I have been trying to forward logs from a firewall to a SIEM using syslog-ng but the problem is that I want to forward only the original raw log without the added headers added by syslog-ng. I have the following syslog-ng conf file.
@version: 5.2
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-5.2- guides/en/syslog-ng-pe-v5.2-guide-admin/html-single/index.html
#
@include "scl.conf"
options {
};
######
# sources
source s_local {
# message generated by Syslog-NG
internal();
};
source s_udp {
udp(ip(X.X.X.X)
flags(no-parse)
port(514));
};
######
#templates
template no_header {
template($MSG); template_escape(no);
};
######
#destinations
destination d_siem {x
syslog("X.X.X.X" port(514) template(no_header));
};
log { source(s_udp); destination(d_siem);};
With the above, I have managed to remove most of syslog-ng's headers but I cannot remove the following in bold
**531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -** <189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX
Syslog-ng's documentation states that:
(The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)
If in my conf I change the template from $MSG to $MSGHDR the only thing I receive in the SIEM is the following:
531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -
But again if I use $MSG or $MSGONLY or $MESSAGE again I get:
**531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -** <189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX
What I want syslog-ng to forward only is this:
<189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX
I've exhausted options such as:
options {
#keep-hostname(yes);
#chain-hostnames(no);
#use_fqdn(no);
#create_dirs(no);
#long_hostnames(off);
#flush_lines(0);
#use-dns(no);
#keep_timestamp(yes);
#flags(store-legacy-msghdr);
};
None of the above made a difference.
I've read in another forum that it is possible to use rewrites and sets to put the value of locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such, to contain just the desired data but I'm not exactly sure how I can accomplish that.
Can somebody help out a bit with the above?
You should use the tcp() destination instead of syslog():
destination d_siem {
tcp("X.X.X.X" port(514) template(no_header));
};
The syslog() is for RFC5424 syslog, tcp is for legacy.
no_header did not work for me
Config
syslog-ng 3.7
Centos 6.4
Following worked for me, I used
tcp("*.*.*.*" port(5140) template("$MSG"));
来源:https://stackoverflow.com/questions/28833774/syslog-ng-forward-raw-log-only