The unix-stream() and unix-dgram() drivers open an AF_UNIX socket and start listening on it for messages. The unix-stream() driver is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost), while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics: this may result in lost local messages if the system is overloaded.
To avoid denial of service attacks when using connection-oriented protocols, the number of simultaneously accepted connections should be limited. This can be achieved using the max-connections() parameter. The default value of this parameter is quite strict; you might have to increase it on a busy system.
Both unix-stream() and unix-dgram() have a single required argument that specifies the filename of the socket to create. For the list of available optional parameters, see unix-stream() and unix-dgram() source options.
unix-stream(filename [options]); unix-dgram(filename [options]);
NOTE:
syslogd on Linux originally used SOCK_STREAM sockets, but some distributions switched to SOCK_DGRAM around 1999 to fix a possible DoS problem. On Linux you can choose to use whichever driver you like as syslog clients automatically detect the socket type being used.
source s_stream { unix-stream("/dev/log" max-connections(10)); };
source s_dgram { unix-dgram("/var/run/log"); };
Event log messages collected by the Windows Event Collector for syslog-ng PE use this special source. To collect Windows event log messages, include this source in one of your source statements.
The Windows Event Collector tool for syslog-ng PE collects the log messages of Windows-based hosts in Unix datagram sockets, and then forwards them to a syslog-ng PE server over HTTPS (using TLS encryption and mutual authentication). syslog-ng PE reads the log messages using the windowsevent() source, and then parses the logs into key-value pairs using the XML parser.
The XML parser uses the list-handling functionality to handle lists in the XML. Note that you cannot disable the list-handling functionality for the windowsevent() source.
For more information, see Windows Event Collector Administration Guide.
source s_wec { windowsevent( prefix(".windowsevent.") unix-domain-socket("`syslog-ng-root`/var/run/wec.sock") ); };
Starting with version 7.0.13, the syslog-ng PE windowsevent() source can process XML arrays and make the elements of the arrays available as name-value pairs. For example, the following XML array becomes available as name-value pairs:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5059</EventID>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-K1678A68SQ6$</Data>
  </EventData>
</Event>
From the previous example, the following name-value pairs become available: ${Event.System.EventID} (5059), ${Event.EventData.SubjectUserSid} (S-1-5-18), ${Event.EventData.SubjectUserName} (WIN-K1678A68SQ6$).
NOTE:
The name-value pairs are only created from EventData.Data XML paths, that is, only for <Data> tags that are the children of an <EventData> tag and have the Name attribute. If the array-like structure is not a Data tag under an EventData tag, or it lacks the Name attribute, then the regular XML-parser logic is used.
The windowsevent() driver has the following options:
prefix()
Type: string
Default: ".windowsevent."
Description: The prefix prepended to the key-value pairs.
If you want to send Windows event logs to SDATA, then set prefix(".SDATA."). This can be useful, for example, when you forward Windows event logs to a syslog-ng Store Box.
unix-domain-socket()
Type: string
Default: /opt/syslog-ng/var/run/wec.sock
Description: The path to the Unix domain socket to read messages from.
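The following is an added example (not syslog-ng's own code) that models the mapping described above: <Data Name="..."> children of <EventData> become Event.EventData.<Name>, every other leaf element is keyed by its element path, and the prefix() option is prepended to each name. It assumes, as a simplification of the parser's list handling, that repeated paths are joined into a comma-separated list; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the event shown above (not a real captured event).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5059</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-K1678A68SQ6$</Data>
  </EventData>
</Event>"""

# Constructed edge case: <Data> without a Name attribute falls back to path-based keys.
NAMELESS_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData><Data>a</Data><Data>b</Data></EventData>
</Event>"""


def _local(tag):
    """Drop the {namespace} part ElementTree prepends to tag names."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def windowsevent_pairs(xml_text, prefix=".windowsevent."):
    """Map an event XML document to {prefix + path: value} (simplified model).

    prefix mirrors the windowsevent() prefix() option. Repeated leaf paths are
    joined into a comma-separated list (assumed simplification of list handling).
    """
    pairs = {}

    def put(key, value):
        pairs[key] = pairs[key] + "," + value if key in pairs else value

    def walk(elem, path):
        name = _local(elem.tag)
        here = f"{path}.{name}" if path else name
        # Array rule: <Data Name="X"> directly under <EventData> becomes EventData.X
        if name == "Data" and path.split(".")[-1] == "EventData" and "Name" in elem.attrib:
            put(prefix + path + "." + elem.attrib["Name"], (elem.text or "").strip())
            return
        children = list(elem)
        if not children:  # regular XML-parser logic: leaf keyed by its element path
            put(prefix + here, (elem.text or "").strip())
            return
        for child in children:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return pairs
```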
A destination is where a log message is sent if the filtering rules match. Similarly to sources, destinations consist of one or more drivers, each defining where and how messages are sent.
TIP:
If no drivers are defined for a destination, all messages sent to the destination are discarded. This is equivalent to omitting the destination from the log statement.
To define a destination, add a destination statement to the syslog-ng configuration file using the following syntax.
destination <identifier> { destination-driver(params); destination-driver(params); ... };
The following destination statement sends messages to the TCP port 1999 of the 10.1.2.3 host.
destination d_demo_tcp { network("10.1.2.3" port(1999)); };
If name resolution is configured, you can use the hostname of the target server as well.
destination d_tcp { network("target_host" port(1999)); };
The following table lists the destination drivers available in syslog-ng PE.
Name | Description |
---|---|
elasticsearch-http() | Sends messages to an Elasticsearch server over HTTP using its REST API. |
file() | Writes messages to the specified file. |
graphite() | Sends metrics to a Graphite server to store numeric time-series data. |
hdfs() | Sends messages into a file on a Hadoop Distributed File System (HDFS) or MapR-FS node. |
http() | Sends messages over the HTTP protocol. |
kafka() | Publishes log messages to the Apache Kafka message bus, where subscribers can access them. |
logstore() | Writes messages securely into encrypted, compressed, and timestamped binary files. |
mongodb() | Sends messages to a MongoDB database. |
network() | Sends messages to a remote host using the BSD-syslog protocol over IPv4 and IPv6. Supports the TCP, UDP, ALTP, and TLS network protocols. |
pipe() | Writes messages to the specified named pipe. |
program() | Forks and launches the specified program, and sends messages to its standard input. |
python() | Sends messages to a custom destination written in Python. |
smtp() | Sends e-mail messages to the specified recipients. |
splunk-hec() | Forwards log messages to Splunk. |
sql() | Sends messages into an SQL database. In addition to the standard syslog-ng packages, the sql() destination requires database-specific packages to be installed. Refer to the section appropriate for your platform in Installing syslog-ng. |
syslog() | Sends messages to the specified remote host using the IETF-syslog protocol. The IETF standard supports message transport using the UDP, TCP, and TLS networking protocols. |
syslog-ng() | The syslog-ng() destination driver forwards log messages to another syslog-ng node in EWMM format. |
unix-dgram() | Sends messages to the specified unix socket in SOCK_DGRAM style (BSD). |
unix-stream() | Sends messages to the specified unix socket in SOCK_STREAM style (Linux). |
usertty() | Sends messages to the terminal of the specified user, if the user is logged in. |