syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, queueing, SQL & NoSQL.
cisco-parser supports the following format:
<pri>(sequence: )?(origin-id: )?(timestamp? timezone?: )?%msg
Hello @dvlsatya !
We are more than happy to receive contributions from the community! :)
At first I suggest to compile syslog-ng.
You have several options: you can use our docker-based infrastructure and then you don't have to setup a build environment on your computer.
Here is a short description about the usage the docker-based build system (dbld):
https://github.com/syslog-ng/syslog-ng/tree/master/dbld#hacking-on-syslog-ng-itself
What kind of contribution do you have in mind?
We are more than happy to receive contributions from the community! :)
At first I suggest to compile syslog-ng.
You have several options: you can use our docker-based infrastructure and then you don't have to setup a build environment on your computer.
Here is a short description about the usage the docker-based build system (dbld):
https://github.com/syslog-ng/syslog-ng/tree/master/dbld#hacking-on-syslog-ng-itself
What kind of contribution do you have in mind?
I just updated to debian/bullseye, and the latest syslog-ng-master says
`Required bison not found /home/fwernli/git/syslog-ng/build/lib/rewrite/rewrite-expr-grammar.y
I've got `bison (GNU Bison) 3.7.5
ah I see the warning now in the configure script that I need at least 3.7.6
back to yak shaving then
I have created a new syslog configuration file in /opt/syslog-ng/etc/conf.d.
I have created one source and destination file inside script /var/log/myfile.txt
For some reason i have changed the destination file to myfile1.txt inside the configuration and reloaded the config file.
Though i have deleted myfile.txt, still is it there and updated with the same data as myfile1 has. I have deleted myfile.txt multiple times but still creating. Could someone please help on this?
I have created one source and destination file inside script /var/log/myfile.txt
For some reason i have changed the destination file to myfile1.txt inside the configuration and reloaded the config file.
Though i have deleted myfile.txt, still is it there and updated with the same data as myfile1 has. I have deleted myfile.txt multiple times but still creating. Could someone please help on this?
Hi @deepulikesbru!
That sounds strange. Syslog-ng writes to the new file after the reload.
Can you share with us the actual config, please?
Does the old file (myfile.txt) have the same content like the new myfile1 file after it's been re-created? Does it have the old myfile.txt contents as well?
That sounds strange. Syslog-ng writes to the new file after the reload.
Can you share with us the actual config, please?
Does the old file (myfile.txt) have the same content like the new myfile1 file after it's been re-created? Does it have the old myfile.txt contents as well?
@gaborznagy I removed the config file and created with different file names again inside the config file with mytext2.txt and deleted myfile.txt and myfile1.txt before reloading. I did see the files myfile.txt and myfile1.txt again after some time. Why these files are creating again after sometime though i have deleted the files? What could be the issue? Does syslog has internally anything to clear the buffer ??
@deepulikesbru What syslog-ng version are you using?
A reload reinitializes the pipeline, so you should not see that file recreated if you previously removed that from the configuration, unless your configuration is invalid. In case the config is invalid, syslog-ng reverts back to the previous configuration.
A reload reinitializes the pipeline, so you should not see that file recreated if you previously removed that from the configuration, unless your configuration is invalid. In case the config is invalid, syslog-ng reverts back to the previous configuration.
source s_src {
file("/path/myapp.log"
follow-freq(10) );
};
template app_test_struc {
template("${DATE} | From ${HOST_FROM} | ${PRIORITY} | ${MSGHDR}${MSG}\n");
};
destination d_des {
file("/var/log/myfile2.txt" template(app_test_struc));
};
log {source(s_src); destination(d_des); };
@MrAnno @gaborznagy
Above is the config file, When i try to give another file name say myfile3 after some testing, the deleted files also exist in the /var/log along with newly created log myfile3.
Above is the config file, When i try to give another file name say myfile3 after some testing, the deleted files also exist in the /var/log along with newly created log myfile3.
The above command dont work in AIX
This channel is for the open-source edition of syslog-ng. Sorry, we can not support syslog-ng PE 6.0.21 here. AIX is a quite rare platform, please consider contacting the commercial support: https://support.oneidentity.com/syslog-ng-premium-edition/6.0.21
(/opt/syslog-ng/sbin/syslog-ng-ctl reload should probably work in this case)
@MrAnno while working on typing in PR #3831 I have a grammar conflict that I could resolve if plugin discovery would be required. Do you remember any case where plugin discovery was causing problems?
42 replies
Hi, I'm testing the grouping-by feature for ugly logs: Cisco ironport (3 ID uniq: mid, dcid, lcid). Syslog-ng configuration here: https://www.codepile.net/pile/RLB9KA26
The "context-values" function returns duplicates, I don't understand ? there is only one log that matches in patterndb. Ouptut logs:
Session completed >> "","","","","","",cold.wav,human.docx,do.mov,"","","","","","",do.mov mid_id:160681582 cip_icid: 298826272
Sure. sample here: https://pastebin.com/r98CCzFa patterndb here: https://pastebin.com/Sw96MuRb . It's my first patterndb, I might have made mistakes
This means that the context contains the entire transaction and not just the lines that contain attachment information. For some of your log entries the name of the attachment is empty.
If all you want is to filter out messages that have ${attachment} defined, you could do this:
$(filter ('$_' ne '') $(context-values ${attachment}))
Or, maybe even simpler to use the $(context-lookup) function that combines $(filter) and $(context-values), like this
I don't understand this quote @bazsi : "For some of your log entries the name of the attachment is empty." . In my log dump, I have only 2 logs with attachmnts: attachment 'try.odt' and attachment 'house.html' ? Why do I get this: " "","","","","","","",try.odt,house.html,"","","","",house.html" ? With the context-lookup, I have duplicates: try.odt,house.html,house.html
Ok, here's the thing: at aggregation time, a new synthetic message is created. This synthetic message is what gets emitted from the grouping-by() parser. So if you had 16 messages from the Ironport, you would have 17 messages in total: the original 16 + the one generated by syslog-ng. The goal of this synthetic message is to aggregate information from the previous 16 into just one. Since you have
inherit-mode("context") in your config, this new message would contain a union of all name-value pairs in your original messages. And this is what you can extend with additional name-value pairs within your aggregate() option.
This means, that the synthetic message would have
AGGR should-only-pass" name value pairs, since these are specified within aggregate().
Now, when the aggregation happens, the synthetic message becomes part of the context, so that your
value() options can reference the aggregated name-value pairs. This is how your AGGR template can use ${mid_id}, this name-value pair is "inherited" from the context.
I hope it is clear up to this point.
With that all said, your synthetic message at the top of the context contains the
${attachment} field, inherited from any original message that we have seen so far, but it's going to contain the last of these values.
$(context-lookup) iterates both the original messages and the synthetic one added on top, meaning house.html would be repeated.