syslog-ng Premium Edition 7.0.19 - Administration Guide

Summary of contents Target audience and prerequisites Products covered in this guide Summary of changes Acknowledgments

What syslog-ng is What syslog-ng is not Why is syslog-ng needed? What is new in syslog-ng Premium Edition 7? Who uses syslog-ng?

Public references of syslog-ng Premium Edition

Supported platforms

Certified packages

The concepts of syslog-ng

The philosophy of syslog-ng Logging with syslog-ng

The route of a log message in syslog-ng

Modes of operation

Client mode Relay mode Server mode

Global objects Timezones and daylight saving

How syslog-ng PE assigns timezone to the message A note on timezones and timestamps

Versions and releases of syslog-ng PE Licensing

License benefits Licensing model and modes of operation

GPL and LGPL licenses High availability support The structure of a log message

BSD-syslog or legacy-syslog messages IETF-syslog messages Enterprise-wide message model (EWMM)

Message representation in syslog-ng PE Structuring macros, metadata, and other value-pairs

Specifying data types in value-pairs

Things to consider when forwarding messages between syslog-ng PE hosts NFS file system for log files

Installing syslog-ng

Prerequisites to installing syslog-ng PE Security-enhanced Linux: grsecurity, SELinux Installing syslog-ng using the .run installer

Installing syslog-ng PE in client or relay mode Installing syslog-ng PE in server mode Installing syslog-ng PE without user-interaction

Installing syslog-ng PE on RPM-based platforms (Red Hat, SUSE, AIX) Using syslog-ng PE on SELinux Installing syslog-ng on Debian-based platforms Installing syslog-ng in Docker Upgrading syslog-ng PE

Upgrading from syslog-ng PE 7.0.x to version 7 Upgrading from syslog-ng PE 6.0.x to version 7 Upgrading syslog-ng PE to other package versions Upgrading from syslog-ng PE to syslog-ng OSE Upgrade from syslog-ng OSE to syslog-ng PE

Upgrading from syslog-ng OSE to syslog-ng PE

Upgrading from complete syslog-ng PE to client setup version of syslog-ng PE

Uninstalling syslog-ng PE Configuring Microsoft SQL Server to accept logs from syslog-ng

The syslog-ng PE quick-start guide

Configuring syslog-ng on client hosts Configuring syslog-ng on server hosts Configuring syslog-ng relays

Configuring syslog-ng on relay hosts How relaying log messages works

Managing and checking syslog-ng PE service on Linux

The syslog-ng PE configuration file

Location of the syslog-ng configuration file The configuration syntax in detail Notes about the configuration syntax Defining configuration objects inline Using channels in configuration objects Global and environmental variables Logging configuration changes Modules in syslog-ng PE

Loading modules

Managing complex syslog-ng configurations

Including configuration files Reusing configuration blocks Generating configuration blocks from a script

Python code in external files Logging from your Python code

Collecting log messages — sources and source drivers

How sources work default-network-drivers: Receive and parse common syslog messages

default-network-drivers() source options

internal: Collecting internal messages

internal() source options

file: Collecting messages from text files

Notes on reading kernel messages file() source options

wildcard-file: Collecting messages from multiple text files

wildcard-file() source options

linux-audit: Collecting messages from Linux audit logs

linux-audit() source options

network: Collecting messages using the RFC3164 protocol (network() driver)

network() source options

office365: Fetching logs from Office 365

Configuring Office 365 to permit fetching logs office365() source options Troubleshooting audit logging in Office 365

osquery: Collect and parse osquery result logs

osquery() source options

pipe: Collecting messages from named pipes

pipe() source options

program: Receiving messages from external applications

program() source options

python: writing server-style Python sources

Python LogMessage API python() and python-fetcher() source options

python-fetcher: writing fetcher-style Python sources

Python LogMessage API python() and python-fetcher() source options

snmptrap: Read Net-SNMP traps

snmptrap() source options

syslog: Collecting messages using the IETF syslog protocol (syslog() driver)

syslog() source options

system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage

systemd-journal() source options

systemd-syslog: Collecting systemd messages using a socket tcp, tcp6, udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol

tcp(), tcp6(), udp() and udp6() source options — OBSOLETE

Change an old source driver to the network() driver

udp-balancer: Receiving UDP messages at very high rate

udp-balancer() source options

unix-stream, unix-dgram: Collecting messages from UNIX domain sockets

unix-stream() and unix-dgram() source options

windowsevent: Collecting Windows event logs

windowsevent() source options

Sending and storing log messages — destinations and destination drivers

elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED)

Prerequisites How syslog-ng PE interacts with Elasticsearch Client modes Elasticsearch2 destination options (DEPRECATED)

elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector

Batch mode and load balancing elasticsearch-http destination options

file: Storing messages in plain-text files

file() destination options

hdfs: Storing messages on the Hadoop Distributed File System (HDFS)

Prerequisites How syslog-ng PE interacts with HDFS Storing messages with MapR-FS Kerberos authentication with syslog-ng hdfs() destination HDFS destination options

http: Posting messages over HTTP

Batch mode and load balancing HTTP destination options

kafka: Publishing messages to Apache Kafka

Prerequisites How syslog-ng PE interacts with Apache Kafka Kafka destination options

logstore: Storing messages in encrypted files

Displaying the contents of logstore files Journal files logstore() destination options

mongodb: Storing messages in a MongoDB database

How syslog-ng PE connects the MongoDB server mongodb() destination options

network: Sending messages to a remote log server using the RFC3164 protocol (network() driver)

network() destination options

pipe: Sending messages to named pipes

pipe() destination options

program: Sending messages to external applications

program() destination options

python: writing custom Python destinations

python() destination options

sentinel: Sending logs to the Microsoft Azure Sentinel cloud

Configuring the sentinel() destination to send logs to the Microsoft Azure Sentinel cloud

Getting the required credentials to configure syslog-ng PE as a Data Connector for Microsoft Azure Sentinel Log types

sentinel() destination options

smtp: Generating SMTP messages (email) from logs

smtp() destination options

splunk-hec: Sending messages to Splunk HTTP Event Collector

Batch mode and load balancing splunk-hec destination options

sql: Storing messages in an SQL database

Using the sql() driver with an Oracle database Using the sql() driver with a Microsoft SQL database The way syslog-ng interacts with the database

MySQL-specific interaction methods MsSQL-specific interaction methods

sql() destination options

stackdriver: Sending logs to the Google Stackdriver cloud

Configuring syslog-ng PE to send logs to Google Stackdriver stackdriver destination options

syslog: Sending messages to a remote logserver using the IETF-syslog protocol

syslog() destination options

syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers)

tcp(), tcp6(), udp(), and udp6() destination options

Change an old destination driver to the network() driver

unix-stream, unix-dgram: Sending messages to UNIX domain sockets

unix-stream() and unix-dgram() destination options

usertty: Sending messages to a user terminal — usertty() destination Client-side failover

Routing messages: log paths, flags, and filters

Log paths

Embedded log statements

Using embedded log statements

if-else-elif: Conditional expressions Junctions and channels Log path flags

Managing incoming and outgoing messages with flow-control

Flow-control and multiple destinations Configuring flow-control

Using the disk-buffer option and memory buffering

Enabling the reliable disk-buffer option Enabling the normal disk-buffer option How to get information about disk-buffer files

Useful information about disk-buffers Getting the list of disk-buffer files Getting status information of disk-buffer files Printing the content of disk-buffer files Orphan disk-buffer files

How to empty disk-buffer files Enabling memory buffering About disk queue files

Filters

Using filters Combining filters with boolean operators Comparing macro values in filters Using wildcards, special characters, and regular expressions in filters Tagging messages Filter functions

Dropping messages

Global options of syslog-ng PE

Configuring global syslog-ng options Global options

TLS-encrypted message transfer

Secure logging using TLS Encrypting log messages with TLS

Configuring TLS on the syslog-ng clients Configuring TLS on the syslog-ng server

Mutual authentication using TLS

Configuring TLS on the syslog-ng clients Configuring TLS on the syslog-ng server

Password-protected keys TLS options

Advanced Log Transfer Protocol

Logging using ALTP

How ALTP connections work Using ALTP in a client-relay-server scenario

ALTP options Examples for using ALTP

Reliability and minimizing the loss of log messages

Introduction Flow control, no disk-buffer option, no ALTP Flow control, normal disk-buffer option, no ALTP Flow control, reliable disk-buffer option, no ALTP Flow control, reliable disk-buffer option, ALTP Deciding which loss prevention mechanism to apply

Manipulating messages

Customizing message format using macros and templates

Formatting messages, filenames, directories, and tablenames Templates and macros Date-related macros Hard versus soft macros Macros of syslog-ng PE Using template functions Template functions of syslog-ng PE Modifying the on-the-wire message format

Modifying messages using rewrite rules

Replacing message parts Setting message fields to specific values Unsetting message fields Creating custom SDATA fields Setting multiple message fields to specific values Conditional rewrites

How conditional rewriting works

Anonymizing credit card numbers

Regular expressions

Types and options of regular expressions Optimizing regular expressions

parser: Parse and segment structured messages

Parsing syslog messages

Options of syslog-parser parsers

Parsing messages with comma-separated and similar values

Options of CSV parsers

Parsing key=value pairs

Options of key=value parsers

JSON parser

Options of JSON parsers

XML parser

Limitations of the XML parser Options of the XML parsers

Parsing dates and timestamps

Options of date-parser() parsers

Cisco Parser Linux audit parser

Options of linux-audit-parser() parsers

Python parser Parsing enterprise-wide message model (EWMM) messages Sudo parser iptables parser

Processing message content with a pattern database

Classifying log messages

The structure of the pattern database How pattern matching works Artificial ignorance

Using pattern databases

Using parser results in filters and templates Downloading sample pattern databases

Correlating log messages using pattern databases

Referencing earlier messages of the context

Triggering actions for identified messages

Conditional actions External actions Actions and message correlation

Creating pattern databases

Using pattern parsers

Pattern parsers of syslog-ng PE

What's new in the syslog-ng pattern database format V5 The syslog-ng pattern database format

Element: patterndb Element: ruleset Element: patterns Element: rules Element: rule Element: patterns Element: urls Element: values Element: examples Element: example Element: actions Element: action Element: create-context Element: tags

Correlating log messages

Correlating messages using the grouping-by() parser

Referencing earlier messages of the context Options of grouping-by parsers

Enriching log messages with external data

Adding metadata from an external file

Using filters as selector Options add-contextual-data()

Looking up GeoIP2 data from IP addresses

Options of geoip2 parsers

Monitoring statistics and metrics of syslog-ng

Metrics and counters of syslog-ng PE Log statistics from the internal() source The monitoring() source

monitoring() source options The monitoring-welf() source

Multithreading and scaling in syslog-ng PE

Multithreading concepts of syslog-ng PE Configuring multithreading Optimizing multithreaded performance

Troubleshooting syslog-ng

Possible causes of losing log messages Creating syslog-ng core files Collecting debugging information with strace, truss, or tusc Running a failure script Stopping syslog-ng Reporting bugs and finding help Error messages

Best practices and examples

General recommendations Handling large message load Using name resolution in syslog-ng

Resolving hostnames locally

Collecting logs from chroot Configuring log rotation

The syslog-ng manual pages

dqtool.1 lgstool.1 loggen.1 pdbtool.1 persist-tool.1 syslog-debun.1 syslog-ng-ctl.1 syslog-ng.8 syslog-ng.conf.5

Glossary

Printing the content of disk-buffer files

Routing messages: log paths, flags, and filters > Using the disk-buffer option and memory buffering > How to get information about disk-buffer files > Printing the content of disk-buffer files

This section describes printing the content of the disk-buffer files used in syslog-ng Premium Edition(syslog-ng PE).

Command syntax

The command syntax for printing the content of the disk-buffer files used in syslog-ng PE looks like this:

/opt/syslog-ng/bin/dqtool cat DISK_QUEUE_FILE

Short example output for printed content

Example: short output that shows the printed content of the disk-buffer files used in syslog-ng PE

The following short output example shows the printed content of the disk-buffer files used in syslog-ng PE:

/opt/syslog-ng/bin/dqtool cat /opt/syslog-ng/var/syslog-ng-00000.rqf

Reliable disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.rqf', queue_length='2952', size='-437712'
Jul 31 12:33:48.226 10.21.10.10 <382019-07-31T12:33:36 localhost prg00000[1234]: seq: 0000000838, thread: 0000, runid: 1564569216, stamp: 2019-07-31T12:33:36 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
...

Orphan disk-buffer files

Routing messages: log paths, flags, and filters > Using the disk-buffer option and memory buffering > How to get information about disk-buffer files > Orphan disk-buffer files

This section describes orphan disk-buffer files used in syslog-ng Premium Edition(syslog-ng PE).

In certain situations (for example, after modifying the disk-buffer configuration or losing the persist information), syslog-ng PE creates a new disk-buffer file instead of using the old one.

To discover these new disk-buffer files (also called orphan disk-buffer files), get the list of disk-buffer files from the persist file, and compare it with the content of the disk-buffer files' saving directory.

For more information about getting the list of disk-buffer files from the persist file, see Getting the list of disk-buffer files.

Discovering the new disk-buffer files (orphan disk-buffer files)

The following examples show the difference between the list of disk-buffer files from the persist file and the content of the disk-buffer files' saving directory:

Example: difference between the list of disk-buffer files from the persist file and the content of the disk-buffer files' saving directory

Disk-buffer file list from persist file:

afsocket_dd_qfile(stream,10.21.10.112:514) = { "queue_file": "/opt/syslog-ng/var/syslog-ng-00001.rqf" }

Disk-buffer files' saving directory content:

# ls -l /opt/syslog-ng/var/*qf
-rw------- 1 root root 2986780 Jul 31 12:30 /opt/syslog-ng/var/syslog-ng-00000.qf
-rw------- 1 root root 2000080 Jul 31 12:31 /opt/syslog-ng/var/syslog-ng-00000.rqf
-rw------- 1 root root    4096 Aug  1 11:09 /opt/syslog-ng/var/syslog-ng-00001.rqf

The disk-buffer files syslog-ng-00000.qf and syslog-ng-00000.rqf don't exist in the persist file. These two files are the newly created disk-buffer files that we also call orphan disk-buffer files.

How to empty disk-buffer files

Routing messages: log paths, flags, and filters > Using the disk-buffer option and memory buffering > How to empty disk-buffer files

This section describes how to empty disk-buffer files used in syslog-ng Premium Edition (syslog-ng PE).

Caution:

Hazard of data loss!

You must stop log reception to be able to empty a disk-buffer. If you fail to stop log reception before emptying a disk-buffer, your newly received log messages may get stored in the disk-buffer, overwriting your previous log messages. To avoid log loss, One Identity recommends that you redirect your logs to a different syslog server when emptying your disk-buffer files.

NOTE: Consider the following while reading this section:

This section uses a simple example configuration with one source and one destination with disk-buffer.

If you are not aware of disk-buffers or you're not sure which of your destinations use disk-buffer, One Identity recommends that you do not proceed with the procedure of emptying your disk-buffer files. Instead, One Identity recommends that you contact our Support Team and open a service request. When opening the service request, describe your issue and attach a collected debug bundle from your system.

For more information about collecting a debug bundle for Microsoft Windows, see How to create a syslog-ng debug bundle archive on Windows operating system.

For more information about collecting a debug bundle for Linux or Unix OS, see How to create a syslog-ng debug bundle on Linux Or Unix operating system.

Recommendation

One Identity recommends that you empty your disk-buffer files before you begin the following:

Upgrading syslog-ng Premium Edition (syslog-ng PE) from version 6 to 7.
Changing the configuration of a remote destination with disk-buffer.
Applying a solution that includes the removal of the syslog-ng PE persistent file.

Example configuration for emptying disk-buffer files

The syslog-ng PE application uses the following example configuration to describe how to empty disk-buffer files:

source s_net { 
    network(); 
};
destination d_logserver { 
    network("10.21.10.20" port(514) disk-buffer( disk-buf-size(2000000) ) );
};
log { 
    source(s_net);
    destination(d_logserver);
};

To empty disk-buffer files,

Name the disk-buffer file to empty and the destination statement using it.

If you are not sure about which disk-buffer file to empty, or the destination statement using the disk-buffer file in question, you can use one of the following methods:
- Check the list and the status of the disk-buffer files.
  Examples
  - Non-empty disk-buffer file
```
Disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.qf', qout_length='0', qbacklog_length='0', qoverflow_length='0', qdisk_length='3006'
```
  - IP:PORT information of the destination with the disk-buffer in use
```
afsocket_dd_qfile(stream,10.21.10.20:514) = { "queue_file": "/opt/syslog-ng/var/syslog-ng-00000.qf" }
```
  For more information about getting information about disk-buffer files, see Useful information about disk-buffers.
- Find the destination statement in the syslog-ng PE configuration using the IP:PORT information.
```
destination d_logserver { network("10.21.10.20" port(514) disk-buffer( disk-buf-size(2000000) ) ); };
```
Locate the log statements that use the destination statement you named previously.
Disable the sources in the log statements.

Add '#' at the beginning of all source() entries in the log paths.
```
log { 
#source(s_net);
 destination(d_logserver);
}
```
Reload syslog-ng PE by entering the /opt/syslog-ng/sbin/syslog-ng-ctl reload command.
Check the disk-buffer file status.

For more information, see Getting status information of disk-buffer files.
To enable the sources again, remove '#' from the log paths and reload syslog-ng PE.

Enabling memory buffering

Routing messages: log paths, flags, and filters > Using the disk-buffer option and memory buffering > Enabling memory buffering

To enable memory buffering, use the log-fifo-size() parameter in the destination. All destination drivers can use memory buffering. Use memory buffering if you want to send logs to destinations where the disk-buffer option is not available, if you want the fastest solution, and if syslog-ng PE crash or network downtime is never expected. In these cases, losing logs is possible. This solution does not use the disk-buffer option. Instead, logs are stored only in the memory.

Example: Example for using memory buffering

destination d_BSD {
    network(
            "127.0.0.1"
            port(3333)
            log-fifo-size(10000)
        );
};

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案