The blank() filter is a filter function with a descriptive name: it selects empty or undefined name-value pairs. While most of what the blank() filter does has been possible for a long time, using this new filter makes configurations easier to understand.

Before you begin

The blank() filter first appeared in syslog-ng version 4.10. If you use an earlier version, update to 4.10. You can find links to third party repositories for up-to-date syslog-ng packages at https://www.syslog-ng.com/products/open-source-log-management/3rd-party-binaries.aspx.

Configuring syslog-ng

Before the blank() filter, it was still possible to check whether a name-value pair was non-empty using a string comparison. While comparing a name-value pair to an empty string ("") works, it makes reading configurations less straightforward.

The configuration snippet below should be appended to syslog-ng.conf or saved in the /etc/syslog-ng/conf.d/ directory if your syslog-ng configuration is set to use it. This configuration collects local log messages and parses them with a PatternDB parser using rules for SSHD log messages. It writes log messages into a JSON-formatted text file, but only if the message has an SSHD-specific name-value pair. The blank() filter detects whether the given name-value pair is empty or undefined, so a log message is only written if that name-value pair is not blank.

# sshd patterndb
parser p_patterndb {
    db-parser(
        file(
            '/etc/syslog-ng/sshd.xml'
        )
    );
};

destination d_json {
  file("/var/log/json" template("$(format-json --scope rfc5424 --scope dot-nv-pairs
       --rekey .* --shift 1 --scope nv-pairs --exclude MESSAGE --exclude .journal*)\n\n"));
};

log {
  source(src);
  parser(p_patterndb);
  if (not blank(usracct.username)) {
    destination(d_json);
  };
};
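For comparison, here is the same check written both ways: the pre-4.10 string comparison against an empty string and the blank() form. This is an added example, not code from the original post or from the syslog-ng project; the filter names f_has_username_legacy and f_has_username are my own, while src, p_patterndb and d_json are the objects defined in the snippet above. An undefined name-value pair expands to an empty string in a template, which is why the legacy comparison catches both the missing and the empty case, just less readably.

```conf
# Before syslog-ng 4.10: a string comparison against an empty string.
# The intent (does this message carry an SSHD username?) is hidden
# behind the quoting, and "ne" must be used rather than "!=" to get a
# string comparison. Filter name is an assumption for this example.
filter f_has_username_legacy {
    "${usracct.username}" ne "";
};

# syslog-ng 4.10 and later: the same condition spelled out.
# blank() matches when the name-value pair is undefined or empty,
# so "not blank()" selects messages where it is set.
filter f_has_username {
    not blank(usracct.username);
};

# Either filter can replace the inline if-block in the log path above.
log {
    source(src);
    parser(p_patterndb);
    filter(f_has_username);
    destination(d_json);
};
```

Swapping filter(f_has_username) for filter(f_has_username_legacy) produces the same /var/log/json output, which is a quick way to confirm the two forms are equivalent on your own messages before converting an existing configuration.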

Notes:

  • The source name for local log messages might be different on your OS/Linux distribution. Check syslog-ng.conf for the actual name.

  • The PatternDB XML file is taken from https://github.com/balabit/syslog-ng-patterndb. These files are not maintained anymore but they still might be a good starting point when writing your own patterns.

  • The blank() filter was not there in the initial version of the configuration, so I was able to check whether the file format was right and the name-value pairs were created.

Testing

I chose SSHD logs as an example for this blog, as they are very easy to test: almost all Linux/UNIX servers and workstations have SSH installed.

Once you have reloaded the syslog-ng configuration, ssh to that host. After logging in and out, you should see two log messages similar to these in /var/log/json, a login and a logout event:

{"usracct":{"username":"root","type":"login","sessionid":"3540","service":"ssh2","device":"172.16.167.1","authmethod":"keyboard-interactive/pam","application":"sshd"},"secevt":{"verdict":"ACCEPT"},"classifier":{"rule_id":"4dd5a329-da83-4876-a431-ddcb59c2858c","class":"system"},"TRANSPORT":"local+journal","SOURCE":"src","PROGRAM":"sshd","PRIORITY":"info","PID":"3540","HOST_FROM":"leap156","HOST":"leap156","FACILITY":"auth","DATE":"Oct 10 15:20:13"}

{"usracct":{"username":"root","type":"logout","sessionid":"3540","application":"sshd"},"classifier":{"rule_id":"9febec68-13ef-4ed2-97f3-689df4d49a8a","class":"system"},"TRANSPORT":"local+journal","SOURCE":"src","PROGRAM":"sshd","PRIORITY":"info","PID":"3540","HOST_FROM":"leap156","HOST":"leap156","FACILITY":"authpriv","DATE":"Oct 10 15:54:26"}

What is next?

Now that you have tested the new blank() filter with an easy-to-understand configuration, it is time to make your existing configurations easier to read.

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.
