Customize log message

Open FrieseWoudloper opened this issue 4 years ago • 4 comments

Is it possible to create this log message using the rsyslog package? So I would like to drop the number between brackets and the space after the colon.

Jun 25 15:10:18 user my_script:Running script.

Edit: To be more precise, I need to create a log message that follows the ArcSight CEF format: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf

FrieseWoudloper avatar Jun 09 '20 08:06 FrieseWoudloper

To clarify: this package does not do any formatting at all -- the header that you see is printed by journalctl. Your document indicates that CEF uses the syslog format, so to use one of its own examples, the following

syslog("CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232")

should be conformant.

Does that make sense?

atheriel avatar Jun 09 '20 17:06 atheriel
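To make the reply above concrete, here is an added example in R that is not part of the thread or of the rsyslog package's own code. It builds a CEF:0 message with the escaping rules the CEF white paper requires (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values), so that an untrusted value cannot break the field layout the SIEM parses, and then hands the finished string to the system log. The calls `open_syslog()`, `syslog()` and `close_syslog()` and their arguments are assumed to be the rsyslog package's interface; the timestamp/host header discussed in the thread is added by the syslog daemon, not by this code.

```r
# Added example (not from the rsyslog package or the issue thread).
# Assumes rsyslog exports open_syslog(identifier), syslog(message, level)
# and close_syslog(); only the CEF message body is produced here.
library(rsyslog)

# CEF header fields: a literal backslash and a literal pipe must be escaped.
cef_escape_header <- function(x) {
  x <- gsub("\\\\", "\\\\\\\\", x)   # \  -> \\
  gsub("\\|", "\\\\|", x)            # |  -> \|
}

# CEF extension values: backslash, equals sign and line breaks must be
# escaped so a value cannot masquerade as a new key=value pair or a new line.
cef_escape_ext <- function(x) {
  x <- gsub("\\\\", "\\\\\\\\", x)   # \  -> \\
  x <- gsub("=", "\\\\=", x)         # =  -> \=
  x <- gsub("\r", "\\\\r", x)        # CR -> \r
  gsub("\n", "\\\\n", x)             # LF -> \n
}

# Assemble one CEF:0 record from the seven header fields plus extensions.
format_cef <- function(vendor, product, version, signature_id, name,
                       severity, extensions = list()) {
  stopifnot(severity %in% 0:10)      # CEF severity is an integer 0..10
  header <- paste(
    "CEF:0",
    cef_escape_header(vendor),
    cef_escape_header(product),
    cef_escape_header(version),
    cef_escape_header(signature_id),
    cef_escape_header(name),
    severity,
    sep = "|"
  )
  ext <- paste0(names(extensions), "=",
                vapply(extensions, cef_escape_ext, character(1)),
                collapse = " ")
  paste0(header, "|", ext)
}

# The white paper's own example, reproduced through the formatter.
msg <- format_cef("security", "threatmanager", "1.0", "100",
                  "worm successfully stopped", 10,
                  list(src = "10.0.0.1", dst = "2.1.2.2", spt = "1232"))
# msg == "CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232"

# A constructed value containing characters that would otherwise corrupt
# the record; after escaping it stays inside its own field.
hostile_name <- "login|failed\nsrc=1.2.3.4"
safe_msg <- format_cef("security", "threatmanager", "1.0", "101",
                       hostile_name, 5,
                       list(suser = "a=b", msg = "path C:\\tmp"))
# safe_msg == "CEF:0|security|threatmanager|1.0|101|login\\|failed\nsrc=1.2.3.4|5|suser=a\\=b msg=path C:\\\\tmp"
# (the header name field keeps its newline; CEF only escapes \n inside
#  extension values, so a header value that may carry line breaks should
#  be sanitised before calling format_cef)

# Hand the record to syslog; "my_script" is the identifier that appears as
# the "process" in the header the daemon prepends (assumed rsyslog API).
open_syslog("my_script")
syslog(msg, level = "WARNING")
syslog(safe_msg, level = "WARNING")
close_syslog()
```

Everything before the `CEF:0` prefix (date, time, host) comes from the syslog daemon, exactly as the reply says, so changing it is a daemon or collector configuration matter rather than something this R code can influence.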

On reflection: are you trying to use this package to format messages? Or to write to Syslog? If you don't actually need to write to the Linux system log, this is not the right package to use.

If you're just trying to output messages in CEF, why not write something like the following?

cat(sprintf("%s %s %s\n", format(Sys.time(), "%b %e %H:%M:%S"), Sys.info()["nodename"], "CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232"))
#> Jun  9 17:19:05 d-rndvm-l1 CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232

Or, alternatively, use a real logging package like log4r (which I maintain), lgr, logger, etc where you can control the formatting.

atheriel avatar Jun 09 '20 17:06 atheriel

Thank you for your response! I'm so sorry for the confusion. I really am a newbie when it comes to logging. I'll try to clarify my question.

  • I need to write an event to the local syslog.
  • The event will be harvested by an ArcSight SIEM (using rsyslog).
  • In order to achieve this, the event must adhere to the ArcSight CEF standard.
  • According to our system administrator, I now have the message part right (thanks to your help :-)
  • However, the event header is something like Jun 25 15:10:18 host process. Host should be a fully qualified domain name (FQDN). At present, that is not the case. Also, process should be removed from the header. The header should only contain date/time and host.

What would be the best way to achieve this?

Thank you so much for your help. I'm really struggling with this.

FrieseWoudloper avatar Jun 10 '20 14:06 FrieseWoudloper

Do I understand you correctly that I can also use log4r for writing an event to the syslog? If so, could you please provide me with an example?

FrieseWoudloper avatar Jun 11 '20 07:06 FrieseWoudloper