Error when using to_syslog_ietf() function in config for Ubuntu 18.04
#1
abajosh
The following config file works in Ubuntu 14.04, but throws an error when used on an 18.04 server. Am I using the to_syslog_ietf() function incorrectly?
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
##### Logging #####
<Input messages>
Module im_file
File "/var/log/syslog"
</Input>
<Input audit>
Module im_file
File "/var/log/audit/audit.log"
# Exec $Message = $Hostname + ' ' + $raw_event;
</Input>
<Input auth>
Module im_file
File "/var/log/auth.log"
</Input>
<Input eve>
Module im_file
File "/var/log/suricata/eve.json"
</Input>
<Output tcp>
Module om_tcp
Host 10.10.10.33
Port 514
</Output>
<Output tcp_audit>
Module om_tcp
Host 10.10.10.33
Port 514
Exec to_syslog_ietf();
</Output>
<Output tcp_eve>
Module om_tcp
Host 10.10.10.33
Port 10002
</Output>
<Route messages_to_tcp>
Path messages, auth => tcp
</Route>
<Route messages_to_tcp_audit>
Path audit => tcp_audit
</Route>
<Route eve_to_tcp>
Path eve => tcp_eve
</Route>
Hi Josh,
You are experiencing an error because you did not import the Syslog extension.
<Extension _syslog>
Module xm_syslog
</Extension>
I hope this helps
Br
Jeffron
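An added check, not NXLog's tooling or either poster's code: a small Python lint that parses the block/directive layout of an NXLog configuration and reports any Exec directive calling a syslog formatting function (such as to_syslog_ietf()) when no <Extension> block loads xm_syslog, the cause described in the reply above. The sample config and the list of xm_syslog functions are constructed for this example.

```python
import re

# Functions provided by NXLog's xm_syslog extension (constructed subset used by this check)
SYSLOG_FUNCS = ("to_syslog_ietf", "to_syslog_bsd", "parse_syslog", "parse_syslog_ietf")
BLOCK_OPEN = re.compile(r"^<(Extension|Input|Output|Processor|Route)\s+(\S+)>$", re.I)
BLOCK_CLOSE = re.compile(r"^</(Extension|Input|Output|Processor|Route)>$", re.I)
DIRECTIVE = re.compile(r"^(\w+)\s+(.*)$")

def parse_blocks(text):
    """Return [{'kind', 'name', 'directives': [(key, value), ...]}] for each <Kind name> block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            current = {"kind": opened.group(1).capitalize(), "name": opened.group(2), "directives": []}
            blocks.append(current)
        elif BLOCK_CLOSE.match(line):
            current = None
        elif current is not None and DIRECTIVE.match(line):
            key, value = DIRECTIVE.match(line).groups()
            current["directives"].append((key, value))
    return blocks

def lint_syslog_usage(text):
    """Return one finding per Exec that calls an xm_syslog function while no xm_syslog Extension is loaded."""
    blocks = parse_blocks(text)
    has_xm_syslog = any(b["kind"] == "Extension" and ("module", "xm_syslog") in
                        [(k.lower(), v.strip().lower()) for k, v in b["directives"]] for b in blocks)
    problems = []
    for b in blocks:
        for key, value in b["directives"]:
            used = [f for f in SYSLOG_FUNCS if key.lower() == "exec" and re.search(rf"\b{f}\s*\(", value)]
            if used and not has_xm_syslog:
                problems.append(f"{b['kind']} {b['name']}: Exec calls {', '.join(used)} but no "
                                "<Extension> block with 'Module xm_syslog' is defined")
    return problems

# Constructed sample: the tcp_audit output from the question, then the same with the fix applied.
BROKEN_CONFIG = """<Output tcp_audit>
Module om_tcp
Host 10.10.10.33
Port 514
Exec to_syslog_ietf();
</Output>"""
FIXED_CONFIG = "<Extension _syslog>\nModule xm_syslog\n</Extension>\n" + BROKEN_CONFIG
```

Run lint_syslog_usage() on the full contents of nxlog.conf; an empty list means every Exec that calls a syslog function has the extension it depends on.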