Log Message Processing, Formatting and Normalizing with Rsyslog
Rainer Gerhards
Rainer Gerhards, http://blog.gerhards.net
What's in this talk?
• Some Logging Basics
• A practical Usage Scenario
• Logging APIs
• Background information on rsyslog processing
Why Logging?
• Troubleshooting
• Security Alerting (e.g. SIEM)
• Legal Requirements (e.g. banks)
• Evidence in Court
• Billing (e.g. Telecom Industry)
Logging is simple, isn't it?
• Just generate a log record when something
interesting happens
• BUT
▫ What is “interesting”?
▫ What is required to describe the event?
▫ How do we know what the actual data item means?
▫ What does a log record look like?
• So... making sense out of logs, especially in a
heterogeneous environment, is far from being
simple...
The Logging Dilemma
• There is no universally accepted format
• Logs looking very much the same describe different
events
• The same event is described in very different-looking log records
• Often, pseudo-free-form text is used
• For consumers, it is very hard to digest even a
decent subset of important logging formats
It's a real-world problem!
One day in my mailbox...
“I am working with a customer who is deploying a
large rsyslog environment for central logging.
Basically they want a cluster of boxes to act as the
"log of record". They would also like to have the
logs fed to a couple security products for
analysis. The customer has a limited budget so
having each vendor write parsers is cost
prohibitive. ”
Log Producers & Consumers
[Diagram: log producers (Linux boxes, Windows, other *nix, firewalls, apps) feeding the consumers Security Analyzer I ... Security Analyzer n, Log Storage, Capacity Planning, Billing, and an as yet unknown consumer (?)]
Some important log sources
• Free-form text formats
▫ Traditional syslog messages
▫ Application text log files
• Structured formats
▫ Windows Event Log
▫ Linux Journal (today mostly text messages)
▫ Application text log files (XML, CSV, WELF, Apache
CLF, whatever)
▫ SNMP traps
▫ New-style syslog
How to solve that dilemma?
• Several efforts try very hard to solve this
▫ For many years
▫ With limited success
• Resulted in an approach named
“Common Event Expression” (CEE)
▫ Cross-vendor team (both OSS & commercial)
▫ Driven by US MITRE
▫ Builds on existing infrastructure
CEE's core ideas
• Keep it simple & extensible
• Support existing technology
• As far as the format is concerned
▫ name/value pairs
▫ Keep the structure as flat as possible, but permit some
hierarchy
▫ Keep dictionaries of field names, syntax and semantic
▫ Profiles specify what needs to be present in specific
event types
Project Lumberjack
• Born at last year's Fedora DevConf, right here!
• Intends to
▫ Build on CEE and drive the ideas further
▫ Provide an open source implementation of core
functionality
▫ Deliver something that actually works
• Driven by Logging Professionals from Red Hat,
Balabit (syslog-ng) and Adiscon (rsyslog), open to
everyone else
What did we do the past year?
• Agreed on the log format
• Made rsyslog fully lumberjack-aware
• Made Adiscon's Windows products fully
lumberjack-aware
• Made syslog-ng fully lumberjack-aware
• Created a new syslog API --> libumberlog
Back to my mailbox...
“I am working with a customer who is deploying a
large rsyslog environment for central logging.
Basically they want a cluster of boxes to act as the
"log of record". They would also like to have the logs
fed to a couple security products for analysis. The
customer has a limited budget so having each vendor
write parsers is cost prohibitive. A commonality
for each of the additional destinations is the
ability to ingest logs in <some common
format>. I believe rsyslog has the capability to alter
the output...”
Rsyslog as converter
[Diagram: rsyslogd sits between the producers (Linux boxes, Windows, other *nix, firewalls, apps) and the consumers Security Analyzer I ... Security Analyzer n, Log Storage, Capacity Planning, Billing]
Some rsyslog basics
• Ruleset
▫ Like a function in a programming language
▫ Consists of (conditional) statements and actions
▫ Can be called from another ruleset or bound to a
listener
• Variables
▫ Message Variables (e.g. $msg, $rawmsg)
▫ System Variables (e.g. $$now)
▫ Structured Variables: form a tree-like structure, e.g. $!usr!somevar
Let's look at a practical case
• Goal: Unified log files with logon/logoff report
▫ For processing by backend tools (not shown)
▫ concentrate on just four fields: host system, reception
time, username, logon/logoff status
• Inputs
▫ Linux: traditional text log messages
▫ Windows: different Agents
• Output
▫ Lumberjack JSON style
▫ CSV
Have rsyslog gather the data
module(load="imtcp")
/* We assume to have all TCP logging (for simplicity)
* Note that we use different ports to point different sources
* to the right rule sets for normalization. While there are
* other methods (e.g. based on tag or source), using multiple
* ports is both the easiest as well as the fastest.
*/
input(type="imtcp" port="13514" Ruleset="WindowsRsyslog")
input(type="imtcp" port="13515" Ruleset="LinuxPlainText")
input(type="imtcp" port="13516" Ruleset="WindowsSnare")
The Linux Input Data sample
• Free-text format
Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session opened for user root by rger(uid=1000)
Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session closed for user root
Jan 24 02:38:49 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session opened for user rger by (uid=0)
Jan 24 02:41:22 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session closed for user rger
Parsing Free-Text Messages: mmnormalize
• Uses a “sample rule base”
▫ One sample for each expected message type
▫ Sample contains text (for matching) and property
descriptions (like IPv4 Address, char-matches, …)
▫ If sample matches, corresponding properties are
extracted
▫ Special parser for iptables
• Also implemented as an action
• Very fast algorithm (much faster than regex)
• Based on liblognorm (which you can use in your
own programs to gain this functionality!)
Needs to be normalized
• Job for rsyslog's mmnormalize
• rulebase:
# SSH and sudo logins
prefix=%rcvdat:date-rfc3164% %rcvdfrom:word%
rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word% by (uid=%-:number%)
rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word%
rule=: sudo: pam_unix(sudo:session): session %type:word% for user root by %user:char-to:(%(uid=%-:number%)
rule=: sudo: pam_unix(sudo:session): session %type:word% for user %user:word%
Putting it all together:
/* plain Linux log messages (here: ssh and sudo) need to be
 * parsed - we use mmnormalize for fast and efficient parsing
 * here.
 */
ruleset(name="LinuxPlainText") {
    action(type="mmnormalize"
           rulebase="/home/rger/proj/rsyslog/linux.rb" userawmsg="on")
    if $parsesuccess == "OK" and $!user != "" then {
        if $!type == "opened" then
            set $!usr!type = "logon";
        else if $!type == "closed" then
            set $!usr!type = "logoff";
        set $!usr!rcvdfrom = $!rcvdfrom;
        set $!usr!rcvdat = $!rcvdat;
        set $!usr!user = $!user;
        call outwriter
    }
}
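To see what the rulebase from the previous slide actually extracts from the four Linux sample messages, and how the LinuxPlainText ruleset and the csv/cee templates later in this deck turn that into the unified record, here is an added Python example. It is not rsyslog or liblognorm code: it emulates only the date-rfc3164, word, number and char-to field types this rulebase uses, and first-match rule ordering stands in for liblognorm's parse tree.

```python
import csv
import io
import json
import re

# Added example: a simplified emulation of the liblognorm rulebase semantics that
# mmnormalize uses. It is not liblognorm or rsyslog code and supports only the
# field types the rulebase on this page needs (liblognorm has many more).
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
FIELD_TYPES = {
    "date-rfc3164": rf"(?:{MONTHS}) [ 0-9]\d \d\d:\d\d:\d\d",
    "word": r"\S+",
    "number": r"\d+",
}
FIELD_RE = re.compile(r"%([^:%]+):([^%]+)%")

# The rulebase from the "Needs to be normalized" slide, one rule per line.
RULEBASE = """\
# SSH and sudo logins
prefix=%rcvdat:date-rfc3164% %rcvdfrom:word%
rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word% by (uid=%-:number%)
rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word%
rule=: sudo: pam_unix(sudo:session): session %type:word% for user root by %user:char-to:(%(uid=%-:number%)
rule=: sudo: pam_unix(sudo:session): session %type:word% for user %user:word%
"""

# The four messages from the "Linux Input Data sample" slide.
SAMPLE_LINES = [
    "Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session opened for user root by rger(uid=1000)",
    "Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session closed for user root",
    "Jan 24 02:38:49 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session opened for user rger by (uid=0)",
    "Jan 24 02:41:22 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session closed for user rger",
]

def rule_to_regex(sample):
    """Turn one sample into an anchored regex: literal text must match exactly,
    %name:type% becomes a named group, and the name '-' matches without extracting."""
    pattern, pos = "", 0
    for m in FIELD_RE.finditer(sample):
        pattern += re.escape(sample[pos:m.start()])
        name, ftype = m.group(1), m.group(2)
        if ftype.startswith("char-to:"):          # everything up to the stop character
            sub = r"[^" + re.escape(ftype[len("char-to:"):]) + r"]+"
        else:
            sub = FIELD_TYPES[ftype]
        pattern += f"(?:{sub})" if name == "-" else f"(?P<{name}>{sub})"
        pos = m.end()
    pattern += re.escape(sample[pos:])
    return re.compile("^" + pattern + "$")

def load_rulebase(text):
    """Parse 'prefix=' and 'rule=' lines; the prefix is prepended to every rule."""
    prefix, rules = "", []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("prefix="):
            prefix = line[len("prefix="):]
        elif line.startswith("rule="):
            sample = line[len("rule="):].split(":", 1)[1]   # rule=[tags]:sample
            rules.append(rule_to_regex(prefix + sample))
    return rules

def normalize(line, rules):
    """Mimic the LinuxPlainText ruleset: the first matching rule wins, then
    opened/closed is mapped onto the $!usr record. None stands for the
    '$parsesuccess == "OK" and $!user != ""' guard failing."""
    for rx in rules:
        m = rx.match(line)
        if m is None:
            continue
        f = m.groupdict()
        status = {"opened": "logon", "closed": "logoff"}.get(f.get("type"))
        if status is None or not f.get("user"):
            return None
        return {"type": status, "rcvdfrom": f["rcvdfrom"],
                "rcvdat": f["rcvdat"], "user": f["user"]}
    return None

def normalize_all(lines, rules):
    """Unmatched lines are dropped, exactly as the ruleset's guard drops them."""
    return [r for r in (normalize(l, rules) for l in lines) if r is not None]

def to_cee(rec):
    """Equivalent of the 'cee' template: '@cee: ' plus the $!usr subtree as JSON."""
    return "@cee: " + json.dumps(rec)

def to_csv(rec):
    """Equivalent of the 'csv' template: four quoted fields in the slide's column order."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(
        [rec["rcvdat"], rec["rcvdfrom"], rec["user"], rec["type"]])
    return buf.getvalue()

if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES, load_rulebase(RULEBASE)):
        print(to_cee(rec))
        print(to_csv(rec), end="")
```

Note that the first sudo sample yields user "rger" (the account that invoked sudo, taken by the char-to field after "by"), not "root"; the rulebase decides which name becomes the user field.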
Windows Horrors: SNARE
• Tab-delimited mess:
<131>Feb 10 15:48:12 Win2008StdR2x64_vm
MSWinEventLog#0111#011Security#0114#011Tue Feb 05 16:39:27
2013#0114624#011Microsoft-Windows-Security-
Auditing#011WIN2008STDR2X64Administrator#011N/A#011Success
Audit#011Win2008StdR2x64_vm#011Anmelden#011#011Ein Konto wurde erfolgreich
angemeldet. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname:
WIN2008STDR2X64$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7
Anmeldetyp: 2 Neue Anmeldung: Sicherheits-ID: S-1-5-21-3148105976-3029560809-
1855765213-500 Kontoname: Administrator Kontodomäne: WIN2008STDR2X64
Anmelde-ID: 0x1d1feb Anmelde-GUID: {00000000-0000-0000-0000-
000000000000} Prozessinformationen: Prozess-ID: 0xc40 Prozessname:
C:WindowsSystem32winlogon.exe Netzwerkinformationen: Arbeitsstationsname:
WIN2008STDR2X64 Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 Detaillierte
Authentifizierungsinformationen: Anmeldeprozess: User32 Authentifizierungspaket:
Negotiate Übertragene Dienste: - Paketname (nur NTLM): - Schlüssellänge: 0 Dieses
Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer
Anyhow... digest by position:
ruleset(name="WindowsSnare") {
    set $!usr!type = field($rawmsg, "#011", 6);
    if $!usr!type == 4634 then {
        set $!usr!type = "logoff"; set $!doProces = 1;
    } else if $!usr!type == 4624 then {
        set $!usr!type = "logon"; set $!doProces = 1;
    } else set $!doProces = 0;
    if $!doProces == 1 then {
        set $!usr!rcvdfrom = field($rawmsg, 32, 4);
        set $!usr!rcvdat = field($rawmsg, "#011", 5);
        /* we need to fix up the snare date */
        set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " &
                           field($!usr!rcvdat, 32, 3) & " " &
                           field($!usr!rcvdat, 32, 4);
        set $!usr!user = field($rawmsg, "#011", 8);
        call outwriter
    }
}
Windows: rsyslog Agent
• Native Lumberjack format with Windows field
names
• A structured mess ;-)
<133>Feb 05 11:15:56 win7fr.intern.adiscon.com EvntSLog: @cee: {"source":
"win7fr.intern.adiscon.com", "nteventlogtype": "Security", "sourceproc": "Microsoft-
Windows-Security-Auditing", "id": "4634", "categoryid": "12545", "category": "12545",
"keywordid": "0x8020000000000000", "user": "NA", "TargetUserSid": "S-1-5-21-
803433813-209592097-1264475144-8733", "TargetUserName": "fr",
"TargetDomainName": "ADISCON", "TargetLogonId": "0xb8c7aed", "LogonType":
"7", "catname": "Logoff", "keyword": "Audit Success", "level": "Information", "msg":
"An account was logged off.rnrnSubject:rntSecurity ID:ttS-1-5-21-
803433813-209592097-1264475144-8733rntAccount Name:ttfrrntAccount
Domain:ttADISCONrntLogon ID:tt0xb8c7aedrnrnLogon
Type:ttt7rnrnThis event is generated when a logon session is destroyed. It may
be positively correlated with a logon event using the Logon ID value. Logon IDs are
only unique between reboots on the same computer."}
Parsing Lumberjack Data: mmjsonparse
• Checks if message contains Lumberjack structured
data
▫ If so
 parse out fields
 Use field names directly from the message
▫ If not: populate Lumberjack msg field
• Implemented via action interface
▫ Can be called based on rules, thus only for specific
events
Reading the Lumberjack Data:
/* the rsyslog Windows Agent uses native Lumberjack format
 * (better said: is configured to use it)
 */
ruleset(name="WindowsRsyslog") {
    action(type="mmjsonparse")
    if $parsesuccess == "OK" then {
        if $!id == 4634 then
            set $!usr!type = "logoff";
        else if $!id == 4624 then
            set $!usr!type = "logon";
        set $!usr!rcvdfrom = $!source;
        set $!usr!rcvdat = $timereported;
        set $!usr!user = $!TargetDomainName &
                         "" & $!TargetUserName;
        call outwriter
    }
}
What did we do so far?
• We accepted input from three different sources
▫ Free-form text
▫ Tab-delimited semi-structured
▫ Native Lumberjack
• We extracted the same information items from these
messages
• And stored these inside the $!usr branch variables
So we now need to write the normalized output!
/* this ruleset simulates forwarding to the final destination */
ruleset(name="outwriter") {
    action(type="omfile"
           file="/home/rger/proj/rsyslog/logfile.csv" template="csv")
    action(type="omfile"
           file="/home/rger/proj/rsyslog/logfile.cee" template="cee")
}
Templates do the actual work
template(name="csv" type="list") {
    property(name="$!usr!rcvdat" format="csv")
    constant(value=",")
    property(name="$!usr!rcvdfrom" format="csv")
    constant(value=",")
    property(name="$!usr!user" format="csv")
    constant(value=",")
    property(name="$!usr!type" format="csv")
    constant(value="\n")
}
template(name="cee" type="string"
         string="@cee: %$!usr%\n")
And this is a combined CEE output file:
@cee: { "type": "logon", "rcvdfrom": "rger-virtual-machine", "rcvdat": "Jan 16 09:28:33", "user": "root" }
@cee: { "type": "logoff", "rcvdfrom": "rger-virtual-machine", "rcvdat": "Jan 16 09:28:33", "user": "root" }
@cee: { "type": "logon", "rcvdfrom": "Win2008StdR2x64_vm", "rcvdat": "Feb 05 16:39:27", "user": "WIN2008STDR2X64Administrator" }
@cee: { "type": "logoff", "rcvdfrom": "WIN-VSBQP2NOITT", "rcvdat": "Jan 25 15:44:35", "user": "WIN-VSBQP2NOITTte" }
@cee: { "type": "logoff", "rcvdfrom": "win7fr.intern.adiscon.com", "rcvdat": "Feb 5 11:15:56", "user": "ADISCONfr" }
@cee: { "type": "logon", "rcvdfrom": "win7fr.intern.adiscon.com", "rcvdat": "Feb 5 13:41:28", "user": "NT AUTHORITYSYSTEM" }
And the same in CSV:
"Jan 16 09:28:33","rger-virtual-machine","root","logon"
"Jan 16 09:28:33","rger-virtual-machine","root","logoff"
"Jan 24 02:38:49","rger-virtual-machine","rger","logon"
"Feb 05 16:39:27","Win2008StdR2x64_vm","WIN2008STDR2X64Administrator","logon"
"Jan 25 15:44:35","WIN-VSBQP2NOITT","WIN-VSBQP2NOITTte","logoff"
"Feb 5 11:15:56","win7fr.intern.adiscon.com","ADISCONfr","logoff"
"Feb 5 13:41:28","win7fr.intern.adiscon.com","NT AUTHORITYSYSTEM","logon"
Of course, this is just a small example, but
• It shows how all the pieces can be put together
• mmnormalize is a very important building block to
integrate free-form text logs, no matter what the
source is
• The output format is highly flexible
• Of course, structured outputs like MongoDB or
Elasticsearch are also supported
• We can emit almost all output formats; new ones
require relatively little work in rsyslog's engine
Bottom line
• Rsyslog can act today as a universal log format
translator
• We hope that consumer tools will make use of the
simple-to-process lumberjack format
• HOWEVER, we can already convert into what
today's real-world analysis tools can digest
Once again back to my inbox...
• “I know this is asking a lot since rsyslog would
have to do a bunch of processing. I also understand
there may be a delay in log delivery due to the
processing.”
• Well … actually it's far from being as bad as
described:
▫ Structured logs are ingested very quickly
▫ Liblognorm/mmnormalize is extremely fast in
converting classical text logs
▫ Reformatting is always done in any case, so... ;-)
Long-Term Vision
• There NEVER will be a single format
▫ Political reasons (vendors, projects, history, ...)
▫ Need for new features/functionality
• BUT: use as few as possible
▫ Less hassle for producer and consumer devs
▫ Forces closed-source vendors to support these
standards, making it easier for the OSS guys
▫ Big win for Enterprise folks who get plug&play
• We hope that Lumberjack will be dominant
▫ Stack already in place
▫ Good & simple solution
▫ Rsyslog converts everything running on Linux
Questions?
• Please direct them to the rsyslog mailing list
• Listinfo:
http://lists.adiscon.net/mailman/listinfo/rsyslog
rsyslog meets docker
 
Rsyslog version naming (v8.6.0+)
Rsyslog version naming (v8.6.0+)Rsyslog version naming (v8.6.0+)
Rsyslog version naming (v8.6.0+)
 
The rsyslog v8 engine (developer's view)
The rsyslog v8 engine (developer's view)The rsyslog v8 engine (developer's view)
The rsyslog v8 engine (developer's view)
 
Wetterbeobachtung - Ein Vortrag für die Grundschule
Wetterbeobachtung - Ein Vortrag für die GrundschuleWetterbeobachtung - Ein Vortrag für die Grundschule
Wetterbeobachtung - Ein Vortrag für die Grundschule
 
Rsyslog vs Systemd Journal (Paper)
Rsyslog vs Systemd Journal (Paper)Rsyslog vs Systemd Journal (Paper)
Rsyslog vs Systemd Journal (Paper)
 
CEE Log Integrity and the "Counterpane Paper"
CEE Log Integrity and the "Counterpane Paper"CEE Log Integrity and the "Counterpane Paper"
CEE Log Integrity and the "Counterpane Paper"
 
State of syslog (2005)
State of syslog (2005)State of syslog (2005)
State of syslog (2005)
 
Status of syslog as of 2005
Status of syslog as of 2005Status of syslog as of 2005
Status of syslog as of 2005
 
LogFile Auswertung (log analysis)
LogFile Auswertung (log analysis)LogFile Auswertung (log analysis)
LogFile Auswertung (log analysis)
 

Último

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Rsyslog log normalization

8. Some important log sources
• Free-form text formats
▫ Traditional syslog messages
▫ Application text log files
• Structured formats
▫ Windows Event Log
▫ Linux Journal (today mostly text messages)
▫ Application text log files (XML, CSV, WELF, Apache CLF, whatever)
▫ SNMP traps
▫ New-style syslog

9. How to solve that dilemma?
• Several efforts try very hard to solve this
▫ For many years
▫ With limited success
• Resulted in an approach named “Common Event Expression” (CEE)
▫ Cross-vendor team (both OSS & commercial)
▫ Driven by US MITRE
▫ Built on existing infrastructure

11. CEE's core ideas
• Keep it simple & extensible
• Support existing technology
• As far as the format is concerned
▫ name/value pairs
▫ Keep the structure as flat as possible, but permit some hierarchy
▫ Keep dictionaries of field names, syntax and semantics
▫ Profiles specify what needs to be present in specific event types

12. Project Lumberjack
• Born at last year's Fedora DevConf, right here!
• Intends to
▫ Build on CEE and drive the ideas further
▫ Provide an open source implementation of the core functionality
▫ Deliver something that actually works
• Driven by logging professionals from Red Hat, Balabit (syslog-ng) and Adiscon (rsyslog), open to everyone else

13. What did we do the past year?
• Agreed on the log format
• Made rsyslog fully lumberjack-aware
• Made Adiscon's Windows products fully lumberjack-aware
• Made syslog-ng fully lumberjack-aware
• Created a new syslog API --> libumberlog

14. Back to my mailbox...
“I am working with a customer who is deploying a large rsyslog environment for central logging. Basically they want a cluster of boxes to act as the "log of record". They would also like to have the logs fed to a couple security products for analysis. The customer has a limited budget so having each vendor write parsers is cost prohibitive. A commonality for each of the additional destinations is the ability to ingest logs in <some common format>. I believe rsyslog has the capability to alter the output...”

15. Rsyslog as converter
[Diagram: Linux boxes, Windows, other *nix, firewalls and apps feed rsyslogd, which in turn feeds Security Analyzer I … Security Analyzer n, Log Storage, Capacity Planning and Billing]

16. Some rsyslog basics
• Ruleset
▫ Like a function in a programming language
▫ Consists of (conditional) statements and actions
▫ Can be called from another ruleset or bound to a listener
• Variables
▫ Message variables (e.g. $msg, $rawmsg)
▫ System variables (e.g. $$now)
▫ Structured variables: form a tree-like structure, e.g. $!usr!somevar

17. Let's look at a practical case
• Goal: unified log files with a logon/logoff report
▫ For processing by backend tools (not shown)
▫ Concentrate on just four fields: host system, reception time, username, logon/logoff status
• Inputs
▫ Linux: traditional text log messages
▫ Windows: different agents
• Output
▫ Lumberjack JSON style
▫ CSV
18. Have rsyslog gather the data
    module(load="imtcp")
    /* We assume to have all TCP logging (for simplicity)
     * Note that we use different ports to point different sources
     * to the right rule sets for normalization. While there are
     * other methods (e.g. based on tag or source), using multiple
     * ports is both the easiest as well as the fastest.
     */
    input(type="imtcp" port="13514" ruleset="WindowsRsyslog")
    input(type="imtcp" port="13515" ruleset="LinuxPlainText")
    input(type="imtcp" port="13516" ruleset="WindowsSnare")

19. The Linux input data sample
• Free-text format
    Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session opened for user root by rger(uid=1000)
    Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session closed for user root
    Jan 24 02:38:49 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session opened for user rger by (uid=0)
    Jan 24 02:41:22 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session closed for user rger

20. Parsing free-text messages: mmnormalize
• Uses a “sample rule base”
▫ One sample for each expected message type
▫ A sample contains text (for matching) and property descriptions (like IPv4 address, char-matches, …)
▫ If a sample matches, the corresponding properties are extracted
▫ Special parser for iptables
• Also implemented as an action
• Very fast algorithm (much faster than regex)
• Based on liblognorm (which you can use in your own programs to gain this functionality!)

21. Needs to be normalized
• Job for rsyslog's mmnormalize
• rulebase:
    # SSH and sudo logins
    prefix=%rcvdat:date-rfc3164% %rcvdfrom:word%
    rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word% by (uid=%-:number%)
    rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word%
    rule=: sudo: pam_unix(sudo:session): session %type:word% for user root by %user:char-to:(%(uid=%-:number%)
    rule=: sudo: pam_unix(sudo:session): session %type:word% for user %user:word%

22. Putting it all together:
    /* plain Linux log messages (here: ssh and sudo) need to be
     * parsed - we use mmnormalize for fast and efficient parsing
     * here.
     */
    ruleset(name="LinuxPlainText") {
        action(type="mmnormalize" rulebase="/home/rger/proj/rsyslog/linux.rb" userawmsg="on")
        if $parsesuccess == "OK" and $!user != "" then {
            if $!type == "opened" then
                set $!usr!type = "logon";
            else if $!type == "closed" then
                set $!usr!type = "logoff";
            set $!usr!rcvdfrom = $!rcvdfrom;
            set $!usr!rcvdat = $!rcvdat;
            set $!usr!user = $!user;
            call outwriter
        }
    }

23. Windows horrors: SNARE
• Tab-delimited mess:
    <131>Feb 10 15:48:12 Win2008StdR2x64_vm MSWinEventLog#0111#011Security#0114#011Tue Feb 05 16:39:27 2013#0114624#011Microsoft-Windows-Security-Auditing#011WIN2008STDR2X64\Administrator#011N/A#011Success Audit#011Win2008StdR2x64_vm#011Anmelden#011#011Ein Konto wurde erfolgreich angemeldet. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: WIN2008STDR2X64$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Anmeldetyp: 2 Neue Anmeldung: Sicherheits-ID: S-1-5-21-3148105976-3029560809-1855765213-500 Kontoname: Administrator Kontodomäne: WIN2008STDR2X64 Anmelde-ID: 0x1d1feb Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Prozessinformationen: Prozess-ID: 0xc40 Prozessname: C:\Windows\System32\winlogon.exe Netzwerkinformationen: Arbeitsstationsname: WIN2008STDR2X64 Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 Detaillierte Authentifizierungsinformationen: Anmeldeprozess: User32 Authentifizierungspaket: Negotiate Übertragene Dienste: - Paketname (nur NTLM): - Schlüssellänge: 0 Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer

24. Anyhow... digest by position:
    ruleset(name="WindowsSnare") {
        set $!usr!type = field($rawmsg, "#011", 6);
        if $!usr!type == 4634 then {
            set $!usr!type = "logoff";
            set $!doProces = 1;
        } else if $!usr!type == 4624 then {
            set $!usr!type = "logon";
            set $!doProces = 1;
        } else
            set $!doProces = 0;
        if $!doProces == 1 then {
            set $!usr!rcvdfrom = field($rawmsg, 32, 4);
            set $!usr!rcvdat = field($rawmsg, "#011", 5);
            /* we need to fix up the snare date */
            set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " & field($!usr!rcvdat, 32, 3) & " " & field($!usr!rcvdat, 32, 4);
            set $!usr!user = field($rawmsg, "#011", 8);
            call outwriter
        }
    }

25. Windows: rsyslog Agent
• Native Lumberjack format with Windows field names
• A structured mess ;-)
    <133>Feb 05 11:15:56 win7fr.intern.adiscon.com EvntSLog: @cee: {"source": "win7fr.intern.adiscon.com", "nteventlogtype": "Security", "sourceproc": "Microsoft-Windows-Security-Auditing", "id": "4634", "categoryid": "12545", "category": "12545", "keywordid": "0x8020000000000000", "user": "N\A", "TargetUserSid": "S-1-5-21-803433813-209592097-1264475144-8733", "TargetUserName": "fr", "TargetDomainName": "ADISCON", "TargetLogonId": "0xb8c7aed", "LogonType": "7", "catname": "Logoff", "keyword": "Audit Success", "level": "Information", "msg": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-803433813-209592097-1264475144-8733\r\n\tAccount Name:\t\tfr\r\n\tAccount Domain:\t\tADISCON\r\n\tLogon ID:\t\t0xb8c7aed\r\n\r\nLogon Type:\t\t\t7\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."}
26. Parsing Lumberjack data: mmjsonparse
• Checks if the message contains Lumberjack structured data
▫ If so
  ▪ parse out the fields
  ▪ use the field names directly from the message
▫ If not: populate the Lumberjack msg field
• Implemented via the action interface
▫ Can be called based on rules, thus only for specific events

27. Reading the Lumberjack data:
    /* the rsyslog Windows Agent uses native Lumberjack format
     * (better said: is configured to use it)
     */
    ruleset(name="WindowsRsyslog") {
        action(type="mmjsonparse")
        if $parsesuccess == "OK" then {
            if $!id == 4634 then
                set $!usr!type = "logoff";
            else if $!id == 4624 then
                set $!usr!type = "logon";
            set $!usr!rcvdfrom = $!source;
            set $!usr!rcvdat = $timereported;
            set $!usr!user = $!TargetDomainName & "\\" & $!TargetUserName;
            call outwriter
        }
    }

28. What did we do so far?
• We accepted input from three different sources
▫ Free-form text
▫ Tab-delimited semi-structured
▫ Native Lumberjack
• We extracted the same information items from these messages
• And stored them inside the $!usr branch variables

29. So we now need to write the normalized output!
    /* this ruleset simulates forwarding to the final destination */
    ruleset(name="outwriter") {
        action(type="omfile" file="/home/rger/proj/rsyslog/logfile.csv" template="csv")
        action(type="omfile" file="/home/rger/proj/rsyslog/logfile.cee" template="cee")
    }

30. Templates do the actual work
    template(name="csv" type="list") {
        property(name="$!usr!rcvdat" format="csv")
        constant(value=",")
        property(name="$!usr!rcvdfrom" format="csv")
        constant(value=",")
        property(name="$!usr!user" format="csv")
        constant(value=",")
        property(name="$!usr!type" format="csv")
        constant(value="\n")
    }
    template(name="cee" type="string" string="@cee: %$!usr%\n")

31. And this is a combined CEE output file:
    @cee: { "type": "logon", "rcvdfrom": "rger-virtual-machine", "rcvdat": "Jan 16 09:28:33", "user": "root" }
    @cee: { "type": "logoff", "rcvdfrom": "rger-virtual-machine", "rcvdat": "Jan 16 09:28:33", "user": "root" }
    @cee: { "type": "logon", "rcvdfrom": "Win2008StdR2x64_vm", "rcvdat": "Feb 05 16:39:27", "user": "WIN2008STDR2X64\\Administrator" }
    @cee: { "type": "logoff", "rcvdfrom": "WIN-VSBQP2NOITT", "rcvdat": "Jan 25 15:44:35", "user": "WIN-VSBQP2NOITT\\te" }
    @cee: { "type": "logoff", "rcvdfrom": "win7fr.intern.adiscon.com", "rcvdat": "Feb 5 11:15:56", "user": "ADISCON\\fr" }
    @cee: { "type": "logon", "rcvdfrom": "win7fr.intern.adiscon.com", "rcvdat": "Feb 5 13:41:28", "user": "NT AUTHORITY\\SYSTEM" }

32. And the same in CSV:
    "Jan 16 09:28:33","rger-virtual-machine","root","logon"
    "Jan 16 09:28:33","rger-virtual-machine","root","logoff"
    "Jan 24 02:38:49","rger-virtual-machine","rger","logon"
    "Feb 05 16:39:27","Win2008StdR2x64_vm","WIN2008STDR2X64\Administrator","logon"
    "Jan 25 15:44:35","WIN-VSBQP2NOITT","WIN-VSBQP2NOITT\te","logoff"
    "Feb 5 11:15:56","win7fr.intern.adiscon.com","ADISCON\fr","logoff"
    "Feb 5 13:41:28","win7fr.intern.adiscon.com","NT AUTHORITY\SYSTEM","logon"
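The whole procedure of slides 18 to 32 can be followed offline with the program below. It is an added example, not code from the slides or from the rsyslog project: the liblognorm field types (word, number, date-rfc3164, char-to) are approximated with regular expressions, field() is a simplified stand-in for rsyslog's function (1-based, empty string when the field is missing), and the sample messages are constructed, including one CRON line that no sample in the rulebase covers. The three rulesets, the @cee: cookie handling of mmjsonparse and the two output templates are reproduced so the same four fields come out of all three input styles.

```python
# Added example (not from the slides): a miniature of the deck's rsyslog pipeline. The Linux
# branch compiles the slides' liblognorm-style rulebase (%name:type% fields) into anchored
# regexes; the SNARE and Lumberjack branches mirror the WindowsSnare/WindowsRsyslog rulesets.
# Sample messages are constructed; field() is a simplified stand-in for rsyslog's function.
import csv, io, json, re
# Liblognorm field types the slides' rulebase needs, as regex approximations (assumption)
FIELD_TYPES = {"word": r"\S+", "number": r"\d+", "date-rfc3164": r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"}
FIELD_RE = re.compile(r"%(?P<name>[^:%]+):(?P<type>[^:%]+)(?::(?P<arg>[^%]*))?%")
LINUX_RULEBASE = """\
prefix=%rcvdat:date-rfc3164% %rcvdfrom:word%
rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word% by (uid=%-:number%)
rule=: sshd[%-:number%]: pam_unix(sshd:session): session %type:word% for user %user:word%
rule=: sudo: pam_unix(sudo:session): session %type:word% for user root by %user:char-to:(%(uid=%-:number%)
rule=: sudo: pam_unix(sudo:session): session %type:word% for user %user:word%
"""
SESSION_TYPES = {"opened": "logon", "closed": "logoff"}
EVENT_IDS = {"4624": "logon", "4634": "logoff"}    # Windows security event IDs used in the slides

def compile_rule(prefix, sample):                  # prefix + sample -> one regex; '-' fields not captured
    text, out, pos = prefix + sample, [], 0
    for m in FIELD_RE.finditer(text):
        name, ftype, arg = m.group("name", "type", "arg")
        frag = "[^" + re.escape(arg) + "]+" if ftype == "char-to" else FIELD_TYPES[ftype]
        out += [re.escape(text[pos:m.start()]), frag if name == "-" else "(?P<%s>%s)" % (name, frag)]
        pos = m.end()
    return re.compile("".join(out) + re.escape(text[pos:]))

def load_rulebase(text):
    prefix, rules = "", []
    for line in text.splitlines():
        if line.startswith("prefix="):
            prefix = line[7:]
        elif line.startswith("rule="):             # "rule=TAGS:SAMPLE"; tags are empty here
            rules.append(compile_rule(prefix, line[5:].split(":", 1)[1]))
    return rules

def field(s, delim, n):                            # 1-based like rsyslog's field(); "" when absent
    parts = s.split(delim)
    return parts[n - 1] if 0 < n <= len(parts) else ""

def linux_plaintext(msg, rules):
    """LinuxPlainText ruleset: the first sample matching the whole message wins."""
    for rx in rules:
        m = rx.fullmatch(msg)
        if m and m.group("user"):
            return {"type": SESSION_TYPES.get(m.group("type")), "rcvdfrom": m.group("rcvdfrom"),
                    "rcvdat": m.group("rcvdat"), "user": m.group("user")}
    return None                                    # $parsesuccess != "OK": nothing is written

def windows_snare(rawmsg):
    """WindowsSnare ruleset: fields by position; "#011" is rsyslog's escaped TAB."""
    etype = EVENT_IDS.get(field(rawmsg, "#011", 6))
    if etype is None:
        return None                                # $!doProces == 0 in the slides
    snare_date = field(rawmsg, "#011", 5)          # e.g. "Tue Feb 05 16:39:27 2013"
    return {"type": etype, "rcvdfrom": field(rawmsg, " ", 4),
            "rcvdat": " ".join(field(snare_date, " ", i) for i in (2, 3, 4)),
            "user": field(rawmsg, "#011", 8)}

def windows_lumberjack(msg):
    """WindowsRsyslog ruleset: JSON after the "@cee:" cookie (as mmjsonparse); other IDs dropped."""
    at = msg.find("@cee:")
    try:
        ev = json.loads(msg[at + 5:]) if at >= 0 else {}
    except json.JSONDecodeError:
        ev = {}
    etype = EVENT_IDS.get(str(ev.get("id"))) if isinstance(ev, dict) else None
    hdr = re.match(r"<\d+>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ", msg)   # $timereported
    if etype is None or hdr is None:
        return None
    return {"type": etype, "rcvdfrom": ev.get("source", ""), "rcvdat": hdr.group(1),
            "user": ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", "")}

def to_cee(rec):                                   # the "cee" template
    return "@cee: " + json.dumps(rec, separators=(", ", ": "))
def to_csv(records):                               # the "csv" template
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerows([r["rcvdat"], r["rcvdfrom"], r["user"], r["type"]] for r in records)
    return buf.getvalue()

SAMPLES = [  # constructed (ruleset, message) pairs; the CRON line matches no sample
    ("LinuxPlainText", "Jan 16 09:28:33 rger-virtual-machine sudo: pam_unix(sudo:session): session opened for user root by rger(uid=1000)"),
    ("LinuxPlainText", "Jan 24 02:41:22 rger-virtual-machine sshd[2414]: pam_unix(sshd:session): session closed for user rger"),
    ("LinuxPlainText", "Jan 24 02:50:01 rger-virtual-machine CRON[2500]: pam_unix(cron:session): session opened for user root by (uid=0)"),
    ("WindowsSnare", "<131>Feb 10 15:48:12 Win2008StdR2x64_vm MSWinEventLog#0111#011Security#0114#011Tue Feb 05 16:39:27 2013#0114624#011Microsoft-Windows-Security-Auditing#011WIN2008STDR2X64\\Administrator#011N/A#011Success Audit"),
    ("WindowsRsyslog", '<133>Feb 05 11:15:56 win7fr.intern.adiscon.com EvntSLog: @cee: {"source": "win7fr.intern.adiscon.com", "id": "4634", "TargetUserName": "fr", "TargetDomainName": "ADISCON"}'),
]

def run_pipeline(samples=SAMPLES):
    """Route each message to its ruleset; return (normalized records, unparsed messages)."""
    rules = load_rulebase(LINUX_RULEBASE)
    rulesets = {"LinuxPlainText": lambda m: linux_plaintext(m, rules),
                "WindowsSnare": windows_snare, "WindowsRsyslog": windows_lumberjack}
    records, unparsed = [], []
    for ruleset, msg in samples:
        rec = rulesets[ruleset](msg)
        (records if rec else unparsed).append(rec if rec else msg)   # keep the drops countable
    return records, unparsed
```

Two points differ deliberately from the deck's configuration and are worth keeping in mind when reading the slides. First, the rulesets only call outwriter on a successful parse, so a message without a matching sample (the CRON line here) simply never appears in the output; run_pipeline returns those messages separately so the gap in rulebase coverage is visible instead of silent. Second, the WindowsRsyslog ruleset on slide 27 sets $!usr!type only for IDs 4624 and 4634 but writes every parsed event, so other security events reach the report with an empty type; the example gates on the ID the way the WindowsSnare ruleset does with $!doProces.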
33. Of course, this is just a small example, but
• It shows how all the pieces can be put together
• mmnormalize is a very important building block to integrate free-form text logs, no matter what the source is
• The output format is highly flexible
• Of course, structured outputs like MongoDB or Elasticsearch are also supported
• We can emit almost all output formats; new ones require relatively little work in rsyslog's engine

34. Bottom line
• Rsyslog can act today as a universal log format translator
• We hope that consumer tools will make use of the simple-to-process Lumberjack format
• HOWEVER, we can already convert into what today's real-world analysis tools can digest

35. Once again back to my inbox...
• “I know this is asking a lot since rsyslog would have to do a bunch of processing. I also understand there may be a delay in log delivery due to the processing.”
• Well … actually it's far from being as bad as described:
▫ Structured logs are ingested very quickly
▫ Liblognorm/mmnormalize is extremely fast in converting classical text logs
▫ Reformatting is always done in any case, so... ;-)

36. Long-term vision
• There NEVER will be a single format
▫ Political reasons (vendors, projects, history, ...)
▫ Need for new features/functionality
• BUT: use as few as possible
▫ Less hassle for producer and consumer devs
▫ Forces closed source vendors to support these standards, making it easier for the OSS guys
▫ Big win for enterprise folks who get plug&play
• We hope that Lumberjack will be dominant
▫ Stack already in place
▫ Good & simple solution
▫ Rsyslog converts everything running on Linux

37. Questions?
• Please direct them to the rsyslog mailing list
• Listinfo: http://lists.adiscon.net/mailman/listinfo/rsyslog