[rsyslog-notify] Forum Thread: Re: BlueCoat SG and Rsyslog - (Mode 'reply')
noreply at adiscon.com
Thu Dec 31 21:33:49 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26265#p26265
Message:
----------
I started ignoring Gartner's "Magic Quadrant" stuff a decade or more ago.
It makes for good marketing to upper management, but has very little
correlation with what's actually usable. They also completely ignore all
OpenSource software.
For what it's worth, I'm also surprised that BlueCoat doesn't support
delivering its logs to syslog, it's the protocol that any log processing
tool is going to support. The buzzword in this type of thing is SIEM
systems, they all work by looking at logs, and they all support receiving
logs via syslog (syslog is the lowest common denominator, just about
everything supports it). You do see some people reinventing the wheel and
creating new logging protocols where they layer JSON (or a variety of other
serialization formats) on top of HTTP or create a new protocol in other
ways, but unless you are a Facebook or Google, you are going to have a lot
of equipment and software that doesn't talk your new fancy protocol and end
up having to support syslog in some way (or miss out on critical
information about what's happening on your network).
That said, looking at the log file, it looks like a fairly standard space
separated log file with quoted strings, and rsyslog can easily handle files
like this, but if you just send them over the wire to any system that is
expecting formatted messages, you are going to have problems (this includes
splunk, they do expect that the data received on their syslog interface
meet the syslog spec, at least in the big things like the start of the
message and newlines at the end of the message).
If you just want something to listen on the network and write to a file, use
netcat (nc). If you want something that can do more intelligent things with
log messages, then rsyslog is a great option, but you do need to comply
with one of the many different standards that rsyslog supports.
Is there a config option to change the log format? If not, you are not
going to be able to just redirect this log feed to the network and have
things work. You will have to write to a file and have something scrape the
file to then deliver it over the network. In rsyslog, this is the imfile
module. You can also use the mmnormalize module to parse the log lines if
you want.
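As an added illustration of the imfile + mmnormalize approach the reply recommends (example configuration written for this thread, not the poster's own and not from the rsyslog project): the column order, file paths and SIEM host below are assumptions, and the sample line is constructed; the rule must be adjusted to the columns actually present in the BlueCoat log.

```conf
# --- /etc/rsyslog.d/bluecoat.rb (liblognorm rulebase; column order is an assumption) ---
# Constructed sample line that the rule below matches:
# 2015-12-31 21:33:49 120 10.0.0.5 200 TCP_HIT 1520 410 GET "Mozilla/5.0 (X11; Linux)" "Corporate Sites" 10.0.0.1
version=2
rule=access:%date:date-iso% %time:time-24hr% %time_taken:number% %c_ip:ipv4% %sc_status:number% %s_action:word% %sc_bytes:number% %cs_bytes:number% %cs_method:word% %user_agent:quoted-string% %category:quoted-string% %s_ip:ipv4%

# --- /etc/rsyslog.conf fragment ---
module(load="imfile")
module(load="mmnormalize")

# Scrape the proxy's access log file rather than pointing the appliance at the network.
input(type="imfile" File="/var/log/bluecoat/access.log"
      Tag="bluecoat:" Severity="info" Facility="local0" ruleset="bluecoat")

# Wrap the parsed fields (as JSON) in a proper RFC 5424 frame: PRI, header, then a newline.
template(name="bluecoat-json" type="list") {
    constant(value="<") property(name="pri") constant(value=">1 ")
    property(name="timereported" dateFormat="rfc3339") constant(value=" ")
    property(name="hostname") constant(value=" bluecoat - - - ")
    property(name="$!all-json") constant(value="\n")
}

ruleset(name="bluecoat") {
    # Parse each space-separated, quoted-string line against the rulebase above.
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/bluecoat.rb" useRawMsg="off")
    if $parsesuccess == "OK" then {
        # Only well-formed syslog goes to the SIEM (siem.example.com is a placeholder).
        action(type="omfwd" target="siem.example.com" port="514" protocol="tcp"
               template="bluecoat-json")
    } else {
        # Lines the rule did not match are kept locally for rule tuning, not forwarded.
        action(type="omfile" file="/var/log/bluecoat-unparsed.log")
    }
}
```

The else branch is the check worth keeping: a column added or reordered on the proxy shows up as growth in the unparsed file instead of as silently mis-parsed events at the SIEM.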