Splunk Enterprise

How to configure syslog-ng to get events from firewalls such as Sophos, Fortinet, SonicWall, etc.?

sathyajith_tekd
Engager

I have created a test environment with a search head, an indexer and a heavy forwarder. On the heavy forwarder I installed and configured syslog-ng. After configuring syslog-ng I am receiving events, so I use "monitor files and directories" on the heavy forwarder to pick up the events and transfer them to the indexer. When checking the firewall events in the search head, the heavy forwarder's host name shows as their host. Kindly find the syslog-ng.conf below. Is it possible for syslog-ng itself to forward the events to the heavy forwarder so that the host name will be the network device IP?

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));   # stays commented out: s_udp514 below binds UDP 514
};

# Raw firewall syslog: flags(no-parse) keeps the whole packet in ${MSG}
source s_udp514 {
    network(
        transport("udp")
        port(514)
        flags(no-parse)
    );
};

source s_tcp514 {
    network(
        transport("tcp")
        port(514)
        flags(no-parse)
    );
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
# Only ${MSG} is written, so the monitor input has nothing but the file to
# derive host from and defaults it to the heavy forwarder's own name
destination d_udp514 { file("/var/log/udp514.log" template("${MSG}\n")); };
destination d_tcp514 { file("/var/log/tcp514.log" template("${MSG}\n")); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
                   not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
                (facility(news)
                 and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_udp514); destination(d_udp514); };
log { source(s_tcp514); destination(d_tcp514); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:


p_gurav
Champion

Does the source name contain the hostname? If yes, try giving host_segment in inputs.conf.
Also try the options below:

options {
    sync (0);                 # deprecated alias of flush_lines()
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);     # deprecated alias of chain_hostnames()
    use_dns (yes);            # resolve sender addresses to names
    use_fqdn (yes);
    use_time_recvd (yes);     # deprecated in syslog-ng 3.x
    create_dirs (yes);
    keep_hostname (yes);
};
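As an added example (not configuration from either post), one way to get the device IP as the Splunk host without changing the forwarding path: syslog-ng writes one file per sending device, keyed on the `${SOURCEIP}` macro (the address the packet arrived from, so it is populated even with flags(no-parse), where the header is not parsed), and the heavy forwarder's monitor stanza takes the host from that path segment with host_segment as suggested above. The /var/log/remote path and the fw:syslog sourcetype are assumed names.

```conf
# --- syslog-ng.conf fragment: goes beside the existing s_udp514 / s_tcp514 sources ---
options {
    create_dirs (yes);      # per-device directories must be creatable (the original has no)
    use_dns (no);           # keep the raw sender address; no reverse lookups
    keep_hostname (yes);
};

# ${SOURCEIP} is always the sender's address; ${MSG} holds the whole raw packet
# because the sources use flags(no-parse).
destination d_fw_by_ip {
    file("/var/log/remote/${SOURCEIP}/syslog.log"    # assumed path
         template("${MSG}\n")
         create_dirs(yes)
         perm(0644));                                # readable by the splunk user
};

log { source(s_udp514); destination(d_fw_by_ip); };
log { source(s_tcp514); destination(d_fw_by_ip); };

# --- inputs.conf on the heavy forwarder ---
# /var/log/remote/<ip>/syslog.log -> path segments: var=1 log=2 remote=3 <ip>=4
[monitor:///var/log/remote/*/syslog.log]
host_segment = 4
sourcetype = fw:syslog    # assumed sourcetype name
disabled = false
```

Keep use_dns(no) if the host field should be the IP rather than a resolved name; with use_dns(yes) and use_fqdn(yes) the same layout could be keyed on ${HOST} instead.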