The nodejs() driver has the following options.
hook-commands()
Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.
NOTE: The syslog-ng OSE application must be able to start and restart the external program, and have the necessary permissions to do so. For example, if your host is running AppArmor or SELinux, you might have to modify your AppArmor or SELinux configuration to enable syslog-ng OSE to execute external applications.
Using the hook-commands() when syslog-ng OSE starts or stops
To execute an external program when syslog-ng OSE starts or stops, use the following options:
startup() |
Type: |
string |
Default: |
N/A |
Description: Defines the external program that is executed as syslog-ng OSE starts. |
shutdown() |
Type: |
string |
Default: |
N/A |
Description: Defines the external program that is executed as syslog-ng OSE stops. |
Using the hook-commands() when syslog-ng OSE reloads
To execute an external program when the syslog-ng OSE configuration is initiated or torn down, for example, on startup/shutdown or during a syslog-ng OSE reload, use the following options:
setup() |
Type: |
string |
Default: |
N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is initiated, for example, on startup or during a syslog-ng OSE reload. |
teardown() |
Type: |
string |
Default: |
N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is stopped or torn down, for example, on shutdown or during a syslog-ng OSE reload. |
Example: Using the hook-commands() with a network source
In the following example, the hook-commands() is used with the network() driver and it opens an iptables port automatically as syslog-ng OSE is started/stopped.
The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the syslog-ng OSE created rule is there, packets can flow, otherwise the port is closed.
source {
network(transport(udp)
hook-commands(
startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT")
shutdown("iptables -D LOGCHAIN 1")
)
);
};
ip() or localip()
Type: |
string |
Default: |
0.0.0.0 |
Description: The IP address to bind to. By default, syslog-ng OSE listens on every available interface. Note that this is not the address where messages are accepted from.
If you specify a multicast bind address and use the udp transport, syslog-ng OSE automatically joins the necessary multicast group. TCP does not support multicasting.
port() or localport()
Type: |
number |
Default: |
9003 |
Description: The port number to bind to.
Using the mbox() driver, syslog-ng OSE can read email messages from local mbox files, and convert them to multiline log messages.
This driver has only one required option, the filename of the mbox file. To use the mbox() driver, the scl.conf file must be included in your syslog-ng OSE configuration:
@include "scl.conf"
The mbox() driver is actually a reusable configuration snippet configured to read log messages using the file() driver. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of the configuration snippet on GitHub.
Example: Using the mbox() driver
The following example reads the emails of the root user on the syslog-ng OSE host.
@include "scl.conf"
source root-mbox {
mbox("/var/spool/mail/root");
};
The mbox() driver has the following option.
hook-commands()
Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.
NOTE: The syslog-ng OSE application must be able to start and restart the external program, and have the necessary permissions to do so. For example, if your host is running AppArmor or SELinux, you might have to modify your AppArmor or SELinux configuration to enable syslog-ng OSE to execute external applications.
Using the hook-commands() when syslog-ng OSE starts or stops
To execute an external program when syslog-ng OSE starts or stops, use the following options:
startup() |
Type: |
string |
Default: |
N/A |
Description: Defines the external program that is executed as syslog-ng OSE starts. |
shutdown() |
Type: |
string |
Default: |
N/A |
Description: Defines the external program that is executed as syslog-ng OSE stops. |
Using the hook-commands() when syslog-ng OSE reloads
To execute an external program when the syslog-ng OSE configuration is initiated or torn down, for example, on startup/shutdown or during a syslog-ng OSE reload, use the following options:
setup() |
Type: |
string |
Default: |
N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is initiated, for example, on startup or during a syslog-ng OSE reload. |
teardown() |
Type: |
string |
Default: |
N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is stopped or torn down, for example, on shutdown or during a syslog-ng OSE reload. |
Example: Using the hook-commands() with a network source
In the following example, the hook-commands() is used with the network() driver and it opens an iptables port automatically as syslog-ng OSE is started/stopped.
The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the syslog-ng OSE created rule is there, packets can flow, otherwise the port is closed.
source {
network(transport(udp)
hook-commands(
startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT")
shutdown("iptables -D LOGCHAIN 1")
)
);
};
The osquery application allows you to ask questions about your machine using an SQL-like language. For example, you can query running processes, logged in users, installed packages and syslog messages as well. You can make queries on demand, and also schedule them to run regularly.
The osquery() source of syslog-ng OSE allows you read the results of periodical osquery queries (from the /var/log/osquery/osqueryd.results.log file) and automatically parse the messages (if you want to use syslog-ng OSE to send log messages to osquery, read this blogpost). For example, you can:
-
Create filters from the fields of the messages.
-
Limit which fields to store, or create additional fields (combine multiple fields into one field, and so on).
-
Send the messages to a central location, for example, to Elasticsearch, directly from syslog-ng OSE.
The syslog-ng OSE application automatically adds the .osquery. prefix to the name of the fields the extracted from the message.
The osquery() source is available in syslog-ng OSE version 3.10 and later.
Prerequisites:
-
To use the osquery() driver, the scl.conf file must be included in your syslog-ng OSE configuration:
@include "scl.conf"
-
syslog-ng OSE must be compiled with JSON-support enabled.
The osquery() driver is actually a reusable configuration snippet configured to read the osquery log file using the file() driver, and process its JSON contents. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of this configuration snippet on GitHub.
Example: Using the osquery() driver with the default settings
The following syslog-ng OSE configuration sample uses the default settings of the driver, reading osquery result logs from the /var/log/osquery/osqueryd.results.log file, and writes the log messages generated from the traps into a file.
@version: 3.10
@include "scl.conf"
source s_osquery {
osquery();
};
log {
source(s_osquery);
destination {
file("/var/log/example.log");
};
};
Filter for messages related to loading Linux kernel modules:
@version: 3.10
@include "scl.conf"
source s_osquery {
osquery();
};
log {
source(s_osquery);
filter f_modules {
"${.osquery.name}" eq "pack_incident-response_kernel_modules"
};
destination {
file("/var/log/example.log");
};
};
Example: Using the osquery() driver with custom configuration
The following syslog-ng OSE configuration sample reads osquery result logs from the /tmp/osquery_input.log file, and writes the log messages generated from the traps into a file. Using the format-json template, the outgoing message will be a well-formed JSON message.
Input message:
{"name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"testhost","calendarTime":"Fri Jul 21 10:04:41 2017 UTC","unixTime":"1500631481","decorations":{"host_uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332","username":"myuser"},"columns":{"build_distro":"xenial","build_platform":"ubuntu","config_hash":"43cd1c6a7d0c283e21e026a53e619b2e582e94ee","config_valid":"1","counter":"4","extensions":"active","instance_id":"d0c3eb0d-f8e0-4bea-868b-18a2c61b438d","pid":"19764","resident_size":"26416000","start_time":"1500629552","system_time":"223","user_time":"476","uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332","version":"2.5.0","watcher":"19762"},"action":"added"}
syslog-ng OSE configuration:
@version: 3.10
@include "scl.conf"
source s_osquery {
osquery(
file(/tmp/osquery_input.log)
prefix(.osquery.)
);
};
destination d_file {
file(
"/tmp/output.txt"
template("$(format_json --key .osquery.*)\n")
);
};
log {
source(s_osquery);
destination(d_file);
flags(flow-control);
};
Outgoing message:
Outgoing message; message='{"_osquery":{"unixTime":"1500631481","name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"testhost","decorations":{"username":"myuser","host_uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332"},"columns":{"watcher":"19762","version":"2.5.0","uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332","user_time":"476","system_time":"223","start_time":"1500629552","resident_size":"26416000","pid":"19764","instance_id":"d0c3eb0d-f8e0-4bea-868b-18a2c61b438d","extensions":"active","counter":"4","config_valid":"1","config_hash":"43cd1c6a7d0c283e21e026a53e619b2e582e94ee","build_platform":"ubuntu","build_distro":"xenial"},"calendarTime":"Fri Jul 21 10:04:41 2017 UTC","action":"added"}}\x0a'
To configure a destination to send the log messages to Elasticsearch, see elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED). For other destinations, see destination: Forward, send, and store log messages.