You can add destinations into the if-else blocks
Chelapa
@chelapa
I forced all my containers to restart and deploy. I might have gotten it to work (maybe it never picked up network). Waiting for data to load.
ooo if-else blocks. nice let me explore
oh darn, only in 3.24?
furiel
@furiel
It was introduced here: syslog-ng/syslog-ng#1856
from that I think
3.16 (maybe 3.15, I do not know if I need to subtract from the tag or not)
Chelapa
@chelapa
Ok so I tried network and also TCP as the destination and no messages are coming in at all. Switched back to syslog and it works just fine =|
Switched away from splunk (was testing), testing sumologic now and thinking I might stick with this. But can't get msgs incoming.
Chelapa
@chelapa
Trying the filter function out. If my sample data, for example, is SYSTEM (dummy data) 2018/09/05 12:40:15,012345678902,SYSTEM,url-filtering,0,2018/09/05 12:40:15,,upgrade-url-database-success,,0,0,general,informational,PAN-DB was upgraded to version 20170529.40084.,538241,0x8000000000000000 what should the filter be? match?
is SYSTEM a tag?
Chelapa
@chelapa
log { if { filter { message('type=SYSTEM') };
?
or better filter f_system { message('SYSTEM') }; and call the filter within the log /if block
or filter f_system { match("SYSTEM" value("MESSAGE")) };
furiel
@furiel
Personally, I would go with the message filter, because it is more readable than the match version.
Something like this:
@version: 3.26

log {
  source { example-msg-generator(num(1) template("...,SYSTEM,...")); };

  if (message("SYSTEM"))
    {
      destination { file(/dev/stdout template("matched\n") persist-name("1")); };
    }
  else
    {
      destination { file(/dev/stdout template("unmatched\n") persist-name("2")); };
    };
};
results in
$ timeout 1 ./syslog-ng -Fe -f ../etc/ifelse.conf 
[2020-03-24T10:24:12.139305] syslog-ng starting up; version='3.26.1.72.ged9e38e'
matched
[2020-03-24T10:24:13.116531] syslog-ng shutting down; version='3.26.1.72.ged9e38e'
$
Balazs Scheidler
@bazsi
@arnav-t To start a development project, it is always a good idea to compile syslog-ng and play with it: start it with a simple configuration and add new sources and destinations, and connect them using log paths. Once you have a feel for how to run syslog-ng, try to read the project description and understand where the regexp-parser() would go in a configuration file. Create a few example configurations. Once you have these, you can start understanding the project from the code/build point of view.
Raj Sahu
@rsahu001
I am a syslog-ng newbie, could someone point me to the FAQ page? I see the client key and cert file are listed in #4, but in #2 serverkey.pem and servercert.pem are in the client syslog-ng config @https://www.linux.com/training-tutorials/tls-encryption-and-mutual-authentication-using-syslog-ng-open-source-edition/#mutual-authentication-test
furiel
@furiel
@rsahu001 I do not know of a FAQ page, though it would be nice if syslog-ng had one. You can check out the admin guide: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/61#TOPIC-1298105
If you got stuck with the rehashing part, the freshly introduced ca-file() option might help you. It is so fresh that it is only available on master though, so you need to compile syslog-ng from source: syslog-ng/syslog-ng#3145. But with that, no rehashing needed. You can simply pass your ca file.
Fabien Wernli
@faxm0dem
Hi there
I want to catch multiline java stack traces sent via syslog:localhost:514/udp
I can never remember which protocols are supported for multi-line
is udp one of them?
sorry to ask here but the new documentation is so hard to search
furiel
@furiel
According to the code, it seems to me that only the file source and the pipe source support multi-line.
Udp does not support it.
But shouldn't udp handle multi-line messages by default?
I mean, if syslog-ng assumes one message per udp packet and does not check for any other delimiter.
Fabien Wernli
@faxm0dem
yes you're correct
I found it in the doc in the meantime
László Várady
@MrAnno
udp might handle multi-line messages if you send them within a single packet.
I'm sure that the syslog() driver (with TCP transport) handles multi-line too, because it uses a frame header to determine the message length.
furiel
@furiel
I quickly verified what @MrAnno mentioned, with netcat. udp receives the multi-line in a single message.
Fabien Wernli
@faxm0dem
ok, I guess it's the logback library which is sending one packet per line
what do you suggest to configure logback to correctly send multiline using syslog?
currently we have:
furiel
@furiel
I am unfamiliar with logback, didn't find anything useful in its documentation, but I found this:
This may be the functionality that you want?
furiel
@furiel
@chelapa in the next syslog-ng admin guide (for 3.27), we will improve the documentation with a complete if-else example (a slightly improved version of what I showed a bit earlier). FYI: you can refer to that once it is published.
Minor spoiler
Balazs Scheidler
@bazsi
GSoC applicants, please note the official deadline for proposals is today, so file your proposals on the official website.
Red Pill Factory
@alvinlee001
Hi, does anyone use syslog-ng with the ELK stack?
Balazs Scheidler
@bazsi
I do know about people, but I am not sure they are around. What's your question?