Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Syslog format from syslog-ng 2.0.9 is not parsed correctly #7398

Open Tux12Fun opened 4 years ago

Tux12Fun commented 4 years ago

I have a fresh Graylog 3.2 installation and try to forward my log messages into Graylog. All messages that I deliver from rsyslog are correctly parsed, but the messages from syslog-ng are wrong.

Expected Behavior

I would expect (message field): syslog-ng shutting down; version='2.0.9' (application_name field): syslog-ng

This behavior I can see on messages from RSYSLOG with "RSYSLOG_SyslogProtocol23Format", but not on messages from syslog-ng 2.0.9.

I believe the message from syslog-ng is rfc3164 and this format is not correctly parsed, while rsyslog sends in rfc2454 format, which is correctly parsed.

I've started a netcat to view the messages. They look like this:

SYSLOG-NG:

```
<45>Feb 5 12:28:49 ShortSysName syslog-ng[23778]: syslog-ng starting up; version='2.0.9'
<6>Feb 5 12:28:54 ShortSysName kernel: klogd 1.4.1, log source = /proc/kmsg started.
<6>Feb 5 12:29:09 ShortSysName kernel: Kernel logging (proc) stopped.
<6>Feb 5 12:29:09 ShortSysName kernel: Kernel log daemon terminating.
<46>Feb 5 12:29:09 ShortSysName syslog-ng[23778]: Termination requested via signal, terminating;
<45>Feb 5 12:29:09 ShortSysName syslog-ng[23778]: syslog-ng shutting down; version='2.0.9'
```

RSYSLOG:

```
<85>1 2020-02-05T12:30:24.849717+01:00 system.xxxx.local sudo - - - nagios : TTY=unknown ; PWD=/ ; USER=xyz ; COMMAND=/etc/nagios/zce/check_jstat.bash -g
```

So I think this is compliant with the RFC spec and should be parsed correctly. I would expect not to see the system name in the message field for syslog-ng, and the application_name field to be set by the default syslog_udp input.

Current Behavior

From syslog-ng messages I have the message like this:

```
ShortSysName syslog-ng[23834]: syslog-ng shutting down; version='2.0.9'
```

Possible Solution

Steps to Reproduce (for bugs)

1. Use syslog-ng 2.0.9 with this config:

```
destination logserver { udp("xxx.xxx.xxx.xxx" port(514) ); };
log { source(src); destination(logserver); };
```

2. Create an input with syslog_udp
3. Review the message field

Context

Your Environment

* Graylog Version: Graylog 3.1.4+1149fe1
* Elasticsearch Version: elasticsearch 5.6.16
* MongoDB Version: 1:3.6.3-0ubuntu1.1
* Operating System: Ubuntu 18.0.4 on Linux 4.15.0-66-generic
* Browser version: Google Chrome 79
jalogisch commented 4 years ago

Hey @Tux12Fun, do you mind checking whether the configuration we communicate in the documentation causes the same problems?

```
# Define TCP syslog destination.
destination d_net {
    syslog("graylog.example.org" port(514));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
    source(s_src); # Defined in the default syslog-ng configuration.
    destination(d_net);
};
```
Tux12Fun commented 4 years ago

I'm sorry, but I can't set syslog as output, because syslog-ng 2.0.9 seems to be missing the syslog output module and only supports the udp module :-(

If I add syslog as output as your example shows, I'm unable to restart the syslog-ng service.

Tux12Fun commented 4 years ago

@jalogisch Sorry I copied the wrong version to this Ticket. My Graylog Version is:

ii graylog-server 3.2.1-1 all Graylog server

I've done an update to the latest version to see if the problem was fixed in the meantime, but the behavior hasn't changed between 3.1 and 3.2.

Tux12Fun commented 4 years ago

Now I tested whether there is any difference between tcp and udp, but unfortunately there is no difference.

Tux12Fun commented 4 years ago

I've built a workaround for myself by rewriting the messages with a pipeline and a regex processor.
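As an added example (not code from this issue or from the Graylog project), here is a small Python parser that does what the reporter expected the input to do: distinguish an RFC 5424 line (`<PRI>1 ...`) from an RFC 3164 line (`<PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG`) and split the latter into hostname, application name, PID and message. It is run over the syslog-ng and rsyslog samples quoted in the issue, plus one constructed RFC 3164 line with the space-padded day-of-month ("Feb  5") that RFC 3164 prescribes for days 1 to 9, since a parser that only accepts a single space silently fails on such lines. The second function, `workaround_rewrite`, reproduces the kind of regex rewrite the last comment describes: it takes a message field that still carries "HOST TAG[pid]: MSG", and only when the leading word equals the event's own `source` field does it move the tag into application_name/process_id and keep the bare MSG. The field names `source`, `application_name` and `process_id` are assumed here to match what Graylog's syslog input sets; they are not taken from the issue beyond application_name and message.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples: three lines quoted in the issue (two syslog-ng RFC 3164,
# one rsyslog RFC 5424) and one extra RFC 3164 line with the space-padded day.
SAMPLES = [
    "<45>Feb 5 12:28:49 ShortSysName syslog-ng[23778]: syslog-ng starting up; version='2.0.9'",
    "<6>Feb 5 12:29:09 ShortSysName kernel: Kernel log daemon terminating.",
    "<45>Feb  5 12:29:09 ShortSysName syslog-ng[23778]: syslog-ng shutting down; version='2.0.9'",
    "<85>1 2020-02-05T12:30:24.849717+01:00 system.xxxx.local sudo - - - nagios : "
    "TTY=unknown ; PWD=/ ; USER=xyz ; COMMAND=/etc/nagios/zce/check_jstat.bash -g",
]


@dataclass
class SyslogEvent:
    facility: int
    level: int
    timestamp: str
    hostname: str
    application_name: Optional[str]
    process_id: Optional[str]
    message: str
    rfc: str  # "5424" or "3164"


# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG; day is space-padded ("Feb  5").
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# The "TAG[pid]: MSG" remainder; this is the regex the workaround reuses.
TAG_RE = re.compile(r"^(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$", re.DOTALL)


def split_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def split_tag(rest: str) -> Tuple[Optional[str], Optional[str], str]:
    """Split 'TAG[pid]: MSG'; returns (None, None, rest) if there is no tag."""
    m = TAG_RE.match(rest)
    if not m:
        return None, None, rest
    return m["app"], m["pid"], m["msg"]


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one raw syslog line, trying RFC 5424 first, then RFC 3164."""
    m = RFC5424_RE.match(line)
    if m:
        fac, lvl = split_pri(int(m["pri"]))
        nil = lambda v: None if v == "-" else v  # RFC 5424 NILVALUE
        return SyslogEvent(fac, lvl, m["ts"], m["host"], nil(m["app"]),
                           nil(m["pid"]), m["msg"] or "", "5424")
    m = RFC3164_RE.match(line)
    if m:
        fac, lvl = split_pri(int(m["pri"]))
        app, pid, msg = split_tag(m["rest"])
        ts = re.sub(" +", " ", m["ts"])  # normalise the padded day
        return SyslogEvent(fac, lvl, ts, m["host"], app, pid, msg, "3164")
    raise ValueError(f"not a syslog line: {line!r}")


def workaround_rewrite(fields: dict) -> dict:
    """Pipeline-style repair of an already ingested event whose message field still
    reads 'HOST TAG[pid]: MSG'. Only rewrites when HOST equals the event's source
    field, so unrelated messages that merely start with 'word app:' are untouched."""
    host, _, rest = fields.get("message", "").partition(" ")
    if not rest or host != fields.get("source"):
        return fields
    app, pid, msg = split_tag(rest)
    if app is None:
        return fields
    out = dict(fields, application_name=app, message=msg)
    if pid is not None:
        out["process_id"] = pid
    return out


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
    print(workaround_rewrite({"source": "ShortSysName",
                              "message": "ShortSysName syslog-ng[23834]: syslog-ng shutting down; version='2.0.9'"}))
```

The parser tries RFC 5424 first because its `<PRI>1 ` prefix is unambiguous; an RFC 3164 timestamp can never start with "1 ". The `source` equality check in `workaround_rewrite` is the guard a pipeline rule should carry too: without it, any message whose first word is followed by something ending in a colon would lose that word.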