This driver sends SNMP traps using the SNMP v2c or v3 protocol.
The snmp() destination has the following options:
Type: | SHA|sha |
Default: | SHA |
Description: The authentication method to use. Lowercase values (for example, sha) can be used as well.
This option is used with the SNMPv3 protocol.
Type: | string |
Default: | empty string |
Description: The password used for authentication. If the auth-username() option is set but the auth-password() is empty, syslog-ng OSE will try to authenticate with an empty password.
This option is used with the SNMPv3 protocol.
Type: | string |
Default: | empty string |
Description: The username used to authenticate on the SNMP server. If this parameter is set, syslog-ng OSE will try to authenticate on the SNMP server.
This option is used with the SNMPv3 protocol.
Type: | string |
Default: | public |
Description: The community string used for SNMPv2c authentication.
This option is used with the SNMPv2c protocol.
Type: | AES|aes |
Default: | AES |
Description: The encryption method used to encrypt the SNMP traffic. Lowercase values (for example, aes) can be used as well.
This option is used with the SNMPv3 protocol.
Type: | string |
Default: |
Description: The password used for the encryption. Encryption is used only if the enc-password() is not empty.
This option is used with the SNMPv3 protocol.
Type: | number (hexadecimal number) |
Default: |
Description: The engine ID is a hexadecimal number at least 10 digits long, starting with 0x. For example 0xABABABABAB.
This option is a required parameter when using the SNMPv3 protocol.
Type: | number |
Default: | Use global setting. |
Description: The number of messages that the output queue can store.
Type: | <oid_of_the_object>, <type_of_the_object>, <value_of_the_object> |
Default: | n/a |
Description: The snmp-obj() option can be used to create custom SNMP trap elements. To create a trap element, specify the OID, type, and value of the element in the snmp-obj() option. To send SNMP traps, at least one snmp-obj() option must be defined. The snmp-obj() option requires the following parameters. Note that syslog-ng OSE does not validate the values of these elements.
<oid_of_the_object>: The object id of the SNMP object, for example, .1.3.6.1.4.1.18372.3.1.1.1.1.1.
<type_of_the_object>: The type of the object specified as an ASN.1 primitive. One of: Integer, Timeticks, Octetstring, Counter32, Ipaddress, Objectid. The type names are not case sensitive.
<value_of_the_object>: The value of the object as a string. The macros of syslog-ng OSE can be used to set these values, making it possible to transfer the content and other metadata from the the syslog message to the SNMP trap. Note that if the value of an Integer, Counter32 or Timeticks object is not a number (for example, is an empty string or other not-number string), syslog-ng OSE will automatically replace the value with 0. The values of other types of objects are not validated.
The following are SNMP object definitions:
snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.3', 'Ipaddress', '192.168.1.1')
snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.2', 'Octetstring', '${MESSAGE}')
Type: | name of the timezone, or the timezone offset |
Default: | unspecified |
Description: Convert timestamps to the timezone specified by this option. If this option is not set, then the original timezone information in the message is used. Converting the timezone changes the values of all date-related macros derived from the timestamp, for example, HOUR. For the complete list of such macros, see Date-related macros.
The timezone can be specified by using the name, for example, time-zone("Europe/Budapest")), or as the timezone offset in +/-HH:MM format, for example, +01:00). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.
Type: | <oid_of_the_object>, "Objectid", <value_of_the_object> |
Default: | n/a |
Description: The trap-obj() is a specialized version of the snmp-obj() option that is used to identify the SNMP trap object. The type of the trap object is always Objectid. The <oid_of_the_object> and the <value_of_the_object> parameters are identical to the respective parameters of the snmp-obj() option. For details on these parameters, see snmp-obj().
|
NOTE:
Using the trap-obj() object is equivalent to using the snmp-obj() with the Objectid type. |
Type: | v2c|v3 |
Default: | v2c |
Description: Specifies which version of the SNMP protocol to use.
|
NOTE:
The syslog-ng OSE application will accept any valid option for the snmp() destination, but will only use the ones relevant to the selected protocol version, any other option will be ignored. For example, if the version("v2c") engine-id("0xABABABABAB") community("mycommunity") options are set, syslog-ng OSE will accept every option, but process only the community() option, because engine-id() applies only to SNMPv3. |
Although syslog-ng OSE currently does not have any built-in integration with Splunk, the existing message-formatting features and flexibility of syslog-ng OSE allows you to forward your log messages to Splunk. In syslog-ng OSE version
For details on forwarding log messages to Splunk with syslog-ng OSE see the following posts on the Splunk blog:
Note that the syslog-ng Premium Edition application has a dedicated Splunk destination. For details, see splunk-hec: Sending messages to Splunk HTTP Event Collector.
The sql() driver sends messages into an SQL database. Currently the Microsoft SQL (MSSQL), MySQL, Oracle, PostgreSQL, and SQLite databases are supported.
sql(database_type host_parameters database_parameters [options]);
The sql() driver has the following required parameters: type(), database(), table(), columns(), and values().
|
Caution:
The syslog-ng application requires read and write access to the SQL table, otherwise it cannot verify that the destination table exists. Currently the syslog-ng application has default schemas for the different databases and uses these defaults if the database schema (for example columns and column types) is not defined in the configuration file. However, these schemas will be deprecated and specifying the exact database schema will be required in later versions of syslog-ng. |
|
NOTE:
In addition to the standard syslog-ng packages, the sql() destination requires database-specific packages to be installed. These packages are automatically installed by the binary syslog-ng installer. |
The table and value parameters can include macros to create tables and columns dynamically (for details, see Macros of syslog-ng OSE).
|
Caution:
When using macros in table names, note that some databases limit the maximum allowed length of table names. Consult the documentation of the database for details. |
Inserting the records into the database is performed by a separate thread. The syslog-ng application automatically performs the escaping required to insert the messages into the database.
The following example sends the log messages into a PostgreSQL database running on the logserver host. The messages are inserted into the logs database, the name of the table includes the exact date and the name of the host sending the messages. The syslog-ng application automatically creates the required tables and columns, if the user account used to connect to the database has the required privileges.
destination d_sql { sql(type(pgsql) host("logserver") username("syslog-ng") password("password") database("logs") table("messages_${HOST}_${R_YEAR}${R_MONTH}${R_DAY}") columns("datetime", "host", "program", "pid", "message") values("{$R_DATE}", "${HOST}", "${PROGRAM}", "${PID}", "${MSGONLY}") indexes("datetime", "host", "program", "pid", "message")); };
The following example specifies the type of the database columns as well:
destination d_sql { sql(type(pgsql) host("logserver") username("syslog-ng") password("password") database("logs") table("messages_${HOST}_${R_YEAR}${R_MONTH}${R_DAY}") columns("datetime varchar(16)", "host varchar(32)", "program varchar(20)", "pid varchar(8)", "message varchar(200)") values("${R_DATE}", "${HOST}", "${PROGRAM}", "${PID}", "${MSGONLY}") indexes("datetime", "host", "program", "pid", "message")); };
The Oracle sql destination has some special aspects that are important to note.
The hostname of the database server is set in the tnsnames.ora file, not in the host parameter of the sql() destination.
If the tnsnames.ora file is not located in the /etc directory (or in the /var/opt/oracle directory on Solaris), set the following Oracle-related environment variables, so syslog-ng OSE will find the file: ORACLE_BASE, ORACLE_HOME, and ORACLE_SID. For details, see the documentation of the Oracle Instant Client.
You cannot use the same database() settings in more than one destination, because the database() option of the SQL driver is just a reference to the connection string of the tnsnames.ora file. To overcome this problem, you can duplicate the connections in the tnsnames.ora file under a different name, and use a different table in each Oracle destination in syslog-ng OSE.
As certain database versions limit the maximum length of table names, macros in the table names should be used with care.
In the current version of syslog-ng OSE, the types of database columns must be explicitly set for the Oracle destination. The column used to store the text part of the syslog messages should be able to store messages as long as the longest message permitted by syslog-ng, therefore it is usually recommended to use the varchar2 or clob column type. (The maximum length of the messages can be set using the log-msg-size() option.) For details, see the following example.
The Oracle Instant Client used by syslog-ng OSE supports only the following character sets:
Single-byte character sets: US7ASCII, WE8DEC, WE8MSWIN1252, and WE8ISO8859P1
Unicode character sets: UTF8, AL16UTF16, and AL32UTF8
The following example sends the log messages into an Oracle database running on the logserver host, which must be set in the /etc/tnsnames.ora file. The messages are inserted into the LOGS database, the name of the table includes the exact date when the messages were sent. The syslog-ng application automatically creates the required tables and columns, if the user account used to connect to the database has the required privileges.
destination d_sql { sql(type(oracle) username("syslog-ng") password("password") database("LOGS") table("msgs_${R_YEAR}${R_MONTH}${R_DAY}") columns("datetime varchar(16)", "host varchar(32)", "program varchar(32)", "pid varchar(8)", "message varchar2") values("${R_DATE}", "${HOST}", "${PROGRAM}", "${PID}", "${MSGONLY}") indexes("datetime", "host", "program", "pid", "message")); };
The Oracle Instant Client retrieves the address of the database server from the /etc/tnsnames.ora file. Edit or create this file as needed for your configuration. A sample is provided below.
LOGS = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP) (HOST = logserver) (PORT = 1521)) ) (CONNECT_DATA = (SERVICE_NAME = EXAMPLE.SERVICE) ) )
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center