids confusion ;)
> > > > >
> > > > > > if you want to create a destination, the easiest is to create a threaded destination, where the output is an independent thread, that can use a synchronous API. Of course this is going to be slower than using an asynchronous implementation, but that usually is good enough,
> > > > >
> > > > > Thank you for the hint. Given my use case (HTTP destination) I think I'm safe to go with an asynchronous implementation since each request is stateless, no connections/locks involved.
> > > > >
> > > > > m.
> > > > >
> > > > > >
> > > > > > On Fri, Jan 22, 2016 at 11:03 AM, Marc Falzon <m <at> baha.mu <mailto:m <at> baha.mu> (mailto:m <at> baha.mu <mailto:m <at> baha.mu>) (mailto:m <at> baha.mu <mailto:m <at> baha.mu>)> wrote:
> > > > > > > Hi
> > > > > > >
> > > > > > > Is there any documentation on how to develop a new syslog-ng module using the native C API, besides reading the incubator modules' source code?
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > m.
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
>




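As an added illustration of how the rules in Bazsi's reply fit together, here is a Python model of the same grammar. This is written for this page; it is neither the bison grammar nor Marc's module. The KEYWORDS table plays the role of curl_keywords[] in curl-parser.c, and each method of CurlGrammar corresponds one-to-one to a rule in curl-grammar.ym (curl_destination with its mid-rule action, the recursive curl_options, and curl_option including the KW_URL alternative from the last fragment). CurlDestinationDriver, the sample text and the helper names are constructed for the example. Because the grammar's header() takes two strings, the one-string form Marc asked for, `header("Content-Type: application/json")`, is a syntax error here exactly as it would be under the bison rule.

```python
"""Recursive-descent model of the curl module grammar described above.

Added example (Python, not the bison grammar or Marc's module): each method
below corresponds to one rule in curl-grammar.ym and the KEYWORDS table plays
the role of curl_keywords[] in curl-parser.c.  CurlDestinationDriver, the
sample text and the helper names are constructed for this illustration.
"""
import re

# curl-parser.c: keyword string -> token name.  Anything else is a plain IDENT.
KEYWORDS = {"curl": "KW_CURL", "header": "KW_HEADER", "url": "KW_URL"}

TOKEN_RE = re.compile(
    r"\s+"                                   # whitespace, skipped
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"    # keyword or identifier
    r'|(?P<str>"(?:[^"\\]|\\.)*")'           # "..." with backslash escapes
    r"|(?P<paren>[()])"
)


def tokenize(text):
    """The lexer: returns [(token_kind, value), ...] ending with ("EOF", "")."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup == "ident":
            word = m.group("ident")
            tokens.append((KEYWORDS.get(word, "IDENT"), word))
        elif m.lastgroup == "str":
            tokens.append(("string", m.group("str")[1:-1]))  # quotes stripped, escapes kept
        elif m.lastgroup == "paren":
            tokens.append((m.group("paren"), m.group("paren")))
        # whitespace: m.lastgroup is None and nothing is emitted
    tokens.append(("EOF", ""))
    return tokens


class CurlDestinationDriver:
    """Stand-in for the C struct: records what the setters were called with."""
    def __init__(self):
        self.url = None
        self.headers = []        # (name, value) pairs from curl_dd_set_header()


class CurlGrammar:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
        self.last_driver = None  # the variable the mid-rule action stores into

    def peek(self):
        return self.toks[self.i][0]

    def expect(self, kind):
        got, value = self.toks[self.i]
        if got != kind:
            raise SyntaxError(f"expected {kind}, got {got} {value!r}")
        self.i += 1
        return value

    # curl_destination : KW_CURL { last_driver = curl_dd_new(configuration); }
    #                    '(' curl_options ')'   { $$ = last_driver; }
    def curl_destination(self):
        self.expect("KW_CURL")
        self.last_driver = CurlDestinationDriver()  # the mid-rule action
        self.expect("(")
        self.curl_options()
        self.expect(")")
        return self.last_driver

    # curl_options : curl_option curl_options | /* empty */
    def curl_options(self):
        if self.peek() in ("KW_HEADER", "KW_URL"):
            self.curl_option()
            self.curl_options()  # recursion; the empty alternative is the fall-through

    # curl_option : KW_HEADER '(' string string ')'  { curl_dd_set_header(last_driver, $3, $4); }
    #             | KW_URL    '(' string ')'         { curl_dd_set_url(last_driver, $3); }
    def curl_option(self):
        kw = self.peek()
        if kw == "KW_HEADER":
            self.expect("KW_HEADER")
            self.expect("(")
            name = self.expect("string")   # $3
            value = self.expect("string")  # $4
            self.expect(")")
            self.last_driver.headers.append((name, value))
        elif kw == "KW_URL":
            self.expect("KW_URL")
            self.expect("(")
            self.last_driver.url = self.expect("string")  # $3
            self.expect(")")
        else:
            raise SyntaxError(f"unknown curl() option {self.toks[self.i][1]!r}")


def parse_curl_destination(text):
    """Parse one curl(...) driver and return the populated driver object."""
    grammar = CurlGrammar(tokenize(text))
    driver = grammar.curl_destination()
    grammar.expect("EOF")  # nothing may follow the driver
    return driver


def parses(text):
    """True if text is accepted by the grammar, False on a syntax error."""
    try:
        parse_curl_destination(text)
        return True
    except SyntaxError:
        return False


# Constructed sample: Marc's example rewritten to the two-string header() form
# that the grammar accepts.
SAMPLE = '''curl(
    url("http://logs.example.net:5140/")
    header("Content-Type" "application/json")
    header("X-Custom-Header" "blah")
)'''

if __name__ == "__main__":
    d = parse_curl_destination(SAMPLE)
    print(d.url, d.headers)
    print(parses('curl(header("Content-Type: application/json"))'))
```

The point to take from the model is the shape of the recursion: curl_options never consumes a token itself, it only decides whether another curl_option follows, and every setter call happens inside curl_option with the driver that the mid-rule action created, just as `last_driver` is used in the bison actions.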

Vincent Bernat | 26 Jan 07:43 2016

Re: Module development guide

 ❦ 22 January 2016 12:43 +0100, "Scheidler, Balázs" <balazs.scheidler <at> balabit.com>:

> well, the afsocket one. that's a completely nonblocking destination
> that implements udp/tcp/unix-stream/unix-dgram/syslog/network sources
> and destinations.
>
> It basically boils down to using a LogWriter class that does the heavy
> lifting at least as long as your transport protocol is simple enough.
> Probably the simplest is to create a LogProto implementation and let
> the afsocket driver do the rest.
>
> Asynchronous sources/destinations operate on a set of worker threads
> (in contrast to a dedicated thread) and are driven by the epoll()
> based event loop.

It's for the librdkafka-based kafka destination. So, the third-party
library is taking care of all the transport stuff. Is the afsocket one
still a good example for async stuff in this case? I didn't have a look
yet.
--

-- 
Don't compare floating point numbers just for equality.
            - The Elements of Programming Style (Kernighan & Plauger)

Juhász, Viktor | 25 Jan 16:21 2016

License check failure

Hi,

I really want to keep the license policy,
but I don't know, and can't find any description of, what to do if I just moved files from one directory to another without any modifications.

For example I just moved logmsg.c from lib to the lib/logmsg directory, and the license check fails in Travis.
What should I do in this case?

BR,
Viktor Juhász


Marc Falzon | 22 Jan 11:03 2016

Module development guide

Hi 

Is there any documentation on how to develop a new syslog-ng module using the native C API, besides reading the incubator modules' source code?

Cheers,

m. 


Marc Falzon | 22 Jan 10:22 2016

Dependency on default-jre for Debian package

Hi 

I'm trying to install the unofficial syslog-ng 3.7.2 Debian packages from
http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debian_8.0/
however I have a problem with the Java-related packages, since they have a package dependency on
`default-jre`, and I'm using an Oracle JRE packaged using the `make-jpkg` utility which generates a
Debian package providing `java-browser-plugin, java-runtime, java-runtime-headless,
java-virtual-machine, java2-runtime, java2-runtime-headless, java6-runtime,
java6-runtime-headless, java7-runtime, java7-runtime-headless, java8-runtime,
java8-runtime-headless`, but not `default-jre`.

Is it possible to modify those packages so that they depend on `java-runtime` instead? The `default-jre`
packages also provide `java-runtime`.

Thank you,

m. 


Patrick Hemmer | 21 Jan 18:53 2016

"Syslog connection closed" but socket not closed

We recently saw an issue where syslog-ng (version 3.6.4 on FreeBSD 10.1) 
was configured with a `syslog()` source, received an invalid frame, shut 
down the connection, but the socket remained open. I was looking through 
the documented fixes in the versions since the one we're using (3.6.4), 
but nothing looks related.

2016-01-21T07:44:21-05:00 iad1gweb01.ecom.chewy.com     ERR 
syslog-ng[27090]: - Invalid frame header; header='' [meta sequenceId="389"]
2016-01-21T07:44:21-05:00 iad1gweb01.ecom.chewy.com  NOTICE 
syslog-ng[27090]: - Syslog connection closed; fd='19', 
client='AF_INET(127.0.0.1:59317)', local='AF_INET(127.0.0.1:601)' [meta 
sequenceId="390"]

# netstat -an|grep 59317
tcp4   81660      0 127.0.0.1.601 127.0.0.1.59317        ESTABLISHED
tcp4       0  48923 127.0.0.1.59317 127.0.0.1.601          ESTABLISHED

From the netstat output (the buffer sizes), it looks like syslog-ng 
stopped reading from the socket, but didn't close it, and the 
application on the other end kept trying to write to it.

This is just my theory anyway. I can open a bug on github, but I wanted 
to bring it up here first.

Thanks

-Patrick

Blake Day | 21 Jan 01:11 2016

RFC5425 framing and log_msg_size

Hi all,

I’m wondering why syslog-ng disconnects clients that try to send log messages exceeding log_msg_size instead of just gracefully accepting and truncating the message?  I took a quick glance at the code, and it appears to only affect clients using RFC5425 framing.

Here is the relevant code:

  if (self->frame_len > self->super.options->max_msg_size)
    {
      msg_error("Incoming frame larger than log_msg_size()",
                evt_tag_int("log_msg_size", self->super.options->max_msg_size),
                evt_tag_int("frame_length", self->frame_len),
                NULL);
      return LPS_ERROR;
    }

Here are excerpts from my logs showing the problem:

2016-01-20T11:27:28-05:00 [HOST]     ERR syslog-ng[87462]: - Incoming frame larger than log_msg_size(); log_msg_size='16384', frame_length='76218' [meta sequenceId="6560"]

2016-01-20T11:27:28-05:00 [HOST]  NOTICE syslog-ng[87462]: - Syslog connection closed; fd='26', client='AF_INET(127.0.0.1:52627)', local='AF_INET(127.0.0.1:601)' [meta sequenceId="6561"]


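This report and Patrick's "Syslog connection closed" report above concern the same RFC 5425 octet-counting path: a frame header that is not a length (Patrick's `header=''`) or a length above log_msg_size() (the LPS_ERROR return quoted here) ends the session, and after that the socket must actually be closed, which Patrick's netstat output shows did not happen. The framer below is an added example written for this page in Python; it is not syslog-ng code. It implements the MSG-LEN SP SYSLOG-MSG framing incrementally, as a socket delivers it, and offers three policies for an oversized frame: error (the behaviour quoted above: the caller closes the socket), skip (swallow exactly that frame and keep the connection) and truncate (keep the first log_msg_size bytes). run_connection() models the contract that the netstat output shows being violated: on an error, stop reading and close. All inputs are constructed.

```python
"""Incremental RFC 5425 octet-counting framer with an explicit oversize policy.

Added example (Python, not syslog-ng code).  Frame syntax, from RFC 5425:
MSG-LEN SP SYSLOG-MSG, where MSG-LEN is a decimal count with no leading zero.
All inputs used with it here are constructed.
"""


class FramingError(Exception):
    """The framer cannot continue on this byte stream (syslog-ng: LPS_ERROR).
    The caller must stop reading *and* close the socket."""


class OctetCountingFramer:
    def __init__(self, max_msg_size=16384, oversize="error", max_header_len=10):
        if oversize not in ("error", "skip", "truncate"):
            raise ValueError("oversize must be error, skip or truncate")
        self.max_msg_size = max_msg_size      # syslog-ng: log_msg_size()
        self.oversize = oversize
        self.max_header_len = max_header_len  # digits accepted before giving up on a header
        self.buf = b""
        self._pending = None                  # [remaining, keep, kept] while eating a big frame

    def feed(self, data):
        """Append data; return the list of (kind, payload) events completed so far."""
        self.buf += data
        events = []
        while True:
            if self._pending is not None:
                if not self._drain_pending(events):
                    break                                  # big frame still incomplete
                continue
            sp = self.buf.find(b" ")
            if sp < 0:
                if len(self.buf) > self.max_header_len:
                    raise FramingError(f"frame header too long: {self.buf[:self.max_header_len]!r}")
                break                                      # need more bytes for the header
            header = self.buf[:sp]
            if not header.isdigit() or header.startswith(b"0"):
                raise FramingError(f"Invalid frame header; header={header.decode('ascii', 'replace')!r}")
            frame_len = int(header)
            body = self.buf[sp + 1:]
            if frame_len > self.max_msg_size:
                if self.oversize == "error":
                    raise FramingError(f"Incoming frame larger than log_msg_size; "
                                       f"log_msg_size={self.max_msg_size}, frame_length={frame_len}")
                keep = self.max_msg_size if self.oversize == "truncate" else 0
                self.buf = body
                self._pending = [frame_len, keep, b""]     # consume exactly frame_len bytes
                continue
            if len(body) < frame_len:
                break                                      # frame incomplete; header stays buffered
            events.append(("message", body[:frame_len]))
            self.buf = body[frame_len:]
        return events

    def _drain_pending(self, events):
        """Consume bytes of an oversized frame; True once the whole frame is gone."""
        remaining, keep, kept = self._pending
        take = self.buf[:remaining]
        kept += take[:keep]
        keep = max(0, keep - len(take))
        self.buf = self.buf[len(take):]
        remaining -= len(take)
        if remaining > 0:
            self._pending = [remaining, keep, kept]
            return False
        self._pending = None
        events.append(("truncated" if self.oversize == "truncate" else "dropped", kept))
        return True


def run_connection(chunks, **framer_args):
    """Drive a framer with the chunks a socket would deliver.

    Returns (events, close_reason); close_reason is None if the stream stayed
    valid.  On a FramingError a server must close the fd, not merely stop
    reading, or the peer keeps writing into a socket nobody drains.
    """
    framer = OctetCountingFramer(**framer_args)
    events = []
    for chunk in chunks:
        try:
            events.extend(framer.feed(chunk))
        except FramingError as err:
            return events, str(err)
    return events, None


if __name__ == "__main__":
    print(run_connection([b"5 hello6 wor", b"ld!"], max_msg_size=64))
    print(run_connection([b"20 " + b"x" * 20], max_msg_size=8))
    print(run_connection([b"12 abcdefghijkl2 ok"], max_msg_size=8, oversize="truncate"))
```

The reason a graceful policy has to be implemented at the framing layer, and not by simply cutting the message, is visible in the skip and truncate branches: the remaining bytes of the oversized frame must still be consumed, otherwise the next header is read from the middle of the payload and every later frame is misparsed.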

Alexandre DEPREZ | 20 Jan 23:27 2016

patterndb and smtp to() issue

Hi all,

I'm using pattern-db to extract values from a firewall's logs.

So far, everything's working great.

The log looks something like this:

Jan 20 2016 21:48:45: %ASA-7-746012: user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user 

Using pdbtool and matching the log against the XML pattern file, this is showing me good results:


$ pdbtool match -P "%ASA-7-746012" -M "user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user" -p /etc/syslog-ng/patterndb.d/vpn-parser-up.xml -D -c 
Pattern matching part:
user-identity: Add IP-User mapping @IPv4:VPN_IP=10.10.99.7@ - LOCAL\@STRING:VPN_USER=alex@ Succeeded - VPN user
Matching part:
user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user
Values:
MESSAGE=user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user
PROGRAM=%ASA-7-746012
.classifier.class=vpn.access_log
.classifier.rule_id=019045a7383c252e57c20435ae5bf86c
VPN_IP=10.10.99.7
VPN_USER=alex
TAGS=


Here's the xml file

<patterndb version='4' pub_date='2015-12-22'>
  <ruleset id='04ba26e756011614c57cf469fed7b5c0' name='%ASA-7-746012'>
    <pattern>%ASA-7-746012</pattern>
     <rules>
      <rule class='vpn.access_log' id='019045a7383c252e57c20435ae5bf86c' provider='alex'>
        <patterns>
                <pattern>user-identity: Add IP-User mapping @IPv4:VPN_IP@ - LOCAL\@STRING:VPN_USER@ Succeeded - VPN user</pattern>
        </patterns>
        </rule>   
         </rules>
  </ruleset>
</patterndb>


Now, the problem lies on the destination which is using the smtp driver.

destination vpn_mail_up { 
        smtp(
                host("x.x.x.x")
                port(25)
                from("alex@x.y" "alex@x.y")
                to("${VPN_USER}@x.y")
                subject("vpn connection")
                body("vpn connection from ${VPN_USER}  with IP: ${VPN_IP}\n")
        );
};

The variable is functional inside the body() but not in the to() field.

Here's a dump I extracted directly from the server on the tcp session to the mail server:

RCPT.TO:<${VPN_USER}@x.y>..
BDAT.411..
X-Mailer:.syslog-ng.3.5.6..
Date:.Wed,.20.Jan.2016.21:51:51.+0100..
From:.alex@x.y..
Message-Id:.<1453323111.149975.19608@debian>..
To:."${VPN_USER}@x.y".<${VPN_USER}@x.y>..
Subject:.vpn.connection..
.BDAT.68..vpn.connection.from.alex..with.IP:.10.10.99.7.BDAT.2.LAST..

The variable is being populated in the body message but not the recipient. 

Is there any chance the variable can only be used once (!?) or cannot be used inside to()?

Regards,

Alex





