Hi, first things first: good news! :)
On to the meat...

> I've been working on a project known as "Sagan" for some time.
> Basically, Sagan uses a 'Snort like' (IDS/IPS) rule set and can detect
> when "bad things" are happening and correlate that information with your
> IDS/IPS Snort back end. For more information about Sagan, please see:
>
> http://sagan.softwink.com
>
> When I started writing Sagan, it was syslog-ng centric. However,
> considering the amount of rsyslog users, I decided to take a shot at
> making Sagan work with rsyslog. T'was a breeze, and over all, I'm
> dang impressed with rsyslog's functionality.
>
> Sagan 'reads' a named pipe (FIFO) for events, then uses its rule
> set to 'parse' these events for 'bad things' happening (attacks, system
> problems, etc). In the syslog-ng world, my template for Sagan is:
>
> --<snip>-------------------------------------
>
> destination sagan {
>     pipe("/var/run/sagan.fifo"
>         template("$SOURCEIP|$FACILITY|$PRIORITY|$LEVEL|$TAG|$YEAR-$MONTH-$DAY|$HOUR:$MIN:$SEC|$PROGRAM|$MSG\n")
>         template-escape(no));
> };
>
> --<snip>-------------------------------------
>
> I'm attempting to mimic this template with rsyslog. This is the
> template that I have so far:
>
> --<snip>-------------------------------------
>
> # Template for Sagan (for the FIFO)
>
> $template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"
>
> # Calling the named pipe...
>
> *.* |/var/run/sagan.fifo;sagan
>
> --<snip>-------------------------------------
>
> Sagan seems to be able to read the events from the named pipe fine.
> I was wondering, based on the functionality, if anyone might see a better
> way to do this?

This looks good. The only thing I see instantly is that we could spare a few CPU cycles (with recent v5 builds) if we use a strgen module.
A strgen effectively builds the template string via C code instead of the template processor and thus is a bit faster and more flexible. Nothing to really care about for a low to medium number of messages, but it makes a small difference if you have several ten-thousand messages per second. It isn't hard to write one and I think I could contribute it some time next week if you find it useful.

> I noticed between rsyslog and syslog-ng, the $TAG
> and %syslogtag% functionality seems to be a bit different. For
> example:
>
> Syslog-ng "$TAG" == 1e
> rsyslog %syslogtag% == the program name (for example: 'rsync:')

I really don't know what syslog-ng does here. Is it really the string 1e or the ASCII char 1e? If so, this is very strange to me. SYSLOG-TAG is defined in RFC 5424 and the traditional meaning is described in RFC 3164. rsyslog uses these definitions. But I don't know syslog-ng at all, so I do not know what they call the "tag". But obviously they have applied a non-standard meaning to this name.

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
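The following is an added example (not code from Sagan, rsyslog or the thread's authors) that emulates what the rsyslog "sagan" template above emits and then parses the resulting FIFO line the way a Sagan-side consumer must. Two points it makes that the thread only touches on: first, %msg% is the last field and can itself contain '|', so the consumer has to split at most eight times, not on every pipe; second, rsyslog's %syslogtag% keeps the pid and trailing colon (e.g. 'sshd[2112]:') while %programname% strips them, which is why both appear in the template. The syslog-ng side of the $TAG question is also illustrated: syslog-ng's documentation defines $TAG as the PRI value (facility*8 + severity) as two hex digits, so daemon.info renders as '1e', which matches the value quoted above. The Event class, the facility/severity name tables (a common subset of rsyslog's own) and the sample event are all constructed for this example; %syslogpriority-text% is treated as an alias of %syslogseverity-text%, as rsyslog documents it.

```python
"""Emulate the rsyslog 'sagan' template and parse the FIFO lines it produces.

Added example for the thread above; it is not part of rsyslog or Sagan.
The Event type, name tables and sample event are constructed for illustration.
"""
from dataclasses import dataclass

# Names as rsyslog renders %syslogfacility-text% / %syslogseverity-text%
# (common subset only; rsyslog's own table is longer).
FACILITY_TEXT = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                 6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                 **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY_TEXT = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Field names for the nine '|'-separated columns of the template, in order.
SAGAN_FIELDS = ("src_ip", "facility", "priority", "severity", "tag",
                "date", "time", "program", "msg")


@dataclass
class Event:
    """A received syslog message, as rsyslog's message properties expose it (assumed shape)."""
    fromhost_ip: str
    facility: int
    severity: int
    syslogtag: str       # %syslogtag%: e.g. 'sshd[2112]:' (pid and trailing colon retained)
    timegenerated: str   # date-rfc3339 rendering, e.g. 2010-03-15T14:22:05.123456-04:00
    msg: str             # %msg%: text after the tag; rsyslog keeps the leading space


def rsyslog_substr(value: str, start: int, end: int) -> str:
    """%prop:start:end% selects characters start..end, 1-based and inclusive."""
    return value[start - 1:end]


def programname(tag: str) -> str:
    """%programname%: the tag up to the first '[' or ':' ('sshd[2112]:' -> 'sshd')."""
    for sep in ("[", ":"):
        tag = tag.split(sep, 1)[0]
    return tag


def syslog_ng_tag(facility: int, severity: int) -> str:
    """syslog-ng's $TAG macro: the PRI value (facility*8 + severity) as two hex digits."""
    return f"{facility * 8 + severity:02x}"


def render_sagan_line(ev: Event) -> str:
    """Produce the line the $template sagan definition writes to /var/run/sagan.fifo."""
    severity_text = SEVERITY_TEXT[ev.severity]
    fields = [
        ev.fromhost_ip,
        FACILITY_TEXT[ev.facility],
        severity_text,                                   # %syslogpriority-text% (alias)
        severity_text,                                   # %syslogseverity-text%
        ev.syslogtag,
        rsyslog_substr(ev.timegenerated, 1, 10),         # YYYY-MM-DD
        rsyslog_substr(ev.timegenerated, 12, 19),        # HH:MM:SS
        programname(ev.syslogtag),
        ev.msg,
    ]
    return "|".join(fields) + "\n"


def parse_sagan_line(line: str) -> dict:
    """Split a FIFO line into its nine fields.

    The message is the last column and may contain '|' itself, so split at most
    eight times; a plain split('|') would shift or multiply the trailing fields.
    """
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != len(SAGAN_FIELDS):
        raise ValueError(f"expected {len(SAGAN_FIELDS)} fields, got {len(fields)}: {line!r}")
    return dict(zip(SAGAN_FIELDS, fields))


# Constructed sample event (not captured from a real host); the message deliberately
# contains a '|' to exercise the split limit.
SAMPLE = Event(
    fromhost_ip="192.0.2.10", facility=3, severity=6, syslogtag="sshd[2112]:",
    timegenerated="2010-03-15T14:22:05.123456-04:00",
    msg=" Accepted publickey for root from 10.0.0.5 port 51234 ssh2: fingerprint ab|cd",
)

if __name__ == "__main__":
    line = render_sagan_line(SAMPLE)
    print(line, end="")
    for name, value in parse_sagan_line(line).items():
        print(f"{name:>9}: {value!r}")
    print("syslog-ng $TAG for daemon.info:", syslog_ng_tag(3, 6))
```

Running it shows the nine columns recovered intact despite the pipe inside the message, 'sshd[2112]:' in the tag column beside 'sshd' in the program column, and '1e' as the syslog-ng $TAG for daemon.info. If a deployment cannot rule out '|' in messages and the consumer splits on every pipe, the safer change is on the consumer side (bounded split, as here) rather than altering the template.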

