RFC5424

LogAnalyzer: Facility and Severity is missing

Question: I use a logfile of rsyslog as source type in LogAnalyzer. Everything is good, but the facility and severity information tabs of the messages are missing, like in this screenshot.

Answer: The solution is rather simple: your current file template does not contain the syslog priority (PRI), which encodes facility and severity. Switch to RSYSLOG_SyslogProtocol23Format, the RFC5424 format, which carries that information. You can use the template for a single action or set it as the default template; below you can find an example for both cases.
Please note that this example only applies to a single logfile:

mail.* /var/log/maillog;RSYSLOG_SyslogProtocol23Format

This is the example for a default template:

$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format

Please note that you also need to change the log line type to RSyslog Format23 for the matching log stream source in LogAnalyzer. You can do that by editing LogAnalyzer's "config.php".
Open "config.php" with your favourite editor and add the following line to the correct source:

$CFG['Sources']['Source1']['LogLineType'] = "Syslog23";

Afterwards the configuration should look like this.
Don't forget to save the changes. Now you can refresh the web panel of LogAnalyzer, and you should see the previously missing facility and severity information tabs, like in this screenshot.

How to add a HMAC to RFC5424 structured data messages

rsyslog features a new message modification module that checks for a given SD-ID in RFC5424 messages and appends an HMAC to the structured data part of the message. Please note that although the action can be applied to all messages, only RFC5424-formatted messages are actually processed; anything else is left unchanged.

Before starting, you need a Private Enterprise Number (PEN) from IANA, because the SD-ID the module writes must carry an enterprise number that you control.

For this functionality you need the module "mmrfc5424addhmac". It is currently available only in the git master branch and will first be released in the next devel release, 7.5.4, and for stable in 7.6.0.

When running configure, do not forget to enable this module:

./configure --prefix=/usr --enable-imtcp --enable-mmrfc5424addhmac

Now for the configuration:

module(load="imtcp")
module(load="mmrfc5424addhmac")
input(type="imtcp" port="514")
action(type="mmrfc5424addhmac" key="yourenterprisekey" hashFunction="sha256" sd_id="id@32473")
template(name="addhmac" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
action(type="omfile" file="/var/log/logfile" template="addhmac")

This is a relatively simple configuration. We load the modules imtcp and mmrfc5424addhmac and receive RFC5424 messages through the TCP input. The really interesting part is the actions. Since we need to modify the messages, we need an action that uses the message modification module. As parameters for the action we define the key used to compute the HMAC, choose a hash function (essentially all hash functions provided by OpenSSL work) and define our SD-ID, which consists of a name, "@" and the enterprise number received from IANA (32473 in the example is the number IANA reserves for documentation; replace it with your own). Keep in mind that the key is a shared secret: a verifier needs the same key to recompute the HMAC, and anyone who holds it can produce valid hashes, so restrict read access to the configuration file that contains it.

The message is parsed for the SD-ID; if it exists, a hash is generated and appended to the structured data of the message.

Now we need to do something with these messages. The template above is an RFC5424 representation (the same layout as the built-in RSYSLOG_SyslogProtocol23Format) and outputs accordingly formatted messages. As a follow-up action we write all messages into a file. Alternatively, you could forward them to another host or write them into a database.
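The following is an added example, not code from rsyslog or LogAnalyzer. It serves both parts of this page: it parses lines in the layout written by RSYSLOG_SyslogProtocol23Format, decoding facility and severity from the PRI field (the information a plain file template lacks), and it adds and verifies an HMAC carried in a structured-data element with an SD-ID of the form name@PEN. The HMAC scheme in the code (HMAC over the message bytes as received, hex-encoded in a param named "hash", non-RFC5424 lines passed through unchanged) is an assumption made for this example; the page does not state how mmrfc5424addhmac canonicalises the message, so check the module's documentation before using this to verify its output. The sample lines and the key are constructed.

```python
# Added example (not rsyslog or LogAnalyzer code). The HMAC scheme here,
# HMAC over the message bytes as received, hex-encoded in a param named
# "hash", is an assumption for illustration; mmrfc5424addhmac's actual
# canonicalisation is not documented on this page.
import hmac
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, each followed by SP
HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_ELEMENT_RE = re.compile(r'\[([^\s\]="]+)((?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')

def _unescape(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)

def _scan_sd(rest):
    """Split the text after the header into raw [..] elements and MSG."""
    if rest.startswith("-"):
        return [], rest[2:]  # NILVALUE, then optional SP MSG
    elements, i, n = [], 0, len(rest)
    while i < n and rest[i] == "[":
        start, i, quoted = i, i + 1, False
        while i < n:
            c = rest[i]
            if quoted and c == "\\":
                i += 2  # skip escaped \" \] \\ inside a param value
                continue
            if c == '"':
                quoted = not quoted
            elif c == "]" and not quoted:
                i += 1
                break
            i += 1
        if not rest[start:i].endswith("]"):
            raise ValueError("unterminated SD element")
        elements.append(rest[start:i])
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [..] elements")
    return elements, rest[i + 1:]  # drop the single SP before MSG, if any

def _params(raw_element):
    m = SD_ELEMENT_RE.fullmatch(raw_element)
    if not m:
        raise ValueError("malformed SD element: %r" % raw_element)
    return m.group(1), {k: _unescape(v) for k, v in PARAM_RE.findall(m.group(2))}

def parse_rfc5424(line):
    """Header fields, facility/severity decoded from PRI, SD elements and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: no '<PRI>VERSION ...' header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    raw_elements, msg = _scan_sd(line[m.end():])
    return {"pri": pri, "facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "version": int(m.group(2)), "timestamp": m.group(3), "hostname": m.group(4),
            "appname": m.group(5), "procid": m.group(6), "msgid": m.group(7),
            "sd": dict(_params(e) for e in raw_elements), "msg": msg}

def _rebuild(header, raw_elements, msg):
    return header + ("".join(raw_elements) or "-") + (" " + msg if msg else "")

def add_hmac(line, key, sd_id, hash_function="sha256"):
    """Append [sd_id hash="..."]; non-RFC5424 lines are returned unchanged."""
    m = HEADER_RE.match(line)
    if not m:
        return line
    raw_elements, msg = _scan_sd(line[m.end():])
    if any(e.startswith("[" + sd_id + " ") for e in raw_elements):
        raise ValueError("message already carries " + sd_id)
    digest = hmac.new(key, line.encode("utf-8"), hash_function).hexdigest()
    return _rebuild(line[:m.end()], raw_elements + ['[%s hash="%s"]' % (sd_id, digest)], msg)

def verify_hmac(line, key, sd_id, hash_function="sha256"):
    """True iff exactly one [sd_id ..] element exists and matches the HMAC of the rest."""
    m = HEADER_RE.match(line)
    if not m:
        return False
    raw_elements, msg = _scan_sd(line[m.end():])
    tagged = [e for e in raw_elements if e.startswith("[" + sd_id + " ")]
    if len(tagged) != 1:
        return False
    params = _params(tagged[0])[1]
    original = _rebuild(line[:m.end()], [e for e in raw_elements if e not in tagged], msg)
    expected = hmac.new(key, original.encode("utf-8"), hash_function).hexdigest()
    return hmac.compare_digest(params.get("hash", ""), expected)

if __name__ == "__main__":
    # Constructed sample in the layout written by RSYSLOG_SyslogProtocol23Format.
    sample = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
              "'su root' failed for lonvick on /dev/pts/8")
    key = b"yourenterprisekey"  # placeholder from the config above; keep the real key secret
    parsed = parse_rfc5424(sample)
    print(parsed["facility"], parsed["severity"])  # the fields LogAnalyzer derives from PRI
    signed = add_hmac(sample, key, "id@32473")
    print(signed)
    print(verify_hmac(signed, key, "id@32473"),
          verify_hmac(signed.replace("lonvick", "mallory"), key, "id@32473"))
```

Run it directly to see the decoded facility/severity, the tagged line and a verification that succeeds for the untouched line and fails after the MSG is altered. The SD scanner honours the backslash escapes RFC 5424 requires inside param values, which a naive split on "]" would get wrong.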
