지금 지원 담당자와 채팅
지원 담당자와 채팅

syslog-ng Premium Edition 7.0.29 - Administration Guide

Preface Introduction to syslog-ng The concepts of syslog-ng Installing syslog-ng PE The syslog-ng PE quick-start guide The syslog-ng PE configuration file Collecting log messages — sources and source drivers
How sources work default-network-drivers: Receive and parse common syslog messages internal: Collecting internal messages file: Collecting messages from text files google-pubsub: collecting messages from the Google Pub/Sub messaging service wildcard-file: Collecting messages from multiple text files linux-audit: Collecting messages from Linux audit logs mssql, oracle, sql: collecting messages from an SQL database network: Collecting messages using the RFC3164 protocol (network() driver) office365: Fetching logs from Office 365 osquery: Collect and parse osquery result logs pipe: Collecting messages from named pipes program: Receiving messages from external applications python: writing server-style Python sources python-fetcher: writing fetcher-style Python sources snmptrap: Read Net-SNMP traps syslog: Collecting messages using the IETF syslog protocol (syslog() driver) system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage systemd-syslog: Collecting systemd messages using a socket tcp, tcp6, udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol udp-balancer: Receiving UDP messages at very high rate unix-stream, unix-dgram: Collecting messages from UNIX domain sockets windowsevent: Collecting Windows event logs
Sending and storing log messages — destinations and destination drivers
elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED) elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector file: Storing messages in plain-text files google_pubsub(): Sending logs to the Google Cloud Pub/Sub messaging service hdfs: Storing messages on the Hadoop Distributed File System (HDFS) http: Posting messages over HTTP without Java kafka(): Publishing messages to Apache Kafka (Java implementation) (DEPRECATED) kafka-c(): Publishing messages to Apache Kafka using the librdkafka client (C implementation) logstore: Storing messages in encrypted files mongodb: Storing messages in a MongoDB database network: Sending messages to a remote log server using the RFC3164 protocol (network() driver) pipe: Sending messages to named pipes program: Sending messages to external applications python: writing custom Python destinations sentinel(): Sending logs to the Microsoft Azure Sentinel cloud snmp: Sending SNMP traps smtp: Generating SMTP messages (email) from logs splunk-hec: Sending messages to Splunk HTTP Event Collector sql(): Storing messages in an SQL database stackdriver: Sending logs to the Google Stackdriver cloud syslog: Sending messages to a remote logserver using the IETF-syslog protocol syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers) unix-stream, unix-dgram: Sending messages to UNIX domain sockets usertty: Sending messages to a user terminal — usertty() destination Client-side failover
Routing messages: log paths, flags, and filters Global options of syslog-ng PE TLS-encrypted message transfer Advanced Log Transfer Protocol Reliability and minimizing the loss of log messages Manipulating messages parser: Parse and segment structured messages Processing message content with a pattern database Correlating log messages Enriching log messages with external data Monitoring statistics and metrics of syslog-ng Multithreading and scaling in syslog-ng PE Troubleshooting syslog-ng Best practices and examples The syslog-ng manual pages Glossary

Proxy Protocol: configuration and output examples

This section provides information about enabling Proxy Protocol support in your network() source options, and an example configuration and output to illustrate how the Proxy Protocol method works in syslog-ng Premium Edition (syslog-ng PE).

For more information about the working mechanism of the Proxy Protocol, see The working mechanism behind the Proxy Protocol.

Enabling Proxy Protocol support for your network() source options

Unless you enable Proxy Protocol support for your network() source, syslog-ng PE identifies every connection that is connected to the load balancers identically by default, regardless of the source IP or the source protocol.

To enable Proxy Protocol for your network() source, set the transport() parameter of your network() source to proxied_tcp or proxied_tls, depending on your preference and configuration.

When you enable Proxy Protocol support for your network() source, you can use the following configuration example with your syslog-ng PE application.

Configuration

The following code sample illustrates how you can use the Proxy Protocol in your syslog-ng PE configuration (using the transport() parameter set to proxied_tls).

@version: 3.30

source s_tcp_pp {
  network (
    port(6666)
    transport("proxied_tls")
    tls(
        key-file("/certs/certs/server/server.rsa")
        cert-file("/certs/certs/server/server.crt")
        ca-dir("/certs/certs/CA")
        peer-verify("required-trusted")
    )
  );
};

destination d_file {
  file("/var/log/proxy-proto.log" template("$(format-json --scope nv-pairs)\n"));
};

log {
  source(s_tcp_pp);
  destination(d_file);
};

With this configuration, the Proxy Protocol method will perform injecting the information of the original connection into the forwarded TCP session, based on the working mechanism described in The working mechanism behind the Proxy Protocol.

The following example illustrates how the parsed macros will appear in the output.

Example: Output for the PROXY TCP4 192.168.1.1 10.10.0.1 1111 2222 input header

With the PROXY TCP4 192.168.1.1 10.10.0.1 1111 2222 input header, the output looks like this:

{"SOURCE":"s_tcp_pp","PROXIED_SRCPORT":"1111","PROXIED_SRCIP":"192.168.1.1","PROXIED_IP_VERSION":"4","PROXIED_DSTPORT":"2222","PROXIED_DSTIP":"10.10.0.1","PROGRAM":"TestMsg","MESSAGE":"","LEGACY_MSGHDR":"TestMsg","HOST_FROM":"localhost","HOST":"localhost"}

Note that the macros that syslog-ng PE adds to the message appear in the output.

office365: Fetching logs from Office 365

Starting with syslog-ng PE version 7.0.17, you can fetch logs from your Office 365 account using the Office 365 Management Activity API.

The syslog-ng PE application supports every content type of the Management Activity API using a corresponding source driver:

  • Audit.AzureActiveDirectory: office365-azure-active-directory()

  • Audit.Exchange: office365-exchange()

  • Audit.General: office365-general()

  • Audit.SharePoint: office365-sharepoint()

  • DLP.All: office365-dlp()

Limitations

  • In some cases, the logs will appear only 24-48 hours after successfully configuring syslog-ng PE and Office 365.

  • Due to the distributed nature of the Office 365 log management architecture, there is a synchronization interval in the Office 365 Management Activity API. During this interval, the messages returned to queries can be inconsistent. To avoid this synchronization window, syslog-ng PE does not fetch the logs in real-time, only 15 minutes after the message becomes available in the management API. This means that there is a 15-minute latency between the logs available in the Office 365 Management Activity API and syslog-ng PE.

Declaration
source s_office365 {
    office365-<content-type>(
        tenant_id('tenant-id')
        client_id('client-id')
        client_secret('client-secret')
    );
};
Example: Fetching Azure Active Directory logs from Office 365

The following example configuration fetches logs from and Audit.AzureActiveDirectory subscription using the office365-azure-active-directory() source driver.

@version: 7.0
@include "scl.conf"

source s_o365_ad {
    office365-azure-active-directory(
        tenant_id('tenant-id')
        client_id('client-id')
        client_secret('client-secret')
    );
};

destination d_file { file("/tmp/o365_ad_out.log"); };

log {
    source(s_o365_ad);
    destination(d_file);
    flags(flow-control);
};

Configuring Office 365 to permit fetching logs

This procedure summarizes how to configure Office 365 to permit syslog-ng Premium Edition (syslog-ng PE) to fetch log messages using the Office 365 Management Activity API.

Prerequisites

  • A valid Office 365 account (for example: Azure Active Directory Premium P2).

  • Administrator permissions to the Office 365 account.

  • Content subscription must be enabled for the content types you want to fetch logs from.

  • syslog-ng Premium Edition version 7.0.15 or later.

  1. The syslog-ng PE application communicates with the Management Activity API through a service app registered in Azure. Complete the following steps to register a service app. For details on registering an app, see the Office 365 documentation.

    1. Login to https://portal.azure.com.

    2. Register a new web application (for example, syslog-service-app).

    3. Grant all application permissions and delegated permissions to the created app.

    4. Create secret (password) for the app. Record the password somewhere, as you will need it later to configure syslog-ng PE. If you set an expiration to the password, make sure to renew the password and update it in your syslog-ng PE configuration file before it expires.

    5. In the authentication settings of the new app, enable Access Tokens.

  2. Enabling audit logging in Office 365. Note that your user must have an administrator permissions to enable audit logging. For details on enabling audit logging, see the Office 365 documentation. If you have problems enabling audit logging, see Troubleshooting audit logging in Office 365

  3. Start content subscriptions for the content types you want to fetch logs from using the following command. The office365subscriptiontool utility is automatically installed with syslog-ng PE version 7.0.15 and newer.

    %syslog-ng-installation-directory%/bin/office365subscriptiontool start --tenant-id=[your tenant-id] --client-id=[your client-id] --client-secret=[your client-secret in escaped format] --content-type=[content-type-to-fetch-logs-from]

    Note that special characters (for example, ?/*+!$) in the client secret must be escaped (according to the rules of escaping in bash/shell) when starting the content subscription.

    In your syslog-ng PE configuration, you will have to use the source driver matching the content type of the content subscription. For example, use the office365-azure-active-directory() driver for the Audit.AzureActiveDirectory content type.

    Repeat this step for every content type you want to fetch logs from.

    NOTE: When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription.

office365() source options

The office365() drivers have the following options. The tenant-id(), client-id(), and client-secret() option is required, the others are optional.

client-id()
Type: string
Default:

Description: The ID of the service app. For details, see Configuring Office 365 to permit fetching logs.

client-secret()
Type: string
Default:

Description: The password of the service app. For details, see Configuring Office 365 to permit fetching logs.

If you set an expiration to the password, make sure to renew the password and update it in your syslog-ng PE configuration file before it expires.

fetch-no-data-delay()
Type: real number [seconds]
Default:

The value of time-reopen()

Description: When there are no messages available in a poll event, the Office 365 Management Activity API waits fetch-no-data-delay() seconds before the next poll.

NOTE: You can set the fetch-no-data-delay() value to fractions, for example:

fetch-no-data-delay(0.5)
persist-name()
Type: string
Default:

None

Description:If you receive the following error message during syslog-ng PE startup, set the persist-name() option of the duplicate drivers:

Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.

This error occurs if you use identical drivers in multiple sources, for example, if you configure two file sources to read from the same file. In this case, set the persist-name() of the drivers to a custom string, for example, persist-name("example-persist-name1").

tenant-id()
Type: string
Default:

Description: The ID of the Tenant that the Office 365 account belongs to.

time-reopen()
Accepted values: number [seconds]
Default: 60

Description: The time to wait in seconds before a dead connection is reestablished.

By default, this option uses the value set in the time-reopen() global option.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택