Chat now with support
Chat with Support

syslog-ng Premium Edition 6.0.17 - Administration Guide

Preface Chapter 1. Introduction to syslog-ng Chapter 2. The concepts of syslog-ng Chapter 3. Installing syslog-ng Chapter 4. The syslog-ng PE quick-start guide Chapter 5. The syslog-ng PE configuration file Chapter 6. Collecting log messages — sources and source drivers Chapter 7. Sending and storing log messages — destinations and destination drivers Chapter 8. Routing messages: log paths, reliability, and filters Chapter 9. Global options of syslog-ng PE Chapter 10. TLS-encrypted message transfer Chapter 11. FIPS-compliant syslog-ng Chapter 12.  Reliable Log Transfer Protocol™ Chapter 13. Reliability and minimizing the loss of log messages Chapter 14. Manipulating messages Chapter 15. Parsing and segmenting structured messages Chapter 16. Processing message content with a pattern database Chapter 17. Statistics and metrics of syslog-ng Chapter 18. Multithreading and scaling in syslog-ng PE Chapter 19. Troubleshooting syslog-ng Chapter 20. Best practices and examples

lgstool

Name

lgstool — Inspect and validate the binary log files (logstores) created with syslog-ng Premium Edition

Synopsis

lgstool [command] [options]

Description

NOTE: The lgstool application is distributed with the syslog-ng Premium Edition system logging application, and is usually part of the syslog-ng package. The latest version of the syslog-ng application is available at the syslog-ng page. The lgstool utility is available for Microsoft Windows operating systems at the syslog-ng Downloads page.

This manual page is only an abstract, for the complete documentation of syslog-ng, see the syslog-ng Documentation page.

The lgstool application is a utility that can be used to:

  • Display and format the messages stored in logstore files

  • Display the record structure of logstore files

  • Process log messages from orphaned journal files and write them into logstore files

  • Follow (tail) messages arriving to a logstore file real-time

  • Validate the digital signature and timestamp of encrypted logstore files

Note that in the Windows-version of lgstool the recover option is not available and the functionality of the tail option is limited.

The cat command

cat [options] [file]

Use the cat command to display the log messages stored in the logstore file. Log messages available in the journal file of the logstore (but not yet written to the logstore file itself) are displayed as well. The messages are printed to the standard output (stdout), so it is possible to use grep and other tools to find particular log messages, e.g., lgstool cat /var/log/messages.lgs |grep 192.168.1.1. Note that can also follow logstore files — for details on this feature, see the section called “The tail command”.

The cat command has the following options:

--debug or -d

Print diagnostic and debugging messages to stderr.

--filter<expression> or -i

Only print messages matching the specified syslog-ng PE filter. All possible macros, regular expressions and logical expressions can be specified in a filter.

Example A.1. lgstool cat filter

lgstool cat  -t 'host: ${HOST} program: ${PROGRAM} msg: ${MSG}\n' --filter='program("prg0000[0]")' /tmp/logstore-serialized.lgs

--help or -h

Display a brief help message.

--key=<keyfile> or -k

Use the specified private key to decrypt encrypted logstore files.

--seek=<ID> or -s

Display only messages newer than the message specified.

--template=<template> or -t

Format the messages using the specified template.

--verbose or -v

Print verbose messages to stderr.

--version or -V

Display version information.

Example:

lgstool cat --key=mykey.pem mylogstore.lgs

The inspect command

inspect [options] [file]

Use the inspect command to display structure of the logstore file. The following information is displayed:

  • cipher: The cipher algorithm used to encrypt the logstore file.

  • digest: The digest (hash) algorithm used.

  • encrypt: TRUE if the logstore file is encrypted.

  • compress: TRUE if the logstore file is compressed.

  • hmac: TRUE if the logstore file includes HMAC (Hash-based Message Authentication Code) information for the chunks.

  • chunk_mac: The MAC (Message Authentication Code) of the chunk.

  • file_mac: The MAC (Message Authentication Code) of the chunk.

For timestamped logstore files, the following information is also displayed:

  • chunk_id: The ID of the chunk.

  • Version: The version of the logstore file format used.

  • Policy OID: The OID of the timestamping policy used in the timestamping request.

  • Hash Algorithm: The digest (hash) algorithm used to create the hash of the chunk.

  • Serial number: The serial number of the timestamp.

  • Timestamp: The date when the Timestamping Authority timestamped the chunk.

  • Accuracy: The accuracy of the timestamp.

  • Ordering: Indicates the status of the ordering field in the timestamping request.

  • Nonce: The nonce (a large random number with a high probability that it is generated by the client only once) included in the timestamping request (if any).

  • TSA: The Distinguished Name (DN) of the Timestamping Authority.

The inspect command has the following options:

--debug or -d

Print diagnostic and debugging messages to stderr.

--help or -h

Display a brief help message.

--key=<keyfile> or -k

Use the specified private key to decrypt encrypted logstore files.

--verbose or -v

Print verbose messages to stderr.

--version or -V

Display version information.

Example:

lgstool inspect --key=mykey.pem mylogstore.lgs

A sample output looks like this:

XFRM_INFO @941
    cipher: aes-128-cbc
    digest: sha1
CHUNK 0@1079: [1 - 1000]:
    encrypt: TRUE
    compress: TRUE
    hmac: TRUE
    chunk_mac: e4d5d813979cf865d5ae4624f7aa98047123cd52
    file_mac: 6600600ca5befb002a73b15be8f0ac04973d5936
TIMESTAMP @36481:
    chunk_id: 0
    Status info:
    Status: Granted.
    Status description: unspecified
    Failure info: unspecified
    TST info:
    Version: 1
    Policy OID: 1.2.3.4
    Hash Algorithm: sha1
    Message data:
        0000 - 66 00 60 0c a5 be fb 00-2a 73 b1 5b e8 f0 ac 04 f.`.....*s.[....
        0010 - 97 3d 59 36                                       .=Y6
    Serial number: 0x029A
    Time stamp: Mar 19 13:48:57 2010 GMT
    Accuracy: 0x01 seconds, 0x01F4 millis, 0x64 micros
    Ordering: no
    Nonce: 0xB613F55AEFFA6DC0
    TSA: unspecified
    Extensions:

The recover command

recover [options] [file]

Caution:

Do NOT use the lgstool recover command on logstore files that are actively used by syslog-ng PE. It might lead to data loss. Always stop syslog-ng PE first.

Use the recover command can process and correct broken logstore files. It can also process orphaned journal files and move their contents to the respective logstore file. Encrypted, compressed, and timestamped logstore files can be recovered as well — the private key of the logstore is not needed to recover encrypted logstore files (recovering the encrypted file does not give access to its contents). Note that the recover option is not available in the Windows-version of lgstool.

Caution:

The lgstool application cannot fetch timestamps to the chunks (message blocks), so chunks recovered with lgstool are not timestamped (the internal timestamp of the syslog messages is included in the messages).

The recover command is available in syslog-ng Premium Edition 3.2 and later, and has the following options:

--compress-level or -c

Set the level of compression when processing a journal file into a compressed logstore. Default value: 3

--debug or -d

Print diagnostic and debugging messages to stderr.

--help or -h

Display a brief help message.

--verbose or -v

Print verbose messages to stderr.

--version or -V

Display version information.

Example:

lgstool recover mylogstore.lgs

The tail command

tail [options] [file]

Use the tail -f command to follow the contents of a logstore file like the traditional tail command does on Linux/UNIX systems. The messages are printed to the standard output (stdout). Contents of the journal file related to the logstore file are displayed as well.

The tail command is available in syslog-ng Premium Edition 3.2 and later, and has the following options. Note that in the Windows-version of lgstool the tail -f option is not available.

--debug or -d

Print diagnostic and debugging messages to stderr.

--help or -h

Display a brief help message.

--filter=<expression> or -i

Only print messages matching the specified syslog-ng PE filter. All possible macros, regular expressions and logical expressions can be specified in a filter.

Example A.2. lgstool tail filter

lgstool tail  -t 'host: ${HOST} program: ${PROGRAM} msg: ${MSG}\n' --filter='program("prg0000[0]")' /tmp/logstore-serialized.lgs

--follow or -f

Follow mode: display messages as they arrive into the logstore.

--key=<keyfile> or -k

Use the specified private key to decrypt encrypted logstore files.

--lines=<N> or -n

Display the last N lines of the logstore file instead of the last 10. Alternatively, use +N to display lines starting with the Nth.

--sleep_interval=<seconds> or -s

Number of seconds to wait before displaying new messages in follow mode.

--template=<template> or -t

Format the messages using the specified template.

--verbose or -v

Print verbose messages to stderr.

--version or -V

Display version information.

Example:

lgstool tail -f -n=20 --key=mykey.pem mylogstore.lgs

The validate command

validate [options] [file]

Use the validate command to validate the signatures and timestamps of a logstore file. The validate command has the following options:

--ca-dir=<directory> or -C

The directory that stores the certificates of the trusted Certificate Authorities. Use this option if the timestamps of your logstore files were signed with certificates belonging to different Certificate Authorities.

--ca-dir-layout=<md5|sha1>

The type of the hash used for the CA certificates. The default value (md5) is expected to change to sha1 in subsequent releases of syslog-ng PE.

--ca-file=<file> or -P

A file that stores the certificate of the trusted Certificate Authority. Use this option if the timestamps of your logstore files were signed with a single certificate, or if every such certificate belongs to the same Certificate Authority.

--crl-dir=<directory> or -R

The directory that stores the Certificate Revocation Lists of the trusted Certificate Authorities.

--debug or -d

Print diagnostic and debugging messages to stderr.

--help or -h

Display a brief help message.

--key=<keyfile> or -k

Use the specified private key to decrypt encrypted logstore files.

--require-ts or -T

Consider the logstore file invalid unless the entire file is protected by a valid timestamp.

--seed or -S

Use the ~/.rnd file or the file specified in the $RANDFILE environmental variable as seed. This is needed only on platforms that do not have a /dev/random device (for example, Solaris) and the entropy gathering daemon egd application is not installed on the system.

--ts-name=<name> or -D

Consider the logstore file invalid unless the timestamps are signed by the specified Timestamping Authority. Specify the Distinguished Name (DN) of the Timestamping Authority.

--verbose or -v

Print verbose messages to stderr.

--version or -V

Display version information.

By default, the lgstool validate command checks only the checksum of the file. Use the --require-ts option to validate the timestamps as well. THe digital signature of the timestamps is checked only if the --ca-dir or the --ca-file parameter is set.

Example:

lgstool validate --key=mykey.pem --ca-file=mycacert.pem --ts-name=MYTSA mylogstore.lgs

The reindex command

reindex [options] [file]

The reindex command is an experimental, currently unsupported tool. Do not attempt to use it unless your syslog-ng PE support team explicitly instructs you to do so.

Files

/opt/syslog-ng/bin/lgstool

See also

syslog-ng.conf(5)

syslog-ng(8)

NOTE:

For the detailed documentation of syslog-ng PE see the syslog-ng Documentation page

If you experience any problems or need help with syslog-ng, visit the syslog-ng FAQ or the syslog-ng mailing list.

For news and notifications about of syslog-ng, visit the syslog-ng Blog.

Author

This manual page was written by the One Identity Documentation Team <documentation@balabit.com>.

Copyright

Copyright© 2000-2018One Identity. Published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. For details, see https://creativecommons.org//. The latest version is always available at the syslog-ng Documentation page.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating