How to use Sagan with 'rsyslog'

When development of Sagan started, we were primarily using 'syslog-ng'. However, 'syslog-ng' isn't the only modern Syslog engine out there. We've also seen a lot of support behind 'rsyslog'.

"Rsyslog has become the de-facto standard on modern Linux operating systems. Its high-performance log processing, database integration, modularity and support for multiple logging protocols make it the sysadmin’s logging daemon of choice. The project was started in 2004 and has since then evolved rapidly."

'Rsyslog' is used in various Linux distributions as the 'default' syslog daemon. For example, Fedora, openSUSE, Debian and Ubuntu use Rsyslog by default. Even non-Linux based systems have support for 'Rsyslog' (FreeBSD, OpenBSD, Solaris, etc). Considering the widespread support for 'Rsyslog', we thought it would be foolish to not have Sagan support it as well. Fortunately, due to the design of Sagan, supporting and using 'Rsyslog' with Sagan is a breeze.

The idea is very similar to how we operate Sagan with Syslog-ng in "FIFO" (named pipe) mode. That is, when Syslog-ng receives a message, we configure it to also 'write' that syslog message to a 'named pipe' (sometimes known as a FIFO). Sagan then 'reads' this FIFO/named pipe and inspects the messages for 'bad things' (security events, etc) based on the Sagan rule set.

We use the exact same idea with Rsyslog. That is, when Rsyslog receives a message, we'll have it send a "copy" of that message to a named pipe/FIFO. Sagan will then read that named pipe/FIFO and inspect the message. The proper template for Rsyslog users is below. This is what you'd place in your 'rsyslog.conf' file.

# The standard "input" template Sagan uses.  Basically the message 'format' Sagan understands.  

$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"  

# The FIFO/named pipe location.  This is what Sagan will read. 

*.*     |/var/run/sagan.fifo;sagan
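
The field layout produced by the $template above can be checked on a few lines before Sagan is pointed at the FIFO. The Python below is an added example, not part of the original page or of Sagan itself; the function names and sample lines are constructed for illustration, and it assumes %fromhost-ip% always yields an IP address.

```python
import ipaddress
import re
from collections import namedtuple

# Field order follows the $template line on this page.
SaganLine = namedtuple(
    "SaganLine", "host facility priority severity tag date time program message")
NFIELDS = len(SaganLine._fields)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")  # %timegenerated:1:10:date-rfc3339%
TIME_RE = re.compile(r"\d{2}:\d{2}:\d{2}")  # %timegenerated:12:19:date-rfc3339%

def parse_sagan_line(line):
    """Parse one templated line; raise ValueError if it does not fit."""
    # Limit the split so any '|' inside %msg% stays in the message field.
    parts = line.rstrip("\n").split("|", NFIELDS - 1)
    if len(parts) != NFIELDS:
        raise ValueError(f"expected {NFIELDS} fields, got {len(parts)}")
    rec = SaganLine(*parts)
    ipaddress.ip_address(rec.host)  # ValueError if not an IP address
    if not DATE_RE.fullmatch(rec.date):
        raise ValueError(f"bad date field: {rec.date!r}")
    if not TIME_RE.fullmatch(rec.time):
        raise ValueError(f"bad time field: {rec.time!r}")
    return rec

def check_lines(lines):
    """Return (parsed records, [(line number, reason)] for rejects)."""
    good, bad = [], []
    for n, line in enumerate(lines, 1):
        try:
            good.append(parse_sagan_line(line))
        except ValueError as exc:
            bad.append((n, str(exc)))
    return good, bad

# Constructed sample lines (not captured from a real host).
SAMPLE = [
    "192.0.2.10|authpriv|info|info|sshd[2211]:|2010-10-07|14:03:22|sshd| Failed password for root\n",
    "192.0.2.11|cron|info|info|CRON[901]:|2010-10-07|14:05:01|CRON| (root) CMD (ps ax | wc -l)\n",
    "Oct  7 14:05:09 host1 sshd[2211]: line written without the sagan template\n",
    "192.0.2.12|user|notice|notice|my|app:|2010-10-07|14:06:00|my| tag contains a pipe\n",
]

if __name__ == "__main__":
    records, rejects = check_lines(SAMPLE)
    print(len(records), "ok;", rejects)
```

A '|' inside the message is harmless because it is the last field, but a '|' in an earlier field such as the tag shifts every column after it, which the date check catches in the fourth sample line.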

Sagan and Rsyslog can only operate in FIFO/named pipe mode. Due to the way Rsyslog treats and calls external programs, it's not likely Sagan will support Rsyslog in 'program' mode (like with Syslog-ng). This shouldn't deter you from using Sagan with Rsyslog. Using named pipes/FIFOs is ideal anyway.

If you have a better $template for Rsyslog, please let Champ Clark (champ at softwink.com) know. Thank you.

-- ChampClark - 2010-10-07

Topic revision: r1 - 2010-10-07 - ChampClark
 