Hello all!
I've been working on a project known as "Sagan" for some time.
Basically, Sagan uses a 'Snort like' (IDS/IPS) rule set and can detect
when "bad things" are happening and correlate that information with your
IDS/IPS Snort back end. For more information about Sagan, please see:
http://sagan.softwink.com

When I started writing Sagan, it was syslog-ng centric. However, considering the number of rsyslog users, I decided to take a shot at making Sagan work with rsyslog. T'was a breeze, and overall, I'm dang impressed with rsyslog's functionality.

Sagan 'reads' a named pipe (FIFO) for events, then uses its rule set to 'parse' these events for 'bad things' happening (attacks, system problems, etc). In the syslog-ng world, my template for Sagan is:

--<snip>-------------------------------------
destination sagan {
    pipe("/var/run/sagan.fifo"
        template("$SOURCEIP|$FACILITY|$PRIORITY|$LEVEL|$TAG|$YEAR-$MONTH-$DAY|$HOUR:$MIN:$SEC|$PROGRAM|$MSG\n")
        template-escape(no));
};
--<snip>-------------------------------------

I'm attempting to mimic this template with rsyslog. This is the template that I have so far:

--<snip>-------------------------------------
# Template for Sagan (for the FIFO)
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"

# Calling the named pipe...
*.* |/var/run/sagan.fifo;sagan
--<snip>-------------------------------------

Sagan seems to be able to read the events from the named pipe fine. I was wondering, based on the functionality, if anyone might see a better way to do this?

I noticed between rsyslog and syslog-ng, the $TAG and %syslogtag% functionality seems to be a bit different. For example:

Syslog-ng "$TAG" == 1e
rsyslog %syslogtag% == the program name (for example: 'rsync:')

Other than this, it seems to function as normal. Does anyone know how syslog-ng versus rsyslog treats 'tags'?

Thanks in advance.
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
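The post above maps a syslog-ng pipe template onto an rsyslog $template that writes nine pipe-separated fields into a FIFO. The following is an added example (not code from the post, from Sagan or from rsyslog) of the consumer side: a small Python parser for exactly that record layout. It assumes the field order of the template as written, and the sample lines are constructed. Two points it makes concrete: the message is the last field, so a record must be split at most eight times or a '|' inside an attacker-controlled message shifts every later field; and rsyslog's %syslogtag% is the raw tag including any "[pid]:" suffix (e.g. "sshd[4321]:"), while %programname% is the bare name, which is the value syslog-ng's $PROGRAM delivered in the original template. It also shows what the %timegenerated:1:10:date-rfc3339% / :12:19: substrings select from an RFC 3339 timestamp.

```python
"""Parser for the pipe-delimited Sagan FIFO records produced by the
rsyslog $template in the post (added example, not Sagan/rsyslog code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Field order exactly as the template emits it; msg is last on purpose.
FIELD_COUNT = 9


@dataclass
class SaganRecord:
    source_ip: str
    facility: str
    priority: str
    severity: str
    tag: str        # raw %syslogtag%, e.g. "sshd[4321]:" or "rsync:"
    date: str       # %timegenerated:1:10:date-rfc3339%  -> "YYYY-MM-DD"
    time: str       # %timegenerated:12:19:date-rfc3339% -> "HH:MM:SS"
    program: str    # %programname%, the bare program name
    msg: str        # %msg%, may itself contain '|'


def parse_record(line: str) -> SaganRecord:
    """Split one FIFO line into its nine fields.

    maxsplit=8 keeps any '|' that appears inside the message in msg,
    so a log line containing the delimiter cannot shift the other fields.
    """
    parts = line.rstrip("\n").split("|", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}: {line!r}")
    return SaganRecord(*parts)


def parse_all(lines: List[str]) -> List[SaganRecord]:
    """Parse a batch of lines, skipping malformed ones rather than aborting."""
    records = []
    for line in lines:
        try:
            records.append(parse_record(line))
        except ValueError:
            continue  # a real consumer would count/alert on these
    return records


def program_from_tag(tag: str) -> str:
    """Normalize an rsyslog %syslogtag% ("sshd[4321]:", "rsync:") to the bare
    program name, i.e. the same value %programname% / syslog-ng $PROGRAM gives."""
    tag = tag.strip()
    if tag.endswith(":"):
        tag = tag[:-1]
    if "[" in tag:
        tag = tag.split("[", 1)[0]
    return tag


def split_rfc3339(ts: str) -> Tuple[str, str]:
    """Reproduce the template's substring selection on an RFC 3339 timestamp:
    chars 1..10 are the date, chars 12..19 the time (1-based, inclusive)."""
    return ts[0:10], ts[11:19]


# Constructed sample records in the template's format (not real log data).
SAMPLE_LINES = [
    "192.0.2.10|auth|warning|warning|sshd[4321]:|2010-05-12|14:23:01|sshd|"
    "Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "192.0.2.11|daemon|notice|notice|rsync:|2010-05-12|14:23:05|rsync|"
    "sent 1|2 bytes|received 3 bytes",
    "192.0.2.12|cron|info",  # truncated record, skipped by parse_all
]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(f"{rec.date} {rec.time} {rec.source_ip} "
              f"{program_from_tag(rec.tag)} -> {rec.msg}")
    print(split_rfc3339("2010-05-12T14:23:01.123456-05:00"))
```

Because the message field is the only one a remote sender fully controls, keeping it last and splitting with a fixed maximum is what makes the pipe delimiter safe; a naive `line.split("|")` would let the second sample line masquerade as a record with eleven fields.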

