There are differences between syslog and syslog-ng that you need to be aware of. This document explains how to configure the CA Audit generic UNIX recorder to read syslog-ng files, which may require a custom message parsing (.mp) file and a specific log rotation scheme.
syslog-ng is not officially supported by CA Audit. Under many circumstances, however, the generic UNIX recorder can be used to read syslog-ng events with a few changes.
Syslog and syslog-ng are different products, even though the format of the individual messages may look similar.
There are several things to be aware of when attempting to read syslog-ng events with the generic syslog recorder.
The differences can include the file location of events, file rotation, file compression and the date format.
There are many versions of syslog-ng, and each includes features that may or may not be configurable.
The generic UNIX syslog recorder processes log files in one of two ways.
(The generic recorder reads the recorder.ini file and checks the ConfigFile setting to decide which.)
The first is through syslog.conf: the recorder processes the log files defined there.
The second is to explicitly list the files to process in the LogFiles section of the recorder.ini file.
Wildcards can be used in those entries to indicate which files are to be processed.
Here are two examples:
The first indicates that every file in the /usr/adm/ directory will be processed.
The second indicates that every file in the /usr/adm/ directory whose name starts with log will be processed.
Note that any characters after the * are ignored, so a trailing extension cannot be used to select files. For instance, with this example:
the extension is not a valid pattern for the Audit generic recorder for UNIX and is ignored.
It is important to note that, because the * wildcard is used, there must not be any compressed files in the directory: the recorder would pick them up along with the plain-text logs.
Also, log rotation across multiple directories is not supported. If syslog-ng is being used, it must therefore be configured to mimic standard UNIX log rotation within a single directory, where messages becomes messages.0, messages.0 becomes messages.1, messages.1 becomes messages.2, and so on.
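The rotation scheme described above, as an added example that is not CA's code and not part of this document's original text: a small POSIX sh function that renames messages.N to messages.N+1 from the highest copy down, moves the live file to .0, and refuses to run if a compressed copy is sitting in the directory (which a wildcard LogFiles entry would otherwise sweep up). The directory, base name and number of copies to keep (default 5) are the caller's choice; the demo directory and its contents are constructed.

```sh
#!/bin/sh
# Added example, not CA's code: rotate a syslog-ng destination file the way
# the generic recorder expects (messages -> messages.0 -> messages.1 ...),
# all in one directory and never compressed. Arguments: directory, base
# name, number of rotated copies to keep (assumed default of 5).

rotate_log() {
    dir=$1; base=$2; keep=${3:-5}

    # Refuse to rotate if a compressed copy is present: with a wildcard
    # such as log1=/var/log/* the recorder would pick it up as well.
    for f in "$dir"/*.gz "$dir"/*.Z "$dir"/*.bz2; do
        if [ -e "$f" ]; then
            echo "rotate_log: compressed file present: $f" >&2
            return 1
        fi
    done

    # Shift existing copies from highest to lowest so none is overwritten;
    # the oldest copy (base.keep-1) falls off the end.
    i=$((keep - 1))
    while [ "$i" -ge 0 ]; do
        if [ -f "$dir/$base.$i" ]; then
            if [ "$i" -eq $((keep - 1)) ]; then
                rm -f "$dir/$base.$i"
            else
                mv "$dir/$base.$i" "$dir/$base.$((i + 1))"
            fi
        fi
        i=$((i - 1))
    done

    # The live file becomes .0 and a fresh empty file takes its place.
    # syslog-ng keeps writing to the old inode until it reopens the file
    # (send it a SIGHUP after this function returns).
    if [ -f "$dir/$base" ]; then
        mv "$dir/$base" "$dir/$base.0"
    fi
    : > "$dir/$base"
    return 0
}

# count_rotated DIR BASE: number of BASE.N files present (for checking).
count_rotated() {
    n=0
    for f in "$1"/"$2".[0-9]*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Demonstration on a constructed temporary directory (not a real log dir).
demo_rotate() {
    d=$(mktemp -d)
    echo "line from current file" > "$d/messages"
    echo "line from previous file" > "$d/messages.0"
    rotate_log "$d" messages 3
    result="$(count_rotated "$d" messages) rotated, messages.1 holds: $(cat "$d/messages.1")"
    rm -rf "$d"
    echo "$result"
}
```

Run it from cron (or whatever scheduler syslog-ng's host uses) and follow it with a SIGHUP to syslog-ng so the new empty file is opened; the recorder's own wildcard entry then keeps matching messages, messages.0, messages.1 and so on, exactly as it would with classic syslog.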
Another item to consider is that the date format used by syslog-ng may differ from that of syslog. If so, you may need to modify the syslog.mp file. The syslog.mp file has a date section; see the example below:
Type = datetime
format = [0-9]*
DateTimeFormat = %m%d%H%M%y
This section may need to be adjusted to match the format of your events. Note: the mp files use regular expressions for the format field. Additional information on regular expressions is available on the internet or from the CA Services team.
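Before editing the date section it is worth checking what syslog-ng actually writes. The following is an added example, not CA's code and not part of this document: a POSIX sh function that classifies the timestamp at the start of a line as the classic syslog form ("Mon DD HH:MM:SS"), the ISO 8601 form syslog-ng can be configured to emit, or unknown, plus a helper that reports every format found in a file. The two sample lines are constructed. The regular expressions are ordinary ERE; whether the DateTimeFormat field of syslog.mp accepts strftime-style conversions such as %Y for a four-digit year is not stated on this page and is not assumed here.

```sh
#!/bin/sh
# Added example, not CA's code: tell which timestamp format a log line
# carries, so the date section of syslog.mp can be matched to what
# syslog-ng actually writes. Two formats are recognised: the classic
# syslog "Mon DD HH:MM:SS" and the ISO 8601 form syslog-ng can be
# configured to emit ("YYYY-MM-DDTHH:MM:SS+ZZ:ZZ", optionally with
# fractional seconds or a trailing Z). Anything else is "unknown".

BSD_RE='^[A-Z][a-z][a-z] +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} '
ISO_RE='^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?([+-][0-9]{2}:[0-9]{2}|Z) '

# timestamp_format LINE: prints bsd, iso or unknown.
timestamp_format() {
    if printf '%s\n' "$1" | grep -Eq "$BSD_RE"; then
        echo bsd
    elif printf '%s\n' "$1" | grep -Eq "$ISO_RE"; then
        echo iso
    else
        echo unknown
    fi
}

# formats_in_file FILE: the distinct formats found, space separated.
# A file that reports more than one format, or "unknown", will not be
# parsed fully by a single date section.
formats_in_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        timestamp_format "$line"
    done < "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample lines (not taken from a real system).
BSD_LINE='Jan  5 14:23:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52214 ssh2'
ISO_LINE='2024-01-05T14:23:01+00:00 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52214 ssh2'
```

Run formats_in_file against each file named in the LogFiles section; a file that reports "iso" needs a date section written for that layout, and a file that reports both formats (typical right after a syslog-ng configuration change) will lose whichever events the single date section does not match.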
Here are the steps typically needed to configure the recorder to read syslog-ng:
- Stop the acrecorderd daemon if it is running.
- Edit the /opt/CA/eTrustAudit/ini/recorder.ini file using a text editor such as vi:
Find the line ConfigFile=/etc/syslog.conf
and change it to ConfigFile=
That is, delete the /etc/syslog.conf portion of the value.
- Next, in the recorder.ini file, change DWORD:Source = 1 to DWORD:Source = 0.
- In the LogFiles subsection of the recorder.ini file, add a line for each syslog-ng file you want the syslog generic recorder to process.
The format to use is log1=path/filename.
If there is more than one log file, add a further line log2=path/filename, and so on.
See the example:
- Save the recorder.ini file.
- Delete the file /opt/CA/eTrustAudit/dat/recorders/syslog.dat
- Restart the acrecorderd daemon.
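The recorder.ini edits in the steps above, applied by script rather than by hand, as an added example that is not CA's code and not part of this document. The sample ini fragment is constructed; it assumes the LogFiles subsection appears as a "[LogFiles]" header (the page only calls it a subsection) and that the key names are exactly as quoted above. Stopping and restarting acrecorderd and deleting /opt/CA/eTrustAudit/dat/recorders/syslog.dat are done outside this function, since the page gives no commands for them.

```sh
#!/bin/sh
# Added example, not CA's code: rewrite recorder.ini for syslog-ng.
# Assumptions: a "[LogFiles]" section header, the key names shown in the
# steps, and log file paths that contain no spaces.

# Constructed sample of the relevant part of recorder.ini (not a real file).
sample_recorder_ini() {
    cat <<'EOF'
[Recorder]
ConfigFile=/etc/syslog.conf
DWORD:Source = 1

[LogFiles]
EOF
}

# reconfigure_for_syslog_ng FILE PATH...: in FILE, blank ConfigFile, set
# Source to 0 and add log1=, log2=, ... under [LogFiles] for each PATH.
reconfigure_for_syslog_ng() {
    ini=$1; shift
    tmp="$ini.tmp.$$"
    awk -v files="$*" '
        BEGIN { n = split(files, f, " ") }
        /^ConfigFile=/       { print "ConfigFile=";      next }   # stop reading syslog.conf
        /^DWORD:Source[ ]*=/ { print "DWORD:Source = 0"; next }   # use the LogFiles list
        { print }
        /^\[LogFiles\]/      { for (i = 1; i <= n; i++) print "log" i "=" f[i] }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# verify_recorder_ini FILE: prints ok when all three changes are present.
verify_recorder_ini() {
    grep -qx 'ConfigFile='       "$1" &&
    grep -qx 'DWORD:Source = 0'  "$1" &&
    grep -q  '^log1='            "$1" && echo ok
}
```

Run reconfigure_for_syslog_ng on a copy first and diff it against the original; only then stop acrecorderd, install the edited file, remove syslog.dat so the recorder does not resume from stale offsets, and restart the daemon.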
Note: as mentioned earlier, using syslog-ng is not officially supported.
There are many versions of syslog-ng and many versions of UNIX.
These steps are offered for your consideration if syslog-ng is configured in your environment.