Chat now with support
Chat with Support

syslog-ng Premium Edition 7.0.33 - Administration Guide

Preface Introduction to syslog-ng The concepts of syslog-ng Installing syslog-ng PE The syslog-ng PE quick-start guide The syslog-ng PE configuration file Collecting log messages — sources and source drivers
How sources work default-network-drivers: Receive and parse common syslog messages internal: Collecting internal messages file: Collecting messages from text files google-pubsub: collecting messages from the Google Pub/Sub messaging service wildcard-file: Collecting messages from multiple text files linux-audit: Collecting messages from Linux audit logs mssql, oracle, sql: collecting messages from an SQL database network: Collecting messages using the RFC3164 protocol (network() driver) office365: Fetching logs from Office 365 osquery: Collect and parse osquery result logs pipe: Collecting messages from named pipes program: Receiving messages from external applications python: writing server-style Python sources python-fetcher: writing fetcher-style Python sources snmptrap: Read Net-SNMP traps syslog: Collecting messages using the IETF syslog protocol (syslog() driver) system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage systemd-syslog: Collecting systemd messages using a socket tcp, tcp6,udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol udp-balancer: Receiving UDP messages at very high rate unix-stream, unix-dgram: Collecting messages from UNIX domain sockets windowsevent: Collecting Windows event logs
Sending and storing log messages — destinations and destination drivers
elasticsearch2>: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED) elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector file: Storing messages in plain-text files google_pubsub(): Sending logs to the Google Cloud Pub/Sub messaging service google_pubsub-managedaccount(): Sending logs to the Google Cloud Pub/Sub messaging service authenticated by Google Cloud managed service account hdfs: Storing messages on the Hadoop Distributed File System (HDFS) http: Posting messages over HTTP kafka(): Publishing messages to Apache Kafka (Java implementation) (DEPRECATED) kafka-c(): Publishing messages to Apache Kafka using the librdkafka client (C implementation) logstore: Storing messages in encrypted files mongodb: Storing messages in a MongoDB database network: Sending messages to a remote log server using the RFC3164 protocol (network() driver) pipe: Sending messages to named pipes program: Sending messages to external applications python: writing custom Python destinations sentinel(): Sending logs to the Microsoft Azure Sentinel cloud snmp: Sending SNMP traps smtp: Generating SMTP messages (email) from logs splunk-hec: Sending messages to Splunk HTTP Event Collector sql(): Storing messages in an SQL database stackdriver: Sending logs to the Google Stackdriver cloud syslog: Sending messages to a remote logserver using the IETF-syslog protocol syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers) unix-stream, unix-dgram: Sending messages to UNIX domain sockets usertty: Sending messages to a user terminal — usertty() destination Client-side failover
Routing messages: log paths, flags, and filters Global options of syslog-ng PE TLS-encrypted message transfer Advanced Log Transport Protocol Reliability and minimizing the loss of log messages Manipulating messages parser: Parse and segment structured messages Processing message content with a pattern database Correlating log messages Enriching log messages with external data Monitoring statistics and metrics of syslog-ng Multithreading and scaling in syslog-ng PE Troubleshooting syslog-ng Best practices and examples The syslog-ng manual pages Glossary

office365: Fetching logs from Office 365

Starting with syslog-ng PE version 7.0.17, you can fetch logs from your Office 365 account using the Office 365 Management Activity API.

The syslog-ng PE application supports every content type of the Management Activity API using a corresponding source driver:

  • Audit.AzureActiveDirectory: office365-azure-active-directory()

  • Audit.Exchange: office365-exchange()

  • Audit.General: office365-general()

  • Audit.SharePoint: office365-sharepoint()

  • DLP.All: office365-dlp()

Limitations
  • In some cases, the logs will appear only 24-48 hours after successfully configuring syslog-ng PE and Office 365.

  • Due to the distributed nature of the Office 365 log management architecture, there is a synchronization interval in the Office 365 Management Activity API. During this interval, the messages returned to queries can be inconsistent. To avoid this synchronization window, syslog-ng PE does not fetch the logs in real-time, only 15 minutes after the message becomes available in the management API. This means that there is a 15-minute latency between the logs available in the Office 365 Management Activity API and syslog-ng PE.

Declaration
source s_office365 {
    office365-<content-type>(
        tenant_id('tenant-id')
        client_id('client-id')
        client_secret('client-secret')
    );
};
Example: Fetching Azure Active Directory logs from Office 365

The following example configuration fetches logs from and Audit.AzureActiveDirectory subscription using the office365-azure-active-directory() source driver.

@version: 7.0
@include "scl.conf"

source s_o365_ad {
    office365-azure-active-directory(
        tenant_id('tenant-id')
        client_id('client-id')
        client_secret('client-secret')
    );
};

destination d_file { file("/tmp/o365_ad_out.log"); };

log {
    source(s_o365_ad);
    destination(d_file);
    flags(flow-control);
};

Configuring Office 365 to permit fetching logs

This procedure summarizes how to configure Office 365 to permit syslog-ng Premium Edition (syslog-ng PE) to fetch log messages using the Office 365 Management Activity API.

Prerequisites
  • A valid Office 365 account (for example: Azure Active Directory Premium P2).

  • Administrator permissions to the Office 365 account.

  • Content subscription must be enabled for the content types you want to fetch logs from.

  • syslog-ng Premium Edition version 7.0.15 or later.

  1. The syslog-ng PE application communicates with the Management Activity API through a service app registered in Azure. Complete the following steps to register a service app. For details on registering an app, see the Office 365 documentation.

    1. Login to https://portal.azure.com.

    2. Register a new web application (for example, syslog-service-app).

    3. Grant all application permissions and delegated permissions to the created app.

    4. Create secret (password) for the app. Record the password somewhere, as you will need it later to configure syslog-ng PE. If you set an expiration to the password, make sure to renew the password and update it in your syslog-ng PE configuration file before it expires.

    5. Alternatively: Add your client's certificate to the app's Certificates. Make sure to renew the certificate and update your syslog-ng PE configuration before the certificate expires.

      NOTE: Key and certificate pairs generated with client_server_auth extension do not work in certificate based authentication.

    6. In the authentication settings of the new app, enable Access Tokens.

  2. Enabling audit logging in Office 365. Note that your user must have an administrator permissions to enable audit logging. For details on enabling audit logging, see the Office 365 documentation. If you have problems enabling audit logging, see Troubleshooting audit logging in Office 365

  3. Start content subscriptions for the content types you want to fetch logs from using the following command. The office365subscriptiontool utility is automatically installed with syslog-ng PE version 7.0.15 and newer.

    %syslog-ng-installation-directory%/bin/office365subscriptiontool start --tenant-id=[your tenant-id] --client-id=[your client-id] --client-secret=[your client-secret in escaped format] --content-type=[content-type-to-fetch-logs-from]

    Note that special characters (for example, ?/*+!$) in the client secret must be escaped (according to the rules of escaping in bash/shell) when starting the content subscription.

    Here's an example for office365subscriptiontool utility in case of using certificate and key pair to authenticate instead of client secret:

    %syslog-ng-installation-directory%/bin/office365subscriptiontool start --tenant-id=[your tenant-id] --client-id=[your client-id] --client-key=[path to the client's private key] --client-cert=[path to the cert added to the service app] --content-type=[content-type-to-fetch-logs-from]

    In your syslog-ng PE configuration, you will have to use the source driver matching the content type of the content subscription. For example, use the office365-azure-active-directory() driver for the Audit.AzureActiveDirectory content type.

    Repeat this step for every content type you want to fetch logs from.

    NOTE: When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription.

office365() source options

The office365() drivers have the following options. The tenant-id(), client-id(), and client-secret() option is required, the others are optional.

client-id()
Type: string
Default:

Description: The ID of the service app. For details, see Configuring Office 365 to permit fetching logs.

client-secret()
Type: string
Default:

Description: The password of the service app. For details, see Configuring Office 365 to permit fetching logs.

If you set an expiration to the password, make sure to renew the password and update it in your syslog-ng PE configuration file before it expires.

NOTE: client-secret() and client-cert(), client-key() options are mutually exclusive, only one is accepted in the same source configuration.

client-cert()
Type: string
Default:

Description: The path to the certificate added to the service app. For details, see Configuring Office 365 to permit fetching logs.

Make sure to renew the certificate and update your syslog-ng PE configuration before the certificate expires.

NOTE: client-cert() and client-key() are both mandatory in case of certificate based authentication.

client-key()
Type: string
Default:

Description: The path to the private key belonging to the certificate which was added to the service app. For details, see Configuring Office 365 to permit fetching logs.

NOTE: client-cert() and client-key() are both mandatory in case of certificate based authentication.

fetch-no-data-delay()
Type: real number [seconds]
Default:

The value of time-reopen()

Description: When there are no messages available in a poll event, the Office 365 Management Activity API waits fetch-no-data-delay() seconds before the next poll.

NOTE: You can set the fetch-no-data-delay() value to fractions, for example:

fetch-no-data-delay(0.5)
persist-name()
Type: string
Default:

None

Description:If you receive the following error message during syslog-ng PE startup, set the persist-name() option of the duplicate drivers:

Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.

This error occurs if you use identical drivers in multiple sources, for example, if you configure two file sources to read from the same file. In this case, set the persist-name() of the drivers to a custom string, for example, persist-name("example-persist-name1").

tenant-id()
Type: string
Default:

Description: The ID of the Tenant that the Office 365 account belongs to.

time-reopen()
Accepted values: number [seconds]
Default: 60

Description: The time to wait in seconds before a dead connection is reestablished.

By default, this option uses the value set in the time-reopen() global option.

Troubleshooting audit logging in Office 365

If you have trouble with enabling audit logging in Office 365, complete the following steps.

  1. Login to https://protection.office.com/.

  2. Verify that the Search > Audit log search context is active. If it is not, execute the following commands from PowerShell:

    $ $UserCredential = Get-Credential
    # use your Azure account
    $ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    $ Import-PSSession $Session -DisableNameChecking
    $ Enable-OrganizationCustomization
    # Wait 4 hours
    $ Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Wait 1 hour
    $ Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
    # Wait 1 hour
    $ Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Wait 1 hour
  3. Login to https://protection.office.com/ and check if there are audit logs under Search > Audit log search. Note that in some cases, the logs will appear only after 24-48 hours.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating