Syslog-ng forward raw log only

Question

I have been trying to forward logs from a firewall to a SIEM using syslog-ng, but the problem is that I want to forward only the original raw log, without the headers added by syslog-ng. I have the following syslog-ng conf file.

```
@version: 5.2
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-5.2-guides/en/syslog-ng-pe-v5.2-guide-admin/html-single/index.html
#
@include "scl.conf"

options {
};

######
# sources
source s_local {
# message generated by Syslog-NG
internal();
};

source s_udp {
# no-parse: the whole datagram (including the firewall's own <PRI>) lands in $MSG
udp(ip(X.X.X.X)
flags(no-parse)
port(514));
};

######
#templates

template no_header {
template($MSG); template_escape(no);
};

######
#destinations

destination d_siem {
syslog("X.X.X.X" port(514) template(no_header));
};

log { source(s_udp); destination(d_siem);};
```

With the above, I have managed to remove most of syslog-ng's headers, but I cannot remove the part shown in bold below:

**531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -** <189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX

Syslog-ng's documentation states that:

(The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)

If in my conf I change the template from $MSG to $MSGHDR, the only thing I receive in the SIEM is the following:

531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -

But again, if I use $MSG, $MSGONLY or $MESSAGE, I get:

**531 <13>1 2015-03-03T17:35:12+04:00 X.X.X.X - - - -** <189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX

What I want syslog-ng to forward is only this:

<189>date=2015-03-03 time=05:27:43 devname=XXX-X-X device_id=XXXX log_id=XXXX type=XXX subtype=XXX pri=notice vd= src=X.X.X.X src_port=X src_int="XXX" dst=X.X.X.X dst_port=XXX dst_int="XXX" SN=XXXXX status=XXX policyid=X dst_country="XXXX" src_country="XXXX" dir_disp=XXX tran_disp=XXX tran_sip=X.X.X.X tran_sport=XXX service=XXX proto=X duration=XXX sent=XXX rcvd=XXX sent_pkt=XXX rcvd_pkt=XXX

I've exhausted options such as:

```
options {
#keep-hostname(yes);
#chain-hostnames(no);
#use_fqdn(no);
#create_dirs(no);
#long_hostnames(off);
#flush_lines(0);
#use-dns(no);
#keep_timestamp(yes);
#flags(store-legacy-msghdr);
};
```

None of the above had any effect.

I've read in another forum that it is possible to use rewrites and sets to put the value of locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such so that they contain just the desired data, but I'm not exactly sure how I can accomplish that.

Can anyone help?

Accepted answer

You should use a tcp() destination instead of syslog():

```
destination d_siem {
tcp("X.X.X.X" port(514) template(no_header));
};
```

syslog() is for RFC5424 syslog; tcp() is for legacy.
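For the case where the forwarder cannot be changed right away, here is an added example (not from the question or the answer) of a SIEM-side normalizer: it strips the octet-count framing and RFC 5424 header that the syslog() destination prepends, checks the declared octet count against the framed message (a mismatch means a split or corrupted TCP stream), and decodes both PRI values. All names and sample values are constructed; the firewall fields are shortened.

```python
import re

# Shape of a line as the SIEM receives it from a syslog-ng syslog() destination:
# optional RFC 6587 octet count, then an RFC 5424 header, then the template output.
# Structured-data matching is simplified (no escaped "]" inside an SD element).
_WRAPPED = re.compile(
    r"^(?:(?P<octets>\d+) )?"                      # "531 " octet-count framing
    r"<(?P<pri>\d{1,3})>1 "                        # PRI and protocol version 1
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "     # timestamp, hostname, app-name
    r"(?P<procid>\S+) (?P<msgid>\S+) "             # procid, msgid
    r"(?P<sd>-|(?:\[[^\]]*\])+) "                  # structured data or "-"
    r"(?P<msg>.*)$",
    re.S,
)


def unwrap_rfc5424(line):
    """Return (payload, header) for a wrapped line, or (line, None) if it is
    already raw. Raise ValueError when the octet count disagrees with the
    framed message length."""
    m = _WRAPPED.match(line)
    if m is None:
        return line, None
    if m.group("octets") is not None:
        framed = line[m.end("octets") + 1:]          # text after "NNN "
        declared = int(m.group("octets"))
        actual = len(framed.encode("utf-8"))
        if declared != actual:
            raise ValueError(f"octet count {declared} != framed length {actual}")
    header = {k: m.group(k) for k in ("pri", "ts", "host", "app", "procid", "msgid", "sd")}
    header["facility"], header["severity"] = divmod(int(header["pri"]), 8)
    return m.group("msg"), header


def inner_pri(payload):
    """Facility/severity of the device's own <PRI>, e.g. <189> -> (23, 5)."""
    m = re.match(r"^<(\d{1,3})>", payload)
    return divmod(int(m.group(1)), 8) if m else None


# Constructed sample in the shape shown in the question (hypothetical values).
RAW = ("<189>date=2015-03-03 time=05:27:43 devname=FW01 type=traffic "
       "pri=notice src=10.0.0.5 dst=10.0.0.9 service=HTTPS action=accept")
_FRAMED = "<13>1 2015-03-03T17:35:12+04:00 10.0.0.1 - - - - " + RAW
WRAPPED = f"{len(_FRAMED.encode('utf-8'))} {_FRAMED}"

if __name__ == "__main__":
    payload, hdr = unwrap_rfc5424(WRAPPED)
    print(payload == RAW, hdr["facility"], hdr["severity"], inner_pri(payload))
```

With the tcp() destination from the answer the normalizer becomes a no-op, since unwrap_rfc5424() returns an unwrapped line unchanged.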
