diff --git a/_includes/head.html b/_includes/head.html index b238cd33..b2bc64cc 100644 --- a/_includes/head.html +++ b/_includes/head.html @@ -13,6 +13,7 @@ {% include globals.html %} {% include skins.html %} + diff --git a/_plugins/log.rb b/_plugins/log.rb new file mode 100644 index 00000000..d06d2352 --- /dev/null +++ b/_plugins/log.rb @@ -0,0 +1,25 @@ +require "cgi" + +# Liquid block to render log excerpts +# +# {% log %} +# New lines are preserved. +# Long lines will be wrapped when displayed on screen. +# {% endlog %} +# +# Will be rendered in the browser to: +# +# |<--------- screen size --------->| +# | New lines are preserved. | +# | Long lines will be wrapped when | +# | displayed on screen. | +class LogBlock < Liquid::Block + def render(context) + output = '
' + output << CGI.escapeHTML(super.strip).gsub(/\n[[:blank:]]*/, "
") + output << "
" + output + end +end + +Liquid::Template.register_tag("log", LogBlock) diff --git a/assets/css/log.scss b/assets/css/log.scss new file mode 100644 index 00000000..2e123416 --- /dev/null +++ b/assets/css/log.scss @@ -0,0 +1,12 @@ +--- +search: false +toc: false +--- + +@import "minimal-mistakes/variables"; + +blockquote.log { + text-indent: 2em hanging each-line; + font-family: $monospace; + white-space: pre-wrap; +} diff --git a/doc/_admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages.md b/doc/_admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages.md index eb8ecec4..6c1cc15c 100644 --- a/doc/_admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages.md +++ b/doc/_admin-guide/020_The_concepts_of_syslog-ng/007_The_structure_of_a_log_message/002_EWMM_messages.md @@ -21,9 +21,9 @@ on the receiver side. The following is a sample log message in EWMM format. -><13>1 2018-05-13T13:27:50.993+00:00 my-host @syslog-ng - - - ->{"MESSAGE":"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for username on ->/dev/pts/8","HOST_FROM":"my-host","HOST":"my-host","FILE_NAME":"/tmp/in","._TAGS":".source.s_file"} +{% log %} +<13>1 2018-05-13T13:27:50.993+00:00 my-host @syslog-ng - - - {"MESSAGE":"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for username on /dev/pts/8","HOST_FROM":"my-host","HOST":"my-host","FILE_NAME":"/tmp/in","._TAGS":".source.s_file"} +{% endlog %} The message has the following parts: diff --git a/doc/_admin-guide/040_Quick-start_guide/003_Managing_and_checking_syslog-ng_OSE_service_on_Linux.md b/doc/_admin-guide/040_Quick-start_guide/003_Managing_and_checking_syslog-ng_OSE_service_on_Linux.md index 6a9380dd..76de52bb 100644 --- a/doc/_admin-guide/040_Quick-start_guide/003_Managing_and_checking_syslog-ng_OSE_service_on_Linux.md +++ b/doc/_admin-guide/040_Quick-start_guide/003_Managing_and_checking_syslog-ng_OSE_service_on_Linux.md 
@@ -71,29 +71,33 @@ To check the status of {{ site.product.short_name }} service - **active (running)** - {{ site.product.short_name }} service is up and running - Example: {{ site.product.short_name }} service active - - > syslog-ng.service - System Logger Daemon - > Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) - > Active: active (running) since Tue 2019-06-25 08:58:09 CEST; 5s ago - > Main PID: 6575 (syslog-ng) - > Tasks: 3 - > Memory: 13.3M - > CPU: 268ms - > CGroup: /system.slice/syslog-ng.service - > 6575 /opt/syslog-ng/libexec/syslog-ng -F --no-caps --enable-core + Example: {{ site.product.short_name }} service active + + {% log %} + syslog-ng.service - System Logger Daemon + Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) + Active: active (running) since Tue 2019-06-25 08:58:09 CEST; 5s ago + Main PID: 6575 (syslog-ng) + Tasks: 3 + Memory: 13.3M + CPU: 268ms + CGroup: /system.slice/syslog-ng.service + 6575 /opt/syslog-ng/libexec/syslog-ng -F --no-caps --enable-core + {% endlog %} - **inactive (dead)** - syslog-ng service is stopped Example: {{ site.product.short_name }} status inactive - > syslog-ng.service - System Logger Daemon - > Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) - > Active: inactive (dead) since Tue 2019-06-25 09:14:16 CEST; 2min 18s ago - > Process: 6575 ExecStart=/opt/syslog-ng/sbin/syslog-ng -F --no-caps --enable-core $SYSLOGNG_OPTIONS(code=exited, status=0/SUCCESS) - > Main PID: 6575 (code=exited, status=0/SUCCESS) - > Status: "Shutting down... Tue Jun 25 09:14:16 2019" - > Jun 25 09:14:31 as-syslog-srv systemd: Stopped System Logger Daemon. 
+ {% log %} + syslog-ng.service - System Logger Daemon + Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) + Active: inactive (dead) since Tue 2019-06-25 09:14:16 CEST; 2min 18s ago + Process: 6575 ExecStart=/opt/syslog-ng/sbin/syslog-ng -F --no-caps --enable-core $SYSLOGNG_OPTIONS(code=exited, status=0/SUCCESS) + Main PID: 6575 (code=exited, status=0/SUCCESS) + Status: "Shutting down... Tue Jun 25 09:14:16 2019" + Jun 25 09:14:31 as-syslog-srv systemd: Stopped System Logger Daemon. + {% endlog %} ### Checking the process of {{ site.product.short_name }} @@ -105,10 +109,10 @@ ps u `pidof syslog-ng` Expected output example: -> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND -> -> syslogng 6709 0.0 0.6 308680 13432 ? Ss 09:17 0:00 -> /opt/syslog-ng/libexec/syslog-ng -F --no-caps --enable-core +{% log %} +USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND +syslogng 6709 0.0 0.6 308680 13432 ? Ss 09:17 0:00 /opt/syslog-ng/libexec/syslog-ng -F --no-caps --enable-core +{% endlog %} ```bash ps axu | grep syslog-ng | grep -v grep @@ -116,8 +120,9 @@ ps axu | grep syslog-ng | grep -v grep Expected output example: -> syslogng 6709 0.0 0.6 308680 13432 ? Ss 09:17 0:00 -> /opt/syslog-ng/libexec/syslog-ng -F --no-caps --enable-core +{% log %} +syslogng 6709 0.0 0.6 308680 13432 ? Ss 09:17 0:00 /opt/syslog-ng/libexec/syslog-ng -F --no-caps --enable-core +{% endlog %} ### Checking the internal logs of {{ site.product.short_name }}** @@ -154,10 +159,11 @@ If the numbers are changing, {{ site.product.short_name }} is processing the mes Example: output example -> Every 2.0s: /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep -> ^center Tue Jun 25 10:33:25 2019 -> center;;queued;a;processed;112 -> center;;received;a;processed;28 +{% log %} +Every 2.0s: /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep ^center Tue Jun 25 10:33:25 2019 +center;;queued;a;processed;112 +center;;received;a;processed;28 +{% endlog %} ### Source statistics 
@@ -173,11 +179,12 @@ If the numbers are changing, {{ site.product.short_name }} is receiving messages Example: output example -> Every 2.0s: /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep -> ^source Tue Jun 25 10:40:50 2019 -> source;s_null;;a;processed;0 -> source;s_net;;a;processed;0 -> source;s_local;;a;processed;90 +{% log %} +Every 2.0s: /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep ^source Tue Jun 25 10:40:50 2019 +source;s_null;;a;processed;0 +source;s_net;;a;processed;0 +source;s_local;;a;processed;90 +{% endlog %} ### Destination statistics @@ -193,12 +200,13 @@ If the numbers are changing, {{ site.product.short_name }} is receiving messages Example: output example -> Every 2.0s: /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep -> ^destination Tue Jun 25 10:41:02 2019 -> destination;d_logserver2;;a;processed;90 -> destination;d_messages;;a;processed;180 -> destination;d_logserver;;a;processed;90 -> destination;d_null;;a;processed;0 +{% log %} +Every 2.0s: /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep ^destination Tue Jun 25 10:41:02 2019 +destination;d_logserver2;;a;processed;90 +destination;d_messages;;a;processed;180 +destination;d_logserver;;a;processed;90 +destination;d_null;;a;processed;0 +{% endlog %} **NOTE:** If you find error messages in the internal logs, messages are not processed by {{ site.product.short_name }} or you encounter any issue, you have the diff --git a/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/000_Proxy_protocol_working_mechanism.md b/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/000_Proxy_protocol_working_mechanism.md index 7d11c585..1cd02fd5 100644 --- a/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/000_Proxy_protocol_working_mechanism.md +++ b/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/000_Proxy_protocol_working_mechanism.md 
@@ -21,18 +21,19 @@ macros to every message the comes through the connection later on: - PROXY_DSTPORT (the destination port of the proxy) ->**NOTE:** Consider the following about macros and headers: -> +>**NOTE:** Consider the following about macros and headers: +> >- When the proxy protocol header is PROXY UNKNOWN, no additional macros are added. -> +> >- When {{ site.product.short_name }} cannot parse a proxy protocol header, the connection is closed: -> -> [2020-11-20T17:33:22.189458] PROXY protocol header received; line='PROXYdsfj' -> [2020-11-20T17:33:22.189475] Error parsing PROXY protocol header; -> [2020-11-20T17:33:22.189517] Syslog connection closed; fd='13', -> client='AF_INET(127.0.0.1:51665)', local='AF_INET(0.0.0.0:6666)' -> [2020-11-20T17:33:22.189546] Freeing PROXY protocol source driver; driver='0x7fffcba5bcf0' +> +> {% log %} +> [2020-11-20T17:33:22.189458] PROXY protocol header received; line='PROXYdsfj' +> [2020-11-20T17:33:22.189475] Error parsing PROXY protocol header; +> [2020-11-20T17:33:22.189517] Syslog connection closed; fd='13', client='AF_INET(127.0.0.1:51665)', local='AF_INET(0.0.0.0:6666)' +> [2020-11-20T17:33:22.189546] Freeing PROXY protocol source driver; driver='0x7fffcba5bcf0' > [2020-11-20T17:33:22.189600] Closing log transport fd; fd='13' +> {% endlog %} {: .notice--info} **NOTE:** Since the driver only implements version 1 of the protocol, it diff --git a/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/001_Proxy_protocol_configuration.md b/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/001_Proxy_protocol_configuration.md index fe582c70..6fdd3bd8 100644 --- a/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/001_Proxy_protocol_configuration.md +++ b/doc/_admin-guide/060_Sources/070_Network/001_Proxy_protocol_support/001_Proxy_protocol_configuration.md 
@@ -76,9 +76,8 @@ the output. With the PROXY TCP4 192.168.1.1 10.10.0.1 1111 2222 input header, the output looks like this: -> {"SOURCE":"s_tcp_pp","PROXIED_SRCPORT":"1111","PROXIED_SRCIP":"192.168.1.1", ->"PROXIED_IP_VERSION":"4","PROXIED_DSTPORT":"2222","PROXIED_DSTIP":"10.10.0.1", ->"PROGRAM":"TestMsg","MESSAGE":"","LEGACY_MSGHDR":"TestMsg", ->"HOST_FROM":"localhost","HOST":"localhost"} +{% log %} +{"SOURCE":"s_tcp_pp","PROXIED_SRCPORT":"1111","PROXIED_SRCIP":"192.168.1.1", "PROXIED_IP_VERSION":"4","PROXIED_DSTPORT":"2222","PROXIED_DSTIP":"10.10.0.1", "PROGRAM":"TestMsg","MESSAGE":"","LEGACY_MSGHDR":"TestMsg", "HOST_FROM":"localhost","HOST":"localhost"} +{% endlog %} Note that the macros that {{ site.product.short_name }} adds to the message appear in the output. diff --git a/doc/_admin-guide/060_Sources/102_osquery/README.md b/doc/_admin-guide/060_Sources/102_osquery/README.md index 0fc398e8..1ddcb5ae 100644 --- a/doc/_admin-guide/060_Sources/102_osquery/README.md +++ b/doc/_admin-guide/060_Sources/102_osquery/README.md @@ -14,7 +14,7 @@ The osquery() source of {{ site.product.short_name }} allows you read the result periodical osquery queries (from the /var/log/osquery/osqueryd.results.log file) and automatically parse the messages (if you want to use {{ site.product.short_name }} to send log messages to -osquery, read this blogpost). +osquery, read this blogpost). For example, you can: 
@@ -100,16 +100,9 @@ the outgoing message will be a well-formed JSON message. #### Input message ->{"name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"testhost", ->"calendarTime":"Fri Jul 21 10:04:41 2017 >UTC","unixTime":"1500631481", ->"decorations":{"host_uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332", ->"username":"myuser"},>"columns":{"build_distro":"xenial", ->"build_platform":"ubuntu",>"config_hash":"43cd1c6a7d0c283e21e026a53e619b2e582e94ee", ->"config_valid":"1","counter":"4","extensions":"active", ->"instance_id":"d0c3eb0d-f8e0-4bea-868b-18a2c61b438d","pid":"19764", ->"resident_size":"26416000",>"start_time":"1500629552","system_time":"223", ->"user_time":"476","uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332", ->"version":"2.5.0","watcher":"19762"},"action":"added"} +{% log %} +{"name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"testhost", "calendarTime":"Fri Jul 21 10:04:41 2017 >UTC","unixTime":"1500631481", "decorations":{"host_uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332", "username":"myuser"},>"columns":{"build_distro":"xenial", "build_platform":"ubuntu",>"config_hash":"43cd1c6a7d0c283e21e026a53e619b2e582e94ee", "config_valid":"1","counter":"4","extensions":"active", "instance_id":"d0c3eb0d-f8e0-4bea-868b-18a2c61b438d","pid":"19764", "resident_size":"26416000",>"start_time":"1500629552","system_time":"223", "user_time":"476","uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332", "version":"2.5.0","watcher":"19762"},"action":"added"} +{% endlog %} #### {{ site.product.short_name }} configuration 
@@ -138,16 +131,8 @@ log { #### Outgoing message ->Outgoing message; message='{"_osquery":{"unixTime":"1500631481", ->"name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"testhost", ->"decorations":{"username":"myuser","host_uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332"}, ->"columns":{"watcher":"19762","version":"2.5.0","uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332", ->"user_time":"476","system_time":"223","start_time":"1500629552", ->"resident_size":"26416000","pid":"19764","instance_id":"d0c3eb0d-f8e0-4bea-868b-18a2c61b438d", ->"extensions":"active","counter":"4","config_valid":"1", ->"config_hash":"43cd1c6a7d0c283e21e026a53e619b2e582e94ee","build_platform":"ubuntu", ->"build_distro":"xenial"},"calendarTime":"Fri Jul 21 10:04:41 2017 UTC","action":"added"}}\x0a' +> Outgoing message; message='{"_osquery":{"unixTime":"1500631481", "name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"testhost", "decorations":{"username":"myuser","host_uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332"}, "columns":{"watcher":"19762","version":"2.5.0","uuid":"4C4C4544-004D-3610-8043-C2C04F4D3332", "user_time":"476","system_time":"223","start_time":"1500629552", "resident_size":"26416000","pid":"19764","instance_id":"d0c3eb0d-f8e0-4bea-868b-18a2c61b438d", "extensions":"active","counter":"4","config_valid":"1", "config_hash":"43cd1c6a7d0c283e21e026a53e619b2e582e94ee","build_platform":"ubuntu", "build_distro":"xenial"},"calendarTime":"Fri Jul 21 10:04:41 2017 UTC","action":"added"}}\x0a' To configure a destination to send the log messages to Elasticsearch, -see elasticsearch-http: Sending messages to Elasticsearch HTTP Bulk API. +see elasticsearch-http: Sending messages to Elasticsearch HTTP Bulk API. For other destinations, see destination: Forward, send, and store log messages. diff --git a/doc/_admin-guide/060_Sources/140_Python/001_Python_logmessage_API.md b/doc/_admin-guide/060_Sources/140_Python/001_Python_logmessage_API.md index 2ac20f9f..eaa538a4 100644 
--- a/doc/_admin-guide/060_Sources/140_Python/001_Python_logmessage_API.md +++ b/doc/_admin-guide/060_Sources/140_Python/001_Python_logmessage_API.md @@ -64,11 +64,13 @@ set in the message, and uses the IP address of the {{ site.product.short_name }} the hostname (to use the hostname instead of the IP address, set the use-dns() or use-fqdn() options in the Python source). ->msg_ietf = LogMessage.parse('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com ->evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] ->An application event log entry', self.parse_options) ->msg_bsd = LogMessage.parse('<34>Oct 11 22:14:15 mymachine su: \'su root\' failed for ->lonvick on /dev/pts/8', self.parse_options) +```python +msg_ietf = LogMessage.parse('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com \ +evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] \ +An application event log entry', self.parse_options) +msg_bsd = LogMessage.parse('<34>Oct 11 22:14:15 mymachine su: \'su root\' failed for \ +lonvick on /dev/pts/8', self.parse_options) +``` ## set_pri() method diff --git a/doc/_admin-guide/060_Sources/155_stdin/README.md b/doc/_admin-guide/060_Sources/155_stdin/README.md index b7c7ff12..20c86921 100644 --- a/doc/_admin-guide/060_Sources/155_stdin/README.md +++ b/doc/_admin-guide/060_Sources/155_stdin/README.md @@ -35,6 +35,8 @@ used to collect a test message: $ echo "this is a test message" | ./syslog-ng -Fe --no-caps ``` -> [2017-11-14T13:47:16.757938] syslog-ng starting up; version='3.12.1' -> [2017-11-14T13:47:16.758195] syslog-ng shutting down; version='3.12.1' -> Nov 14 13:47:16 testserver this is a test message +{% log %} +[2017-11-14T13:47:16.757938] syslog-ng starting up; version='3.12.1' +[2017-11-14T13:47:16.758195] syslog-ng shutting down; version='3.12.1' +Nov 14 13:47:16 testserver this is a test message +{% endlog %} 
diff --git a/doc/_admin-guide/070_Destinations/310_syslog-ng/README.md b/doc/_admin-guide/070_Destinations/310_syslog-ng/README.md index 2d7f7ebb..70642137 100644 --- a/doc/_admin-guide/070_Destinations/310_syslog-ng/README.md +++ b/doc/_admin-guide/070_Destinations/310_syslog-ng/README.md @@ -28,9 +28,9 @@ to properly handle the messages. The following is a sample log message in EWMM format. -> <13>1 2018-05-13T13:27:50.993+00:00 my-host @syslog-ng - - - -> {"MESSAGE":"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for username on -> /dev/pts/8","HOST_FROM":"my-host","HOST":"my-host","FILE_NAME":"/tmp/in","._TAGS":".source.s_file"} +{% log %} +<13>1 2018-05-13T13:27:50.993+00:00 my-host @syslog-ng - - - {"MESSAGE":"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for username on /dev/pts/8","HOST_FROM":"my-host","HOST":"my-host","FILE_NAME":"/tmp/in","._TAGS":".source.s_file"} +{% endlog %} **Declaration** diff --git a/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/002_List.md b/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/002_List.md index e8bc2abe..02911fbf 100644 --- a/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/002_List.md +++ b/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/002_List.md @@ -20,10 +20,14 @@ The following command will list the disk-buffer files in use: The example output will look like the following: -> afsocket_dd_qfile(stream,10.21.10.20:601) ==> /opt/syslog-ng/var/syslog-ng-00000.rqf - -**NOTE:** If you receive the following error message instead of the example -output, install a vim-common package on your system: -{: .notice--info} +{% log %} + afsocket_dd_qfile(stream,10.21.10.20:601) ==> /opt/syslog-ng/var/syslog-ng-00000.rqf +{% endlog %} +> **NOTE:** If you receive the following error message instead of the example +> output, install a vim-common package on your system: +> +> {% log %} > xxd: command not found +> {% endlog %} +{: .notice--info} 
diff --git a/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/003_Content.md b/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/003_Content.md index 407e27c3..fd6a5e31 100644 --- a/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/003_Content.md +++ b/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/003_Content.md @@ -24,9 +24,11 @@ disk-buffer files used in {{ site.product.short_name }}: dqtool cat /opt/syslog-ng/var/syslog-ng-00000.rqf ``` ->Reliable disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.rqf', ->queue_length='2952', size='-437712' ->Jul 31 12:33:48.226 10.21.10.10 <382019-07-31T12:33:36 localhost prg00000[1234]: ->seq: 0000000838, thread: 0000, runid: 1564569216, stamp: 2019-07-31T12:33:36 ->PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD ->... +{% log %} +Reliable disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.rqf', +queue_length='2952', size='-437712' +Jul 31 12:33:48.226 10.21.10.10 <382019-07-31T12:33:36 localhost prg00000[1234]: +seq: 0000000838, thread: 0000, runid: 1564569216, stamp: 2019-07-31T12:33:36 +PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD +... +{% endlog %} diff --git a/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/005_How_to_process_orphan_diskbuffer.md b/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/005_How_to_process_orphan_diskbuffer.md index cd104ac9..52d321f4 100644 --- a/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/005_How_to_process_orphan_diskbuffer.md +++ b/doc/_admin-guide/080_Log/020_Buffering/003_How_to_get_information/005_How_to_process_orphan_diskbuffer.md 
@@ -156,12 +156,14 @@ To process the messages from an orphan disk-buffer file using a separate Example: output displaying newly created empty disk-buffer file and connection established to remote destination - >Follow-mode file source not found, deferring open; filename='/no_such_file_or.dir' - >Reliable disk-buffer state saved; filename='/tmp/qdisk/syslog-ng-00000.rqf', qdisk_length='0' - >No server license found, running in client mode; - >syslog-ng starting up; version='7.0.20', cfg-fingerprint='eaa03b9efb88b87d7c1b0ce7efd042ed8ac0c013', >cfg-nonce-ndx='0', cfg-signature='c0327a7f7e6418ce0399a75089377dfb662bb072' - >FIPS information; FIPS-mode='disabled' - >Syslog connection established; fd='7', server='AF_INET(10.21.10.20:514)', local='AF_INET(0.0.0.0:0)' + {% log %} + Follow-mode file source not found, deferring open; filename='/no_such_file_or.dir' + Reliable disk-buffer state saved; filename='/tmp/qdisk/syslog-ng-00000.rqf', qdisk_length='0' + No server license found, running in client mode; + syslog-ng starting up; version='7.0.20', cfg-fingerprint='eaa03b9efb88b87d7c1b0ce7efd042ed8ac0c013', >cfg-nonce-ndx='0', cfg-signature='c0327a7f7e6418ce0399a75089377dfb662bb072' + FIPS information; FIPS-mode='disabled' + Syslog connection established; fd='7', server='AF_INET(10.21.10.20:514)', local='AF_INET(0.0.0.0:0)' + {% endlog %} 7. To stop {{ site.product.short_name }}, press CTRL+C. diff --git a/doc/_admin-guide/100_TLS-encrypted_message_transfer/003_Password_protected_keys.md b/doc/_admin-guide/100_TLS-encrypted_message_transfer/003_Password_protected_keys.md index ff6357ad..41883bba 100644 --- a/doc/_admin-guide/100_TLS-encrypted_message_transfer/003_Password_protected_keys.md +++ b/doc/_admin-guide/100_TLS-encrypted_message_transfer/003_Password_protected_keys.md 
@@ -45,8 +45,10 @@ their status. For example: syslog-ng-ctl credentials status ``` ->Secret store status: ->/home/user/ssl_test/client-1/client-encrypted.key SUCCESS +{% log %} +Secret store status: +/home/user/ssl_test/client-1/client-encrypted.key SUCCESS +{% endlog %} If the status of a key is PENDING, you must provide the passphrase for the key, otherwise {{ site.product.short_name }} cannot use it. The sources and @@ -57,7 +59,9 @@ keys every time {{ site.product.short_name }} is restarted. The following log message also notifies you of PENDING passphrases: ->Waiting for password; keyfile='private.key' +{% log %} +Waiting for password; keyfile='private.key' +{% endlog %} You can add the passphrase to a password-protected private key file using the following command. {{ site.product.short_name }} will display a prompt for you diff --git a/doc/_admin-guide/110_Template_and_rewrite/000_Customize_message_format/007_Template_functions_of_syslog-ng.md b/doc/_admin-guide/110_Template_and_rewrite/000_Customize_message_format/007_Template_functions_of_syslog-ng.md index ff33f9c6..7e879f9d 100644 --- a/doc/_admin-guide/110_Template_and_rewrite/000_Customize_message_format/007_Template_functions_of_syslog-ng.md +++ b/doc/_admin-guide/110_Template_and_rewrite/000_Customize_message_format/007_Template_functions_of_syslog-ng.md @@ -201,9 +201,9 @@ format. Available in version 3.16 and later. The following is a sample log message in EWMM format. -><13>1 2018-05-13T13:27:50.993+00:00 my-host @syslog-ng - - - ->{"MESSAGE":"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for username on ->/dev/pts/8","HOST_FROM":"my-host","HOST":"my-host","FILE_NAME":"/tmp/in","._TAGS":".source.s_file"} +{% log %} +<13>1 2018-05-13T13:27:50.993+00:00 my-host @syslog-ng - - - {"MESSAGE":"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for username on /dev/pts/8","HOST_FROM":"my-host","HOST":"my-host","FILE_NAME":"/tmp/in","._TAGS":".source.s_file"} +{% endlog %} ## $(format-flat-json) 
diff --git a/doc/_admin-guide/120_Parser/001_Apache_access_log_parser/README.md b/doc/_admin-guide/120_Parser/001_Apache_access_log_parser/README.md index 6cf23171..da16c871 100644 --- a/doc/_admin-guide/120_Parser/001_Apache_access_log_parser/README.md +++ b/doc/_admin-guide/120_Parser/001_Apache_access_log_parser/README.md @@ -13,13 +13,16 @@ description: >- The following is a sample log message: ->127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 +{% log %} +127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 +{% endlog %} Starting with version 3.21, virtualhost and the port of the virtualhost (vhost) is also supported, for example: ->foo.com:443 1.2.3.4 - - [15/Apr/2019:14:30:16 -0400] "GET /bar.html HTTP/2.0" ->500 - "https://foo.com/referer.html" "Mozilla/5.0 ..." +{% log %} +foo.com:443 1.2.3.4 - - [15/Apr/2019:14:30:16 -0400] "GET /bar.html HTTP/2.0" 500 - "https://foo.com/referer.html" "Mozilla/5.0 ..." +{% endlog %} The {{ site.product.short_name }} application extracts every field into name-value pairs, and adds the .apache. prefix to the name of the field. diff --git a/doc/_admin-guide/120_Parser/002_Checkpoint_parser.md b/doc/_admin-guide/120_Parser/002_Checkpoint_parser.md index fe94fe11..d23fc2b0 100644 --- a/doc/_admin-guide/120_Parser/002_Checkpoint_parser.md +++ b/doc/_admin-guide/120_Parser/002_Checkpoint_parser.md 
@@ -14,11 +14,15 @@ The parser can parse messages in the following formats: For example: -><134>1 2018-03-21 17:25:25 MDS-72 CheckPoint 13752 - [action:"Update"; flags:"150784"; ifdir:"inbound"; logid:"160571424"; loguid:"{0x5ab27965,0x0,0x5b20a8c0,0x7d5707b6}";] +{% log %} +<134>1 2018-03-21 17:25:25 MDS-72 CheckPoint 13752 - [action:"Update"; flags:"150784"; ifdir:"inbound"; logid:"160571424"; loguid:"{0x5ab27965,0x0,0x5b20a8c0,0x7d5707b6}";] +{% endlog %} Splunk format: ->time=1557767758|hostname=r80test|product=Firewall|layer_name=Network|layer_uuid=c0264a80-1832-4fce-8a90-d0849dc4ba33|match_id=1|parent_rule=0|rule_action=Accept|rule_uid=4420bdc0-19f3-4a3e-8954-03b742cd3aee|action=Accept|ifdir=inbound|ifname=eth0|logid=0|loguid={0x5cd9a64e,0x0,0x5060a8c0,0xc0000001}|origin=192.168.96.80|originsicname=cn\=cp_mgmt,o\=r80test..ymydp2|sequencenum=1|time=1557767758|version=5|dst=192.168.96.80|inzone=Internal|outzone=Local|proto=6|s_port=63945|service=443|service_id=https|src=192.168.96.27| +{% log %} +time=1557767758|hostname=r80test|product=Firewall|layer_name=Network|layer_uuid=c0264a80-1832-4fce-8a90-d0849dc4ba33|match_id=1|parent_rule=0|rule_action=Accept|rule_uid=4420bdc0-19f3-4a3e-8954-03b742cd3aee|action=Accept|ifdir=inbound|ifname=eth0|logid=0|loguid={0x5cd9a64e,0x0,0x5060a8c0,0xc0000001}|origin=192.168.96.80|originsicname=cn\=cp_mgmt,o\=r80test..ymydp2|sequencenum=1|time=1557767758|version=5|dst=192.168.96.80|inzone=Internal|outzone=Local|proto=6|s_port=63945|service=443|service_id=https|src=192.168.96.27| +{% endlog %} {% include doc/admin-guide/parser-support.md %} diff --git a/doc/_admin-guide/120_Parser/003_Cisco_parser.md b/doc/_admin-guide/120_Parser/003_Cisco_parser.md index f0302cd2..663a3fe6 100644 --- a/doc/_admin-guide/120_Parser/003_Cisco_parser.md +++ b/doc/_admin-guide/120_Parser/003_Cisco_parser.md 
@@ -15,11 +15,13 @@ message format: For example: -><189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console -><190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated -><190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated -><189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console -><189>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. +{% log %} +<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console +<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated +<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated +<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console +<189>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. +{% endlog %} **NOTE:** Not every Cisco log message conforms to this format. If you find a message that the cisco-parser() cannot properly parse, contact Support, so we can improve the parser. {: .notice--info} @@ -27,8 +29,10 @@ For example: The {{ site.product.short_name }} application normalizes the parsed log messages into the following format: ->${MESSAGE}=%FAC-SEV-MNEMONIC: message ->${HOST}=origin-id +{% log %} +${MESSAGE}=%FAC-SEV-MNEMONIC: message +${HOST}=origin-id +{% endlog %} By default, the Cisco-specific fields are extracted into the following name-value pairs:${.cisco.facility}, ${.cisco.severity}, diff --git a/doc/_admin-guide/120_Parser/004_CSV_parser/README.md b/doc/_admin-guide/120_Parser/004_CSV_parser/README.md index 92151297..53c7a74a 100644 --- a/doc/_admin-guide/120_Parser/004_CSV_parser/README.md 
+++ b/doc/_admin-guide/120_Parser/004_CSV_parser/README.md @@ -93,7 +93,9 @@ formatted like: Here is a sample message: ->192.168.1.1 - - [31/Dec/2007:00:17:10 +0100] "GET /cgi-bin/example.cgi HTTP/1.1" 200 2708 "-" "curl/7.15.5 (i4 >86-pc-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3 libidn/0.6.5" 2 example.mycompany +{% log %} +192.168.1.1 - - [31/Dec/2007:00:17:10 +0100] "GET /cgi-bin/example.cgi HTTP/1.1" 200 2708 "-" "curl/7.15.5 (i4 >86-pc-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3 libidn/0.6.5" 2 example.mycompany +{% endlog %} To parse such logs, the delimiter character is set to a single whitespace (delimiters(\" \")). Whitespaces between quotes and brackets diff --git a/doc/_admin-guide/120_Parser/006_db_parser/001_Using_pattern_databases/002_Correlating_log_messages.md b/doc/_admin-guide/120_Parser/006_db_parser/001_Using_pattern_databases/002_Correlating_log_messages.md index 12531617..d47552bc 100644 --- a/doc/_admin-guide/120_Parser/006_db_parser/001_Using_pattern_databases/002_Correlating_log_messages.md +++ b/doc/_admin-guide/120_Parser/006_db_parser/001_Using_pattern_databases/002_Correlating_log_messages.md @@ -69,8 +69,10 @@ Note the following points about timeout values: Consider the following two messages: - ><38>1990-01-01T14:45:25 customhostname program6[1234]: program6 testmessage\ - ><38>1990-01-01T14:46:25 customhostname program6[1234]: program6 testmessage + {% log %} + <38>1990-01-01T14:45:25 customhostname program6[1234]: program6 testmessage + <38>1990-01-01T14:46:25 customhostname program6[1234]: program6 testmessage + {% endlog %} If the context-timeout is 10 seconds and {{ site.product.short_name }} receives the messages within 1 second, the timeout event will occour immediately, diff --git a/doc/_admin-guide/120_Parser/006_db_parser/004_The_syslog-ng_patterndb_format/README.md b/doc/_admin-guide/120_Parser/006_db_parser/004_The_syslog-ng_patterndb_format/README.md index b97ab872..1f908fe7 100644 
--- a/doc/_admin-guide/120_Parser/006_db_parser/004_The_syslog-ng_patterndb_format/README.md +++ b/doc/_admin-guide/120_Parser/006_db_parser/004_The_syslog-ng_patterndb_format/README.md @@ -24,7 +24,9 @@ The pdbtool manual page. The following pattern database contains a single rule that matches a log message of the ssh application. A sample log message looks like: ->Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2 +{% log %} +Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2 +{% endlog %} The following is a simple pattern database containing a matching rule. diff --git a/doc/_admin-guide/120_Parser/008_Fortigate_parser/README.md b/doc/_admin-guide/120_Parser/008_Fortigate_parser/README.md index f7065c42..bc7e0e84 100644 --- a/doc/_admin-guide/120_Parser/008_Fortigate_parser/README.md +++ b/doc/_admin-guide/120_Parser/008_Fortigate_parser/README.md 
@@ -15,7 +15,9 @@ The parser can parse messages in the following format: For example: -><189>date=2021-01-15 time=12:58:59 devname="FORTI_111" devid="FG100D3G12801312" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1610704739683510055 tz="+0300" srcip=91.234.154.139 srcname="91.234.154.139" srcport=45295 srcintf="wan1" srcintfrole="wan" dstip=213.59.243.9 dstname="213.59.243.9" dstport=46730 dstintf="unknown0" dstintfrole="undefined" sessionid=2364413215 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/46730" dstcountry="Russian Federation" srccountry="Russian Federation" trandisp="noop" app="udp/46730" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" +{% log %} +<189>date=2021-01-15 time=12:58:59 devname="FORTI_111" devid="FG100D3G12801312" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1610704739683510055 tz="+0300" srcip=91.234.154.139 srcname="91.234.154.139" srcport=45295 srcintf="wan1" srcintfrole="wan" dstip=213.59.243.9 dstname="213.59.243.9" dstport=46730 dstintf="unknown0" dstintfrole="undefined" sessionid=2364413215 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/46730" dstcountry="Russian Federation" srccountry="Russian Federation" trandisp="noop" app="udp/46730" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" +{% endlog %} {% include doc/admin-guide/parser-support.md %} diff --git a/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/000_kv_parser_options.md b/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/000_kv_parser_options.md index 7d61c899..43545a57 100644 --- a/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/000_kv_parser_options.md +++ b/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/000_kv_parser_options.md 
@@ -24,7 +24,9 @@ name-value pair storing the stray words. Default value:**N/A** For example, consider the following message: ->VSYS=public; Slot=5/1; protocol=17; source-ip=10.116.214.221; source-port=50989; destination-ip=172.16.236.16; >destination-port=162;time=2016/02/18 16:00:07; interzone-emtn_s1_vpn-enodeb_om; inbound; policy=370; +{% log %} +VSYS=public; Slot=5/1; protocol=17; source-ip=10.116.214.221; source-port=50989; destination-ip=172.16.236.16; >destination-port=162;time=2016/02/18 16:00:07; interzone-emtn_s1_vpn-enodeb_om; inbound; policy=370; +{% endlog %} This is a list of key-value pairs, where the value separator is **=** and the pair separator is **;**. However, before the last key-value pair diff --git a/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/README.md b/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/README.md index ca1f13ab..3ee8c885 100644 --- a/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/README.md +++ b/doc/_admin-guide/120_Parser/011_key-value_pairs_parser/README.md @@ -54,8 +54,9 @@ parser parser_name { In the following example, the source is a log message consisting of comma-separated key=value pairs, for example, a Postfix log message: ->Jun 20 12:05:12 mail.example.com postfix/qmgr[35789]: EC2AC1947DA: ->from=, size=807, nrcpt=1(queue active) +{% log %} +Jun 20 12:05:12 mail.example.com postfix/qmgr[35789]: EC2AC1947DA: from=, size=807, nrcpt=1(queue active) +{% endlog %} The kv-parser inserts the \".kv.\" prefix before all extracted name-value pairs. The destination is a file, that uses the format-json 
@@ -108,7 +109,9 @@ log { You can set the separator character between the key and the value to parse for example, key:value pairs, like MySQL logs: ->Mar 7 12:39:25 myhost MysqlClient[20824]: SYSTEM_USER:'oscar', MYSQL_USER:'my_oscar', CONNECTION_ID:23, >DB_SERVER:'127.0.0.1', DB:'--', QUERY:'USE test;' +{% log %} +Mar 7 12:39:25 myhost MysqlClient[20824]: SYSTEM_USER:'oscar', MYSQL_USER:'my_oscar', CONNECTION_ID:23, >DB_SERVER:'127.0.0.1', DB:'--', QUERY:'USE test;' +{% endlog %} ```config parser p_mysql { diff --git a/doc/_admin-guide/120_Parser/012_Linux_audit_parser/README.md b/doc/_admin-guide/120_Parser/012_Linux_audit_parser/README.md index 7eeb603e..2973ced0 100644 --- a/doc/_admin-guide/120_Parser/012_Linux_audit_parser/README.md +++ b/doc/_admin-guide/120_Parser/012_Linux_audit_parser/README.md 
@@ -10,12 +10,14 @@ description: >- The following is a sample log message of auditd: ->type=SYSCALL msg=audit(1441988805.991:239): arch=c000003e syscall=59 success=yes exit=0 a0=7fe49a6d0e98 a1=7fe49a6d0e40 a2=7fe49a6d0e80 a3=2 items=2 ppid=3652 pid=3660 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="dumpe2fs" exe="/sbin/dumpe2fs" key=(null) ->type=EXECVE msg=audit(1441988805.991:239): argc=3 a0="dumpe2fs" a1="-h" a2="/dev/sda1" ->type=CWD msg=audit(1441988805.991:239): cwd="/" ->type=PATH msg=audit(1441988805.991:239): item=0 name="/sbin/dumpe2fs" inode=137078 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ->type=PATH msg=audit(1441988805.991:239): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5243184 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ->type=PROCTITLE msg=audit(1441988805.991:239): proctitle=64756D7065326673002D68002F6465762F73646131 +{% log %} +type=SYSCALL msg=audit(1441988805.991:239): arch=c000003e syscall=59 success=yes exit=0 a0=7fe49a6d0e98 a1=7fe49a6d0e40 a2=7fe49a6d0e80 a3=2 items=2 ppid=3652 pid=3660 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="dumpe2fs" exe="/sbin/dumpe2fs" key=(null) +type=EXECVE msg=audit(1441988805.991:239): argc=3 a0="dumpe2fs" a1="-h" a2="/dev/sda1" +type=CWD msg=audit(1441988805.991:239): cwd="/" +type=PATH msg=audit(1441988805.991:239): item=0 name="/sbin/dumpe2fs" inode=137078 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL +type=PATH msg=audit(1441988805.991:239): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5243184 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL +type=PROCTITLE msg=audit(1441988805.991:239): proctitle=64756D7065326673002D68002F6465762F73646131 +{% endlog %} Certain fields of the audit log can be encoded in hexadecimal format, for example, the arch field, or the a\ fields in the previous 
diff --git a/doc/_admin-guide/120_Parser/015_netskope_parser.md b/doc/_admin-guide/120_Parser/015_netskope_parser.md index fca7da1d..663adcdb 100644 --- a/doc/_admin-guide/120_Parser/015_netskope_parser.md +++ b/doc/_admin-guide/120_Parser/015_netskope_parser.md @@ -14,7 +14,9 @@ The parser can parse messages in the following format: For example: -><134>{"count": 1, "supporting_data": {"data_values": ["x.x.x.x", "user@domain.com"], "data_type": "user"}, "organization_unit": "domain/domain/Domain Users/Enterprise Users", "severity_level": 2, "category": null, "timestamp": 1547421943, "_insertion_epoch_timestamp": 1547421943, "ccl": "unknown", "user": "user@domain.com", "audit_log_event": "Login Successful", "ur_normalized": "user@domain.com", "_id": "936289", "type": "admin_audit_logs", "appcategory": null} +{% log %} +<134>{"count": 1, "supporting_data": {"data_values": ["x.x.x.x", "user@domain.com"], "data_type": "user"}, "organization_unit": "domain/domain/Domain Users/Enterprise Users", "severity_level": 2, "category": null, "timestamp": 1547421943, "_insertion_epoch_timestamp": 1547421943, "ccl": "unknown", "user": "user@domain.com", "audit_log_event": "Login Successful", "ur_normalized": "user@domain.com", "_id": "936289", "type": "admin_audit_logs", "appcategory": null} +{% endlog %} {% include doc/admin-guide/parser-support.md %} diff --git a/doc/_admin-guide/120_Parser/015_panos_parser/001_Message_format.md b/doc/_admin-guide/120_Parser/015_panos_parser/001_Message_format.md index 8e4752ac..9d2d334e 100644 --- a/doc/_admin-guide/120_Parser/015_panos_parser/001_Message_format.md +++ b/doc/_admin-guide/120_Parser/015_panos_parser/001_Message_format.md 
@@ -21,4 +21,6 @@ For example, the most commonly used SYSTEM type has the following message format on the {{ site.product.short_name }} side after parsing: -><12>Apr 14 16:48:54 paloalto.test.net 1,2020/04/14 16:48:54,unknown,SYSTEM,auth,0,2020/04/14 16:48:54,,auth-fail,,0,0,general,medium,failed authentication for user 'admin'. Reason: Invalid username/password. From: 10.0.10.55.,1718,0x0,0,0,0,0,,paloalto +{% log %} +<12>Apr 14 16:48:54 paloalto.test.net 1,2020/04/14 16:48:54,unknown,SYSTEM,auth,0,2020/04/14 16:48:54,,auth-fail,,0,0,general,medium,failed authentication for user 'admin'. Reason: Invalid username/password. From: 10.0.10.55.,1718,0x0,0,0,0,0,,paloalto +{% endlog %} diff --git a/doc/_admin-guide/120_Parser/018_Python_parser.md b/doc/_admin-guide/120_Parser/018_Python_parser.md index e6c8f5a3..faca9254 100644 --- a/doc/_admin-guide/120_Parser/018_Python_parser.md +++ b/doc/_admin-guide/120_Parser/018_Python_parser.md @@ -111,11 +111,13 @@ False, or raises an exception, {{ site.product.short_name }} will drop the messa ## Example: Parse loggen logs The following sample code parses the messages of the loggen tool (for -details, see The loggen manual page. +details, see The loggen manual page. + The following is a sample loggen message: -><38>2017-04-05T12:16:46 localhost prg00000[1234]: seq: 0000000000, thread: 0000, ->runid: 1491387406, stamp: 2017-04-05T12:16:46 >PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD +{% log %} +<38>2017-04-05T12:16:46 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1491387406, stamp: 2017-04-05T12:16:46 >PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD +{% endlog %} The {{ site.product.short_name }} parser object references the LoggenParser class and passes a set of regular expressions to parse the loggen messages. The 
diff --git a/doc/_admin-guide/120_Parser/019_regexp_parser/README.md b/doc/_admin-guide/120_Parser/019_regexp_parser/README.md index 637c5547..3de7e7d3 100644 --- a/doc/_admin-guide/120_Parser/019_regexp_parser/README.md +++ b/doc/_admin-guide/120_Parser/019_regexp_parser/README.md @@ -34,7 +34,9 @@ parser p_regexp { In the following example, the incoming log message is the following: ->Apr 20 11:09:46 test_field -> test_value +{% log %} +Apr 20 11:09:46 test_field -> test_value +{% endlog %} The regexp-parser inserts the .regexp. prefix before all extracted name-value pairs. The destination is a file, that uses the format-json diff --git a/doc/_admin-guide/120_Parser/022_XML_parser/README.md b/doc/_admin-guide/120_Parser/022_XML_parser/README.md index 41f9d196..f606a1bc 100644 --- a/doc/_admin-guide/120_Parser/022_XML_parser/README.md +++ b/doc/_admin-guide/120_Parser/022_XML_parser/README.md @@ -98,16 +98,22 @@ For example, from this input XML: The following output is generated: -> .xml.tag.tag1 = text1text2 +{% log %} + .xml.tag.tag1 = text1text2 +{% endlog %} Whitespaces are kept as they are in the XML input. No collapsing happens on significant whitespaces. For example, from this input XML: -><133>Feb 25 14:09:07 webserver syslogd: |Test\n\n Test2|\n +{% log %} +<133>Feb 25 14:09:07 webserver syslogd: |Test\n\n Test2|\n +{% endlog %} The following output is generated: ->[2017-09-04T13:20:27.417266] Setting value; msg='0x7f2fd8002df0', name='.xml.b', value='|Test\x0a\x0a Test2|' +{% log %} +[2017-09-04T13:20:27.417266] Setting value; msg='0x7f2fd8002df0', name='.xml.b', value='|Test\x0a\x0a Test2|' +{% endlog %} However, note that users can choose to strip whitespaces using the Options of the XML parsers option. 
@@ -137,7 +143,9 @@ any of the following options: For example: - >59 <133>Feb 25 14:09:07 webserver syslogd: \nText\n + {% log %} + 59 <133>Feb 25 14:09:07 webserver syslogd: \nText\n + {% endlog %} Considering the new lines as one character, 59 is appended to the original message. diff --git a/doc/_admin-guide/120_Parser/023_websense_parser.md b/doc/_admin-guide/120_Parser/023_websense_parser.md index 14dad99b..99578484 100644 --- a/doc/_admin-guide/120_Parser/023_websense_parser.md +++ b/doc/_admin-guide/120_Parser/023_websense_parser.md @@ -15,7 +15,9 @@ The parser can parse messages in the following format: For example: -><159>Dec 19 10:48:57 EST 192.168.1.1 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=192.168.2.1 src_port=62189 dst_host=example.com dst_ip=192.168.3.1 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://example.com +{% log %} +<159>Dec 19 10:48:57 EST 192.168.1.1 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=192.168.2.1 src_port=62189 dst_host=example.com dst_ip=192.168.3.1 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://example.com +{% endlog %} {% include doc/admin-guide/parser-support.md %} diff --git a/doc/_admin-guide/130_Correlating_log_messages/000_Correlating_messages_with_grouping-by.md b/doc/_admin-guide/130_Correlating_log_messages/000_Correlating_messages_with_grouping-by.md index f24bb93f..d5d7b68a 100644 
--- a/doc/_admin-guide/130_Correlating_log_messages/000_Correlating_messages_with_grouping-by.md +++ b/doc/_admin-guide/130_Correlating_log_messages/000_Correlating_messages_with_grouping-by.md @@ -92,8 +92,10 @@ Note the following points about timeout values: Consider the following two messages: - ><38>1990-01-01T14:45:25 customhostname program6[1234]: program6 testmessage - ><38>1990-01-01T14:46:25 customhostname program6[1234]: program6 testmessage + {% log %} + <38>1990-01-01T14:45:25 customhostname program6[1234]: program6 testmessage + <38>1990-01-01T14:46:25 customhostname program6[1234]: program6 testmessage + {% endlog %} If the context-timeout is 10 seconds and {{ site.product.short_name }} receives the messages within 1 second, the timeout event will occour immediately, 
@@ -114,12 +116,14 @@ in time, but multiple events can be logged at around the same time, which get mixed up in the output. The example below is the audit log for running ntpdate: ->type=SYSCALL msg=audit(1440927434.124:40347): arch=c000003e syscall=59 success=yes exit=0 a0=7f121cef0b88 a1=7f121cef0c00 a2=7f121e690d98 a3=2 items=2 ppid=4312 pid=4347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpdate" exe="/usr/sbin/ntpdate" key=(null) ->type=EXECVE msg=audit(1440927434.124:40347): argc=3 a0="/usr/sbin/ntpdate" a1="-s" a2="ntp.ubuntu.com" ->type=CWD msg=audit(1440927434.124:40347): cwd="/" ->type=PATH msg=audit(1440927434.124:40347): item=0 name="/usr/sbin/ntpdate" inode=2006003 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ->type=PATH msg=audit(1440927434.124:40347): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5243184 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ->type=PROCTITLE msg=audit(1440927434.124:40347): proctitle=2F62696E2F7368002F7573722F7362696E2F6E7470646174652D64656269616E002D73 +{% log %} +type=SYSCALL msg=audit(1440927434.124:40347): arch=c000003e syscall=59 success=yes exit=0 a0=7f121cef0b88 a1=7f121cef0c00 a2=7f121e690d98 a3=2 items=2 ppid=4312 pid=4347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpdate" exe="/usr/sbin/ntpdate" key=(null) +type=EXECVE msg=audit(1440927434.124:40347): argc=3 a0="/usr/sbin/ntpdate" a1="-s" a2="ntp.ubuntu.com" +type=CWD msg=audit(1440927434.124:40347): cwd="/" +type=PATH msg=audit(1440927434.124:40347): item=0 name="/usr/sbin/ntpdate" inode=2006003 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL +type=PATH msg=audit(1440927434.124:40347): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5243184 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL +type=PROCTITLE msg=audit(1440927434.124:40347): 
proctitle=2F62696E2F7368002F7573722F7362696E2F6E7470646174652D64656269616E002D73 +{% endlog %} These lines are connected by their second field: `msg=audit(1440927434.124:40347)`. You can parse such messages using the diff --git a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/000_Using_filters_as_selector.md b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/000_Using_filters_as_selector.md index 4b73a51a..5ab497a3 100644 --- a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/000_Using_filters_as_selector.md +++ b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/000_Using_filters_as_selector.md @@ -13,11 +13,11 @@ description: >- For example, the database file can contain the entries. (For details on the accepted CSV-format, see database()) -```text +{% log %} f_auth,domain,all f_localhost,source,localhost f_kern,domain,kernel -``` +{% endlog %} Note that {{ site.product.short_name }} does not evaluate other filters after the first match. For example, if you use the previous database file, and a message @@ -27,11 +27,11 @@ only the name-value pair of f_auth to the message. To add multiple name-value pairs to a message, include a separate line in the database for each name-value pair, for example: -```text +{% log %} f_localhost,host-role,firewall f_localhost,contact-person,"John Doe" f_localhost,contact-email,johndoe@example.com -``` +{% endlog %} You can also add data to messages that do not have a matching selector entry in the database using the default-selector() option. 
diff --git a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/001_Shell_style_globbing.md b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/001_Shell_style_globbing.md index a51f6dde..50b1406f 100644 --- a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/001_Shell_style_globbing.md +++ b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/001_Shell_style_globbing.md @@ -23,11 +23,11 @@ To use globs in a selector 2. Use globs and wildcards in the selector column of your CSV-file, for example: - ```text + {% log %} example-glob-entry1*,sourcetype,:hec:user example-glob-entry2*,sourcetype,:hec:user postfix*,sourcetype,:hec:mta - ``` + {% endlog %} Note the following points when using globbing in the selector: 
@@ -44,7 +44,9 @@ Note the following points when using globbing in the selector: - In debug mode, {{ site.product.short_name }} sends log messages to its internal() destination to help troubleshooting. For example: - >[2019-09-21T06:01:10.748237] add-contextual-data(): Evaluating glob against message; glob-template='${PROGRAM}', string='postfix/smtpd', pattern='example-glob-entry1*', matched='0' - >[2019-09-21T06:01:10.748562] add-contextual-data(): Evaluating glob against message; glob-template='${PROGRAM}', string='postfix/smtpd', pattern='example-glob-entry2*', matched='0' - >[2019-09-21T06:01:10.748697] add-contextual-data(): Evaluating glob against message; glob-template='${PROGRAM}', string='postfix/smtpd', pattern='postfix*', matched='1' - >[2019-09-21T06:01:10.750084] add-contextual-data(): message lookup finished; message='almafa', resolved_selector='postfix*', selector='postfix*', msg='0x8e15320' + {% log %} + [2019-09-21T06:01:10.748237] add-contextual-data(): Evaluating glob against message; glob-template='${PROGRAM}', string='postfix/smtpd', pattern='example-glob-entry1*', matched='0' + [2019-09-21T06:01:10.748562] add-contextual-data(): Evaluating glob against message; glob-template='${PROGRAM}', string='postfix/smtpd', pattern='example-glob-entry2*', matched='0' + [2019-09-21T06:01:10.748697] add-contextual-data(): Evaluating glob against message; glob-template='${PROGRAM}', string='postfix/smtpd', pattern='postfix*', matched='1' + [2019-09-21T06:01:10.750084] add-contextual-data(): message lookup finished; message='almafa', resolved_selector='postfix*', selector='postfix*', msg='0x8e15320' + {% endlog %} diff --git a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/002_add-contextual-data_options.md b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/002_add-contextual-data_options.md index 6866bc3a..b10c04c1 100644 
--- a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/002_add-contextual-data_options.md +++ b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/002_add-contextual-data_options.md @@ -32,9 +32,9 @@ then you can include a line for unknown hosts in the database, and set default-selector() to the ID of the line for unknown hosts. In the CSV file: -```text +{% log %} unknown-hostname,host-role,unknown -``` +{% endlog %} In the {{ site.product.short_name }} configuration file: diff --git a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/README.md b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/README.md index 1a169193..ba7fae74 100644 --- a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/README.md +++ b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/README.md @@ -30,11 +30,11 @@ format, where each line contains the following information: For example, the following csv-file contains three lines identified with the IP address, and adds the host-role field to the log message. -```text +{% log %} 192.168.1.1,host-role,webserver 192.168.2.1,host-role,firewall 192.168.3.1,host-role,mailserver -``` +{% endlog %} ## The database file @@ -46,11 +46,11 @@ with the following exceptions and limitations: To add multiple name-value pairs to a message, include a separate line in the database for each name-value pair, for example: -```text +{% log %} 192.168.1.1,host-role,webserver 192.168.1.1,contact-person,"John Doe" 192.168.1.1,contact-email,johndoe@example.com -``` +{% endlog %} Technically, add-contextual-data() is a parser in {{ site.product.short_name }} so you have to define it as a parser object. 
@@ -103,9 +103,9 @@ log { }; ``` -```text +{% log %} 192.168.1.1,host-role,webserver 192.168.2.1,host-role,firewall 192.168.3.1,host-role,mailserver unknown,host-role,unknown -``` +{% endlog %} diff --git a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/001_Looking_up_geoip2_data/001_Using_the_geoip2_parser.md b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/001_Looking_up_geoip2_data/001_Using_the_geoip2_parser.md index bbc34cdb..6ea9b526 100644 --- a/doc/_admin-guide/140_Enriching_log_messages_with_external_data/001_Looking_up_geoip2_data/001_Using_the_geoip2_parser.md +++ b/doc/_admin-guide/140_Enriching_log_messages_with_external_data/001_Looking_up_geoip2_data/001_Using_the_geoip2_parser.md 
@@ -61,4 +61,6 @@ log { For example, for the \<38\>2017-05-24T13:09:46 192.168.1.1 prg00000\[1234\]: test message message the output will look like: -><38>1 2017-05-24T13:09:46+02:00 192.168.1.1 prg00000 1234 - [meta sequenceId="3"] {"geoip2":{"subdivisions":{"0":{"names":{"en":"Budapest"},"iso_code":"BU","geoname_id":"3054638"}},"registered_country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"postal":{"code":"1063"},"location":{"time_zone":"Europe/Budapest","longitude":"19.070200","latitude":"47.510200","accuracy_radius":"5"},"country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"continent":{"names":{"en":"Europe"},"geoname_id":"6255148","code":"EU"},"city":{"names":{"en":"Budapest"},"geoname_id":"3054643"}},"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"test message","HOST":"192.168.1.1","FACILITY":"auth","DATE":"May 24 13:09:46"} +{% log %} +<38>1 2017-05-24T13:09:46+02:00 192.168.1.1 prg00000 1234 - [meta sequenceId="3"] {"geoip2":{"subdivisions":{"0":{"names":{"en":"Budapest"},"iso_code":"BU","geoname_id":"3054638"}},"registered_country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"postal":{"code":"1063"},"location":{"time_zone":"Europe/Budapest","longitude":"19.070200","latitude":"47.510200","accuracy_radius":"5"},"country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"continent":{"names":{"en":"Europe"},"geoname_id":"6255148","code":"EU"},"city":{"names":{"en":"Budapest"},"geoname_id":"3054643"}},"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"test message","HOST":"192.168.1.1","FACILITY":"auth","DATE":"May 24 13:09:46"} +{% endlog %} diff --git a/doc/_admin-guide/150_Statistics_of_syslog-ng/000_Metrics_and_counters.md b/doc/_admin-guide/150_Statistics_of_syslog-ng/000_Metrics_and_counters.md index 1d259b5d..f2f1b899 100644 --- a/doc/_admin-guide/150_Statistics_of_syslog-ng/000_Metrics_and_counters.md 
+++ b/doc/_admin-guide/150_Statistics_of_syslog-ng/000_Metrics_and_counters.md @@ -46,18 +46,20 @@ The displayed metrics have the following structure. The following example contains 6 different dynamic values: a sender, a host, and four different programs. - >src.sender;;localhost;d;processed;4 - >src.sender;;localhost;d;stamp;1509121934 - >src.program;;P-18069;d;processed;1 - >src.program;;P-18069;d;stamp;1509121933 - >src.program;;P-21491;d;processed;1 - >src.program;;P-21491;d;stamp;1509121934 - >src.program;;P-9774;d;processed;1 - >src.program;;P-9774;d;stamp;1509121919 - >src.program;;P-14737;d;processed;1 - >src.program;;P-14737;d;stamp;1509121931 - >src.host;;localhost;d;processed;4 - >src.host;;localhost;d;stamp;1509121934 + {% log %} + src.sender;;localhost;d;processed;4 + src.sender;;localhost;d;stamp;1509121934 + src.program;;P-18069;d;processed;1 + src.program;;P-18069;d;stamp;1509121933 + src.program;;P-21491;d;processed;1 + src.program;;P-21491;d;stamp;1509121934 + src.program;;P-9774;d;processed;1 + src.program;;P-9774;d;stamp;1509121919 + src.program;;P-14737;d;processed;1 + src.program;;P-14737;d;stamp;1509121931 + src.host;;localhost;d;processed;4 + src.host;;localhost;d;stamp;1509121934 + {% endlog %} To avoid performance issues or even overloading {{ site.product.short_name }}, you might want to limit the number of registered dynamic @@ -93,9 +95,11 @@ The displayed metrics have the following structure. Statistics output: - >src.tcp;s_network#0;tcp,127.0.0.5;a;processed;1 - >src.tcp;s_network#0;tcp,127.0.0.1;a;processed;3 - >src.tcp;s_network;afsocket_sd.(stream,AF_INET(0.0.0.0:8001));a;connections;2 + {% log %} + src.tcp;s_network#0;tcp,127.0.0.5;a;processed;1 + src.tcp;s_network#0;tcp,127.0.0.1;a;processed;3 + src.tcp;s_network;afsocket_sd.(stream,AF_INET(0.0.0.0:8001));a;connections;2 + {% endlog %} 6. The type of the statistics: 
diff --git a/doc/_admin-guide/150_Statistics_of_syslog-ng/001_Log_statistic_from_internal_source.md b/doc/_admin-guide/150_Statistics_of_syslog-ng/001_Log_statistic_from_internal_source.md index c1d911af..f5f694c5 100644 --- a/doc/_admin-guide/150_Statistics_of_syslog-ng/001_Log_statistic_from_internal_source.md +++ b/doc/_admin-guide/150_Statistics_of_syslog-ng/001_Log_statistic_from_internal_source.md @@ -18,12 +18,14 @@ that has a single source (s_local) and a network and a local file destination (d_network and d_local, respectively). All incoming messages are sent to both destinations. ->Log statistics; ->dropped='tcp(AF_INET(192.168.10.1:514))=6439', ->processed='center(received)=234413', ->processed='destination(d_tcp)=234413', ->processed='destination(d_local)=234413', ->processed='source(s_local)=234413' +{% log %} +Log statistics; +dropped='tcp(AF_INET(192.168.10.1:514))=6439', +processed='center(received)=234413', +processed='destination(d_tcp)=234413', +processed='destination(d_local)=234413', +processed='source(s_local)=234413' +{% endlog %} The statistics include a list of source groups and destinations, as well as the number of processed messages for each. You can control the 
@@ -31,33 +33,35 @@ verbosity of the statistics using the level parameter of stats() global option. The following is an example output. ->src.internal;s_all#0;;a;processed;6445 ->src.internal;s_all#0;;a;stamp;1268989330 ->destination;df_auth;;a;processed;404 ->destination;df_news_dot_notice;;a;processed;0 ->destination;df_news_dot_err;;a;processed;0 ->destination;d_ssb;;a;processed;7128 ->destination;df_uucp;;a;processed;0 ->source;s_all;;a;processed;7128 ->destination;df_mail;;a;processed;0 ->destination;df_user;;a;processed;1 ->destination;df_daemon;;a;processed;1 ->destination;df_debug;;a;processed;15 ->destination;df_messages;;a;processed;54 ->destination;dp_xconsole;;a;processed;671 ->dst.tcp;d_network#0;10.50.0.111:514;a;dropped;5080 ->dst.tcp;d_network#0;10.50.0.111:514;a;processed;7128 ->dst.tcp;d_network#0;10.50.0.111:514;a;queued;2048 ->destination;df_syslog;;a;processed;6724 ->destination;df_facility_dot_warn;;a;processed;0 ->destination;df_news_dot_crit;;a;processed;0 ->destination;df_lpr;;a;processed;0 ->destination;du_all;;a;processed;0 ->destination;df_facility_dot_info;;a;processed;0 ->center;;received;a;processed;0 ->destination;df_kern;;a;processed;70 ->center;;queued;a;processed;0 ->destination;df_facility_dot_err;;a;processed;0 +{% log %} +src.internal;s_all#0;;a;processed;6445 +src.internal;s_all#0;;a;stamp;1268989330 +destination;df_auth;;a;processed;404 +destination;df_news_dot_notice;;a;processed;0 +destination;df_news_dot_err;;a;processed;0 +destination;d_ssb;;a;processed;7128 +destination;df_uucp;;a;processed;0 +source;s_all;;a;processed;7128 +destination;df_mail;;a;processed;0 +destination;df_user;;a;processed;1 +destination;df_daemon;;a;processed;1 +destination;df_debug;;a;processed;15 +destination;df_messages;;a;processed;54 +destination;dp_xconsole;;a;processed;671 +dst.tcp;d_network#0;10.50.0.111:514;a;dropped;5080 +dst.tcp;d_network#0;10.50.0.111:514;a;processed;7128 +dst.tcp;d_network#0;10.50.0.111:514;a;queued;2048 
+destination;df_syslog;;a;processed;6724 +destination;df_facility_dot_warn;;a;processed;0 +destination;df_news_dot_crit;;a;processed;0 +destination;df_lpr;;a;processed;0 +destination;du_all;;a;processed;0 +destination;df_facility_dot_info;;a;processed;0 +center;;received;a;processed;0 +destination;df_kern;;a;processed;70 +center;;queued;a;processed;0 +destination;df_facility_dot_err;;a;processed;0 +{% endlog %} The statistics are semicolon separated: every line contains statistics for a particular object (for example, source, destination, tag, and so diff --git a/doc/_admin-guide/180_Troubleshooting_syslog-ng/003_Running_a_failure_script.md b/doc/_admin-guide/180_Troubleshooting_syslog-ng/003_Running_a_failure_script.md index 57838deb..c7ac32c4 100644 --- a/doc/_admin-guide/180_Troubleshooting_syslog-ng/003_Running_a_failure_script.md +++ b/doc/_admin-guide/180_Troubleshooting_syslog-ng/003_Running_a_failure_script.md @@ -52,7 +52,7 @@ To create a sample failure script, complete the following steps. that the relevant information is written into the /tmp/test.txt file, for example: - ```text + {% log %} Thu May 18 12:08:58 UTC 2017 Name............syslog-ng Chroot dir......NULL 
@@ -63,14 +63,16 @@ To create a sample failure script, complete the following steps. Reason..........signalled Argbuf..........9 Restarting......not-restarting - ``` + {% endlog %} 4. You should also see messages similar to the following in system syslog. The exact message depends on the signal (or the reason why {{ site.product.short_name }} stopped): - >May 18 13:56:09 myhost supervise/syslog-ng[10820]: Daemon exited gracefully, not restarting; exitcode='0' - >May 18 13:57:01 myhost supervise/syslog-ng[10996]: Daemon exited due to a deadlock/signal/failure, restarting; exitcode='131' - >May 18 13:57:37 myhost supervise/syslog-ng[11480]: Daemon was killed, not restarting; exitcode='9' + {% log %} + May 18 13:56:09 myhost supervise/syslog-ng[10820]: Daemon exited gracefully, not restarting; exitcode='0' + May 18 13:57:01 myhost supervise/syslog-ng[10996]: Daemon exited due to a deadlock/signal/failure, restarting; exitcode='131' + May 18 13:57:37 myhost supervise/syslog-ng[11480]: Daemon was killed, not restarting; exitcode='9' + {% endlog %} The failure script should run on every non-zero exit event. diff --git a/doc/_admin-guide/180_Troubleshooting_syslog-ng/010_SELinux.md b/doc/_admin-guide/180_Troubleshooting_syslog-ng/010_SELinux.md index 9a462a92..88563aff 100644 --- a/doc/_admin-guide/180_Troubleshooting_syslog-ng/010_SELinux.md +++ b/doc/_admin-guide/180_Troubleshooting_syslog-ng/010_SELinux.md 
@@ -10,8 +10,10 @@ If you are using a recent enough PCRE library, {{ site.product.short_name }} wil automatically use the JIT of the regexp engine, which will result in a similar error: ->setroubleshoot [21631 ] : SELinux is preventing from using the execmem access on a process. (...) ->python [21631 ] : SELinux is preventing from using the execmem access on a process. +{% log %} +setroubleshoot [21631 ] : SELinux is preventing from using the execmem access on a process. (...) +python [21631 ] : SELinux is preventing from using the execmem access on a process. +{% endlog %} To resolve this issue, switch off the PCRE JIT compile function by using the `disable-jit` diff --git a/doc/_admin-guide/190_The_syslog-ng_manual_pages/007_syslog-ng_control_tool_manual.md b/doc/_admin-guide/190_The_syslog-ng_manual_pages/007_syslog-ng_control_tool_manual.md index aa95b61a..868842b6 100644 --- a/doc/_admin-guide/190_The_syslog-ng_manual_pages/007_syslog-ng_control_tool_manual.md +++ b/doc/_admin-guide/190_The_syslog-ng_manual_pages/007_syslog-ng_control_tool_manual.md @@ -112,7 +112,7 @@ that {{ site.product.short_name }} collects about the processed messages. An example output: -```text +{% log %} center.received.stats.processed center.queued.stats.processed destination.d_elastic.stats.processed @@ -154,7 +154,7 @@ global.payload_reallocs.stats.processed global.msg_clones.stats.processed global.sdata_updates.stats.processed tag..source.s_tcp.stats.processed -``` +{% endlog %} The syslog-ng-ctl query list command has the following options: @@ -172,9 +172,9 @@ the query, and their values. For example, the destination query lists the configured destinations, and the metrics related to each destination. An example output: -```text +{% log %} destination.d_elastic.stats.processed=0 -``` +{% endlog %} The syslog-ng-ctl query get command has the following options: 
@@ -212,11 +212,11 @@ The stats command has the following options: This is useful, for example, when a templated file destination produces a lot of stats: - ```text + {% log %} dst.file;#anon-destination0#0;/tmp/2021-08-16.log;o;processed;253592 dst.file;#anon-destination0#0;/tmp/2021-08-17.log;o;processed;156 dst.file;#anon-destination0#0;/tmp/2021-08-18.log;a;processed;961 - ``` + {% endlog %} **NOTE:** The stats(lifetime()) can be used to do the same automatically and periodically, but currently stats(lifetime()) @@ -231,7 +231,7 @@ syslog-ng-ctl stats An example output: -```text +{% log %} src.internal;s_all#0;;a;processed;6445 src.internal;s_all#0;;a;stamp;1268989330 destination;df_auth;;a;processed;404 @@ -259,7 +259,7 @@ center;;received;a;processed;0 destination;df_kern;;a;processed;70 center;;queued;a;processed;0 destination;df_facility_dot_err;;a;processed;0 -``` +{% endlog %} ## HANDLING PASSWORD-PROTECTED PRIVATE KEYS @@ -285,8 +285,10 @@ their status. For example: syslog-ng-ctl credentials status ``` ->Secret store status: ->/home/user/ssl_test/client-1/client-encrypted.key SUCCESS +{% log %} +Secret store status: +/home/user/ssl_test/client-1/client-encrypted.key SUCCESS +{% endlog %} If the status of a key is PENDING, you must provide the passphrase for the key, otherwise {{ site.product.short_name }} cannot use it. The sources and @@ -297,7 +299,9 @@ keys every time {{ site.product.short_name }} is restarted. The following log message also notifies you of PENDING passphrases: ->Waiting for password; keyfile='private.key' +{% log %} +Waiting for password; keyfile='private.key' +{% endlog %} `--control=` or `-c` Specify the socket to use to access {{ site.product.short_name }}. Only needed when diff --git a/doc/_admin-guide/190_The_syslog-ng_manual_pages/012_secure_logging_manual.md b/doc/_admin-guide/190_The_syslog-ng_manual_pages/012_secure_logging_manual.md index 3990f2ac..4cf0dcf8 100644 
--- a/doc/_admin-guide/190_The_syslog-ng_manual_pages/012_secure_logging_manual.md +++ b/doc/_admin-guide/190_The_syslog-ng_manual_pages/012_secure_logging_manual.md @@ -31,11 +31,11 @@ To optimize log verification and analysis, a sequence number is added to each lo The follwoing is an example of three short original log messages that are sent to a destination with secure logging enabled: -```text +{% log %} This is a log message And here comes another log message This is a log message with a longer text that is processed without any problems -``` +{% endlog %} To identify the status of the secure logging environment, check the sequence counter by querying the key file with the `slogkey` utility: 
@@ -48,19 +48,19 @@ The numbering of log messages starts at zero, due to this, the counter is set to The output of the secure logging template for the three example messages is shown below. The sequence number that was prepended to each message can be observed. The colon indicates the end of the sequence number and the start of the original message. As three message were processed, the sequence counter of the key is also three. -```text +{% log %} AAAAAAAAAAA=:k3/dYpLsgO2tUJKSauo6dycIBzW6OTC3pyA9TP+7AnqFgEojBzgC2rcK4OPfRtr8yg== AQAAAAAAAAA=:smw0ATISVgN+BYEu5d7OLBE7aQhHpK9Ro4MndmNgSVrqhcmRCBCj6DUnD6ku0Z29CKJ0N6LAJUgByX4Ev+g= AgAAAAAAAAA=:5UVybnKL1EAbgC4CLfd8HpgurjREf4LEN61/yWHSD2hbXjRD4QmQdtbwguT1chzdItKSQASps9QRIvR5Jd4AHzHfqxI4aRgdUBcNbAq26nwUCg5vPWygjmbtQaxZgCJYkry8slxCigmbTVs= -``` +{% endlog %} The following is the output of a successful verification run: -```text +{% log %} 0000000000000000: This is a log message 0000000000000001: And here comes another log message 0000000000000002: This is a log message with a longer text that is processed without any problems -``` +{% endlog %} The original log messages have been successfully restored, and the sequence counters are also assigned to the clear text messages. This helps in analyzing problems within a particular log entry. As real log files will contain thousands of entries. The sequence counter helps to identify faulty entries.
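Review bot: the stats sample converted in the `@@ -31,33 +33,35 @@` hunk of 003_Managing_and_checking_syslog-ng_OSE_service_on_Linux.md is the same excerpt that the `@@ -231,7 +231,7 @@` and `@@ -259,7 +259,7 @@` hunks convert in 007_syslog-ng_control_tool_manual.md (both begin with `src.internal;s_all#0;;a;processed;6445` and end with `destination;df_facility_dot_err;;a;processed;0`). Since this change already touches both copies, consider moving the excerpt into a single include so the two pages cannot drift apart the next time one of them is edited.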
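Review bot: in the `@@ -63,14 +63,16 @@` hunk of 003_Running_a_failure_script.md both `{% log %}` blocks sit inside numbered list items, so the tag lines and the excerpt lines (`May 18 13:56:09 myhost supervise/syslog-ng[10820]: Daemon exited gracefully, not restarting; exitcode='0'`) carry four leading spaces. Please confirm on the rendered page that this indentation is neither shown inside the excerpt nor treated by the Markdown processor as a block of its own, since the `text` fence it replaces relied on the same list-continuation indentation.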
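Review bot: the `@@ -212,11 +212,11 @@` hunk of 007_syslog-ng_control_tool_manual.md has the same indented-list layout for the three `dst.file;#anon-destination0#0;/tmp/2021-08-16.log;o;processed;253592` lines, so the rendering should be checked there too. These lines are semicolon-delimited records whose field positions are the point of the example, so if the block wraps a line on a narrow screen the continuation must still read as part of the same record.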
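Review bot: the `@@ -285,8 +285,10 @@` hunk of 007_syslog-ng_control_tool_manual.md keeps the command `syslog-ng-ctl credentials status` in a backtick fence while moving its output (`Secret store status:` and `/home/user/ssl_test/client-1/client-encrypted.key SUCCESS`) into `{% log %}`. That establishes a convention (fences for commands and configuration, log blocks for captured output) that nothing in the patch documents; add a sentence about it to the contributor documentation so later edits keep the two apart.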
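Review bot: the context of the `@@ -31,11 +31,11 @@` hunk of 012_secure_logging_manual.md still reads "The follwoing is an example of three short original log messages"; the typo (following) sits directly above the lines this patch changes and could be corrected in the same change.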
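Review bot: in the `@@ -48,19 +48,19 @@` hunk of 012_secure_logging_manual.md the three encrypted records (starting with `AAAAAAAAAAA=:k3/dYpLsgO2tUJKSauo6dycIBzW6OTC3pyA9TP+7AnqFgEojBzgC2rcK4OPfRtr8yg==`) are long single tokens with no whitespace, which is the worst case for a block that wraps on display. Verify that they wrap inside the log block rather than overflowing the column, and that a reader can still see where each record's sequence-number prefix ends at the colon. The trailing context also reads "As three message were processed" (messages) and "As real log files will contain thousands of entries." is a fragment that belongs to the sentence after it; both are cheap to fix while this hunk is open.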