Bazsi's blog

Guarding Your Business

Intrusion Prevention with syslog-ng

Wednesday, February 23, 2011 @ 03:02 PM Author: Balázs Scheidler
Valentijn has published (blog post, mailing list archive) a nice hack using syslog-ng to actively react to intrusion attempts with patterndb and iptables. The blocking part is implemented using the iptables recent match, which is capable of closing an opened port for a certain amount of time. This is controlled by syslog-ng: whenever a login ...

syslog-ng’s development drivers

Sunday, February 6, 2011 @ 01:02 PM Author: Balázs Scheidler
I got some interesting comments in a forum posting, outlining a perception of how syslog-ng's development is driven by BalaBit. The original post is here, but the interesting quote I'd like to react to is this: @all Some general points: A main difference between rsyslog and syslog-ng is that syslog-ng is backed by a large commercial organisation ...

Article on message correlation

Tuesday, February 1, 2011 @ 06:02 PM Author: Balázs Scheidler
There's a good writeup on syslog-ng correlation functions on LWN. Since it is currently for subscribers only, here's a link that you can use to see it until it is published: http://lwn.net/SubscriberLink/424459/dc2ec3fee7d80d3b/ LWN is a great publication by the way, so consider subscribing if you can.

syslog-ng releases

Sunday, January 16, 2011 @ 04:01 PM Author: Balázs Scheidler
I've made a round of syslog-ng releases in the last couple of weeks.
syslog-ng 3.0.10 [changelog]
syslog-ng 3.1.4 [changelog]
syslog-ng 3.2.2 [changelog]
From these, 3.0.10 and 3.1.4 are quite similar, as they carry almost the same set of bugfixes, which you can find in the respective changelogs. 3.2.2 is however different, it is a slightly ...

mongodb() driver for syslog-ng

Tuesday, January 11, 2011 @ 05:01 PM Author: Balázs Scheidler
Update: The driver has a homepage of its own at http://asylum.madhouse-project.org/projects/syslog-ng/mongodb/ Though I had no chance to look at it yet, Algernon has posted a MongoDB destination driver for syslog-ng. I can't wait to have a closer look at it, hopefully I get a chance in the coming days, but until then be sure to ...

Threading + epoll on 3.3 mainline

Tuesday, December 21, 2010 @ 04:12 PM Author: Balázs Scheidler
I've achieved an important milestone on the current threading stuff and I'm happy to tell you that multi-processing and epoll related performance improvements work is progressing nicely. The current master branch of the syslog-ng-3.3 tree runs the testsuite (make check) and performs much better than earlier releases. The only performance data was measured on my laptop, ...

syslog-ng 3.2 in openSUSE

Wednesday, December 8, 2010 @ 09:12 PM Author: Balázs Scheidler
The adoption rate of syslog-ng 3.2 is marvellous. It was made available for Mandriva on the date of the release, and about a week later openSUSE Factory has a package, thanks to Marius Tomaschewsky. I also received a patch to include support for cygwin into the system() source, courtesy of Corinna Vinschen. FreeBSD ports still ...

patterndb goes CEE

Monday, November 29, 2010 @ 03:11 PM Author: Balázs Scheidler
A regular reader of this blog may already have heard about patterndb, a collection of syslog-ng db-parser() rules that will make syslog-ng the center of the universe :) OK, I was joking, patterndb is a collection of log samples which make it possible to do more to your logs than merely processing them: For example if ...

A Mandriva package of 3.2.1 is already available

Sunday, November 28, 2010 @ 08:11 PM Author: Balázs Scheidler
Thanks to Guillaume Rousse, an RPM package of syslog-ng 3.2.1 is already available for Mandriva Linux. Let's see how the other distros will react :)

syslog-ng 3.2.1 released

Saturday, November 27, 2010 @ 09:11 AM Author: Balázs Scheidler
Hi, After 2 alpha and a beta release I've decided to declare that syslog-ng OSE 3.2 is now stable, and thus I've released 3.2.1, the first in the 3.2.x series. This version has the largest list of features ever since the syslog-ng project was born, so make sure you check out all the goodies. :) The key ...

Collecting log samples

Friday, November 26, 2010 @ 04:11 PM Author: Balázs Scheidler
If you are a regular reader of this blog, you'll probably know that syslog-ng is now entering the log message processing scene with its db-parser functionality. In order to improve our pattern coverage, Peter has started a log sample collection initiative. Please help him with good quality samples so our login/logout coverage becomes significantly better. Here's ...

patterndb versioning

Tuesday, November 23, 2010 @ 09:11 AM Author: Balázs Scheidler
You probably know that during the 3.2 development series a lot of functionality has been added to db-parser() (aka patterndb). All of this functionality was upward compatible with the old XML file format, so at first I've decided not to change the patterndb version number, it remained at v3. However, after a talk with Robert, ...

Progress on multi-thread & epoll support

Sunday, November 7, 2010 @ 01:11 PM Author: Balázs Scheidler
Although I was not posting on this blog, I was working on syslog-ng multi-thread support in the last couple of weeks. Most of the preparation was done during the Netfilter Workshop (I know it wasn't netfilter related :) and I've since used up any possible occasions to work on the code instead of writing about ...

Netfilter Workshop 2010

Monday, October 18, 2010 @ 11:10 AM Author: Balázs Scheidler
Among others I'm somewhat involved in Linux Netfilter development because of our Zorp proxy based product. It is that time of the year again when Netfilter developers converge, this time in Seville, thanks to our generous host Pablo Neira. So I may not be that responsive this week, but I'll definitely check emails and possibly ...

syslog-ng OSE 3.2beta1 released

Sunday, October 17, 2010 @ 12:10 PM Author: Balázs Scheidler
Dear syslog-ng users, I'm happy to announce that an important milestone towards the new syslog-ng release has been reached. syslog-ng OSE 3.2beta1 has been uploaded to our website. It contains a lot of important new functionality compared to 3.2alpha2 and also some care has been taken to shake out release-critical bugs. As of now I don't know about ...

syslog-ng correlation updated

Monday, October 11, 2010 @ 03:10 PM Author: Balázs Scheidler
I'm trying to push syslog-ng 3.2beta1 out the door, but as I was writing the NEWS entry I had to realize that the latest state of the patterndb correlation functions is undocumented so far. So here goes a blog post which tries to summarize how it works, so that I can include it in ...

Introducing Zorp

Wednesday, October 6, 2010 @ 01:10 PM Author: Balázs Scheidler
You may not know, but in addition to my work on syslog-ng I fulfill a couple of roles in BalaBit. Among others I'm the product manager of Zorp Gateway, an application layer firewall. The reason for my silence on this front basically was that there's a long ongoing project inside the company walls to ...

syslog-ng now supports the syslog.conf file format

Thursday, September 30, 2010 @ 12:09 PM Author: Balázs Scheidler
People complained that syslog-ng is not a drop-in syslogd replacement and you have to learn a new configuration file format. Although I really think that syslog-ng's way is superior to the old syslog.conf style, it is true that for someone not familiar with syslog-ng, the syntax of the configuration is something that needs to be ...

patternize is in the mainline

Wednesday, September 29, 2010 @ 01:09 PM Author: Balázs Scheidler
Just a quick post to let you know that I've integrated gyp's patternize patches, so if you check out the latest greatest revision from git, patternize will be included. To those who don't know what patternize is about, it is an implementation of Risto Vaarandi's SLCT algorithm by my fellow colleague Péter Gyöngyösi. I've ...

Syslog-ng correlation

Wednesday, September 29, 2010 @ 09:09 AM Author: Balázs Scheidler
I think we've reached an important milestone with syslog-ng: log message correlation was added to db-parser(). As you probably know dbparser and its sister project patterndb are able to transform unstructured syslog messages into a normalized format: the human readable string content becomes a set of name-value pairs. The problem is ...
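The two posts on this page that describe a technique, the intrusion-prevention hack (syslog-ng + patterndb + the iptables recent match) and the db-parser() correlation post above, sketch one pipeline: normalize each message into name-value pairs, correlate across messages, then react. As an added illustration of that idea (not code from this blog, from Valentijn's hack, or from syslog-ng itself), the Python below models the three steps on constructed sshd lines. Regexes with named groups stand in for patterndb patterns, a per-source sliding window stands in for the correlation state, and the reaction is the shell command a program() destination could run, using the kernel's /proc/net/xt_recent interface. The sample lines, the threshold and window values, the list name "blocked" and the choice of xt_recent as the glue are all my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines (not from the blog): three failures from one
# address inside a few seconds, one successful login, and a lone failure later.
SAMPLE_LOG = """\
Feb 23 15:01:02 gw sshd[4011]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb 23 15:01:05 gw sshd[4011]: Failed password for root from 203.0.113.7 port 51123 ssh2
Feb 23 15:01:09 gw sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Feb 23 15:01:11 gw sshd[4013]: Accepted publickey for bazsi from 198.51.100.4 port 40022 ssh2
Feb 23 15:20:00 gw sshd[4020]: Failed password for root from 203.0.113.7 port 51200 ssh2
"""

# Regexes standing in for patterndb <pattern> entries; the named groups play
# the role of the name-value pairs a db-parser() rule would set (assumed names).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
PATTERNS = {
    "login.failed": re.compile(
        r"^Failed password for (?:invalid user )?(?P<username>\S+) "
        r"from (?P<device>\S+) port (?P<port>\d+)"),
    "login.ok": re.compile(
        r"^Accepted (?P<method>\S+) for (?P<username>\S+) "
        r"from (?P<device>\S+) port (?P<port>\d+)"),
}


def normalize(line, year=2011):
    """Classify one raw syslog line and return its name-value pairs, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    nv = {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
          "host": m["host"], "program": m["program"], "class": "unknown"}
    for cls, pat in PATTERNS.items():
        pm = pat.match(m["msg"])
        if pm:
            nv["class"] = cls
            nv.update(pm.groupdict())
            break
    return nv


class Correlator:
    """Sliding-window counter per source address: the correlation step that
    turns individual failed-login messages into one 'burst detected' event."""

    def __init__(self, threshold=3, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)

    def feed(self, nv):
        """Return a block action when a source reaches the threshold inside the window, else None."""
        if nv is None or nv["class"] != "login.failed":
            return None
        q = self.failures[nv["device"]]
        q.append(nv["ts"])
        # drop failures older than the window, measured from this message
        while (nv["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()  # one action per burst; a later burst has to start over
            return {"action": "block", "device": nv["device"],
                    "failures": count, "at": nv["ts"]}
        return None


def block_command(action, list_name="blocked"):
    """Shell command a syslog-ng program() destination could run for an action.
    Writing '+ADDR' to /proc/net/xt_recent/<list> adds the address to the
    kernel's recent list, so a rule such as
      iptables -A INPUT -p tcp --dport 22 -m recent --name blocked --rcheck --seconds 600 -j DROP
    drops that source for 600 seconds (assumed glue, not the post's script)."""
    return f"echo +{action['device']} > /proc/net/xt_recent/{list_name}"


def run(log_text, threshold=3, window_seconds=60):
    """Feed every line through normalize -> correlate and collect the block actions."""
    corr = Correlator(threshold, window_seconds)
    actions = []
    for line in log_text.splitlines():
        action = corr.feed(normalize(line))
        if action:
            actions.append(action)
    return actions


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a["at"], a["device"], a["failures"], "->", block_command(a))
```

On the constructed input the three failures at 15:01 produce exactly one block action and the isolated failure at 15:20 produces none. Two practical caveats: the /proc/net/xt_recent/<name> file only exists once an iptables rule referencing that --name has been loaded, and because this reacts to attacker-controlled log content, a real script should only ever pass a value validated as an IP address to the shell (the example formats nothing but the address field, never the username).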