Fabien Wernli
@faxm0dem
if that doesn't give you any more clues, use the debug mode
syslog-ng -evdf /etc/syslog-ng/syslog-ng.conf
Gábor Nagy
@gaborznagy
Hi @svestenik! What @faxm0dem suggested is a good idea: you need to know where your message is dropped.
Since you have a relatively simple log path with two destinations and a parser, I suspect the message is dropped in the p_cisco cisco-parser.
Cisco parser drops the message if its format doesn't match a supported Cisco format.
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.33/administration-guide/79#TOPIC-1663463
Ohh, sorry, you already figured that out...
Fabien Wernli
@faxm0dem
svestenik: you can also send us an example out of your raw log so we can check on our side
Gábor Nagy
@gaborznagy
We need to see what kind of messages are dropped by the cisco-parser. Can you show us an example, please?
cisco-parser supports the following format:
<pri>(sequence: )?(origin-id: )?(timestamp? timezone?: )?%msg
dvlsatya
@dvlsatya
I want to contribute to your organization. What is the procedure to set up your project? What should I follow?
Gábor Nagy
@gaborznagy
Hello @dvlsatya !
We are more than happy to receive contributions from the community! :)
First, I suggest compiling syslog-ng.
You have several options: you can use our docker-based infrastructure, and then you don't have to set up a build environment on your computer.
Here is a short description about using the docker-based build system (dbld):
https://github.com/syslog-ng/syslog-ng/tree/master/dbld#hacking-on-syslog-ng-itself
What kind of contribution do you have in mind?
kartiks26
@kartiks26
Where can I find open issues or areas open for contribution?
Fabien Wernli
@faxm0dem
o/
I just updated to debian/bullseye, and the latest syslog-ng-master says `Required bison not found /home/fwernli/git/syslog-ng/build/lib/rewrite/rewrite-expr-grammar.y`
I've got `bison (GNU Bison) 3.7.5`
ah I see the warning now in the configure script that I need at least 3.7.6
back to yak shaving then
Fabien Wernli
@faxm0dem
That one's been fun
deepulikesbru
@deepulikesbru
I have created a new syslog configuration file in /opt/syslog-ng/etc/conf.d.
I have created one source and one destination file inside the script, /var/log/myfile.txt.
For some reason I have changed the destination file to myfile1.txt inside the configuration and reloaded the config file.
Though I have deleted myfile.txt, it is still there and updated with the same data as myfile1 has. I have deleted myfile.txt multiple times but it still gets created. Could someone please help with this?
Gábor Nagy
@gaborznagy
Hi @deepulikesbru!
That sounds strange. Syslog-ng writes to the new file after the reload.
Can you share with us the actual config, please?
Does the old file (myfile.txt) have the same content as the new myfile1 file after it's been re-created? Does it have the old myfile.txt contents as well?
deepulikesbru
@deepulikesbru
I can't share the contents of those files.
@gaborznagy I removed the config file and created it again with different file names inside the config file (mytext2.txt), and deleted myfile.txt and myfile1.txt before reloading. I did see the files myfile.txt and myfile1.txt again after some time. Why are these files being created again after some time even though I have deleted them? What could be the issue? Does syslog have anything internally to clear the buffer?
László Várady
@MrAnno
@deepulikesbru What syslog-ng version are you using?
A reload reinitializes the pipeline, so you should not see that file recreated if you previously removed that from the configuration, unless your configuration is invalid. In case the config is invalid, syslog-ng reverts back to the previous configuration.
deepulikesbru
@deepulikesbru

# Source: tail a plain-text application log, polling it every 10 seconds
source s_src {
    file("/path/myapp.log" follow-freq(10));
};

# Output format used by the file destination below
template app_test_struc {
    template("${DATE} | From ${HOST_FROM} | ${PRIORITY} | ${MSGHDR}${MSG}\n");
};

# Destination: write the formatted messages to a single file
destination d_des {
    file("/var/log/myfile2.txt" template(app_test_struc));
};

log { source(s_src); destination(d_des); };

@MrAnno @gaborznagy
Above is the config file. When I try to give another file name, say myfile3, after some testing, the deleted files also exist in /var/log along with the newly created log myfile3.
Gábor Nagy
@gaborznagy
@deepulikesbru Thanks for sharing the config!
The above config looks okay, but maybe your config is invalid, as @MrAnno suggested. Check it with syslog-ng --syntax-only, please.
What kind of syslog-ng do you use? Can you share the syslog-ng -V output with us, please?
deepulikesbru
@deepulikesbru
@gaborznagy @MrAnno could you please provide me the steps to reload the syslog configuration file properly? Thanks in advance.
deepulikesbru
@deepulikesbru
Version 6.0.21, AIX OS.
The above command doesn't work on AIX.
László Várady
@MrAnno

This channel is for the open-source edition of syslog-ng. Sorry, we cannot support syslog-ng PE 6.0.21 here. AIX is quite a rare platform, please consider contacting the commercial support: https://support.oneidentity.com/syslog-ng-premium-edition/6.0.21

(/opt/syslog-ng/sbin/syslog-ng-ctl reload should probably work in this case)

deepulikesbru
@deepulikesbru
Thank you @MrAnno for your time on this. I will contact them.
Balazs Scheidler
@bazsi
@MrAnno while working on typing in PR #3831 I have a grammar conflict that I could resolve if plugin discovery would be required. Do you remember any case where plugin discovery was causing problems?
arteta22000
@arteta22000
Hi, I'm testing the grouping-by feature for ugly logs: Cisco IronPort (3 unique IDs: mid, dcid, lcid). Syslog-ng configuration here: https://www.codepile.net/pile/RLB9KA26
The "context-values" function returns duplicates, I don't understand. There is only one log that matches in patterndb. Output logs: Session completed >> "","","","","","",cold.wav,human.docx,do.mov,"","","","","","",do.mov mid_id:160681582 cip_icid: 298826272
Balazs Scheidler
@bazsi
Can you also publish sample messages?
arteta22000
@arteta22000
Sure. sample here: https://pastebin.com/r98CCzFa patterndb here: https://pastebin.com/Sw96MuRb . It's my first patterndb, I might have made mistakes
Balazs Scheidler
@bazsi
Thanks. I'll look into it
arteta22000
@arteta22000
Hi @bazsi, I've tried to reproduce my issue?
Balazs Scheidler
@bazsi
15 of your 17 input lines do match the patterndb
Balazs Scheidler
@bazsi
So all the lines end up in your correlation context which have a ${mid_id} value
This means that the context contains the entire transaction and not just the lines that contain attachment information. For some of your log entries the name of the attachment is empty.
If all you want is to filter out messages that have ${attachment} defined, you could do this:
$(filter ('$_' ne '') $(context-values ${attachment}))
Or, maybe even simpler to use the $(context-lookup) function that combines $(filter) and $(context-values), like this
Balazs Scheidler
@bazsi
$(context-lookup ('$attachment' ne '') ${attachment})
Balazs Scheidler
@bazsi
@arteta22000 did ^^^ help?
arteta22000
@arteta22000
I don't understand this quote @bazsi: "For some of your log entries the name of the attachment is empty." In my log dump, I have only 2 logs with attachments: attachment 'try.odt' and attachment 'house.html'. Why do I get this: " "","","","","","","",try.odt,house.html,"","","","",house.html"? With the context-lookup, I have duplicates: try.odt,house.html,house.html
Balazs Scheidler
@bazsi
let me check...
Balazs Scheidler
@bazsi
Ok, here's the thing: at aggregation time, a new synthetic message is created. This synthetic message is what gets emitted from the grouping-by() parser. So if you had 16 messages from the Ironport, you would have 17 messages in total: the original 16 + the one generated by syslog-ng. The goal of this synthetic message is to aggregate information from the previous 16 into just one. Since you have inherit-mode("context") in your config, this new message would contain a union of all name-value pairs in your original messages. And this is what you can extend with additional name-value pairs within your aggregate() option.
This means that the synthetic message would have AGGR should-only-pass" name-value pairs, since these are specified within aggregate().
Now, when the aggregation happens, the synthetic message becomes part of the context, so that your value() options can reference the aggregated name-value pairs. This is how your AGGR template can use ${mid_id}, this name-value pair is "inherited" from the context.
I hope it is clear up to this point.