Syslog-ng forward raw log only

戏子无情 提交于 2019-12-08 03:40:10

问题


I have been trying to forward logs from a firewall to a SIEM using syslog-ng but the problem is that I want to forward only the original raw log without the added headers added by syslog-ng. I have the following syslog-ng conf file.

@version: 5.2
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-5.2-       guides/en/syslog-ng-pe-v5.2-guide-admin/html-single/index.html
#
@include "scl.conf"

options {
};

######
# sources
source s_local {
# message generated by Syslog-NG
internal();
};

source s_udp {
udp(ip(X.X.X.X)
flags(no-parse)
port(514));
};

######
#templates

template no_header {
template($MSG); template_escape(no);
};

######
#destinations

destination d_siem {x
syslog("X.X.X.X" port(514) template(no_header));
};

log { source(s_udp); destination(d_siem);};

With the above, I have managed to remove most of syslog-ng's headers but I cannot remove the following in bold

**531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -** <189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX

Syslog-ng's documentation states that:

(The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)

If in my conf I change the template from $MSG to $MSGHDR the only thing I receive in the SIEM is the following:

531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -

But again if I use $MSG or $MSGONLY or $MESSAGE again I get:

**531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -** <189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX

What I want syslog-ng to forward only is this:

<189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX

I've exhausted options such as:

 options {
 #keep-hostname(yes);
 #chain-hostnames(no);
 #use_fqdn(no);
 #create_dirs(no);
 #long_hostnames(off);
 #flush_lines(0);
 #use-dns(no);
 #keep_timestamp(yes);
 #flags(store-legacy-msghdr);
 };

None of the above made a difference.

I've read in another forum that it is possible to use rewrites and sets to put the value of locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such, to contain just the desired data but I'm not exactly sure how I can accomplish that.

Can somebody help out a bit with the above?


回答1:


You should use the tcp() destination instead of syslog():

destination d_siem {
tcp("X.X.X.X" port(514) template(no_header));
};

The syslog() is for RFC5424 syslog, tcp is for legacy.




回答2:


no_header did not work for me

Config

syslog-ng 3.7 
Centos 6.4 

Following worked for me, I used

tcp("*.*.*.*" port(5140) template("$MSG"));


来源:https://stackoverflow.com/questions/28833774/syslog-ng-forward-raw-log-only

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!