diff --git a/config/_default/config.toml b/config/_default/config.toml index 23576114..9cacd25c 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -173,6 +173,8 @@ description = "Documentation for AxoSyslog, the scalable security data processor name = "AxoSyslog" abbrev = "AxoSyslog" version = "4.18" +# techversion includes patch version number, needed for install/image commands +# configversion is needed in the config file examples techversion = "4.18.0" configversion = "4.18" syslog-ng = "syslog-ng" diff --git a/content/chapter-configuration-file/configuration-syntax/_index.md b/content/chapter-configuration-file/configuration-syntax/_index.md index 0adb5dfa..7e808e8d 100644 --- a/content/chapter-configuration-file/configuration-syntax/_index.md +++ b/content/chapter-configuration-file/configuration-syntax/_index.md @@ -7,7 +7,7 @@ weight: 300 Every `syslog-ng.conf` configuration file must begin with a line containing version information. For `syslog-ng` version {{% param "product.version" %}}, this line looks like: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} ``` - If the configuration file does not contain the version information, `syslog-ng` assumes that the file is for version 2.x. In this case it interprets the configuration and sends warnings about the parts of the configuration that should be updated. Version 3.0 and later can operate with configuration files of version 2.x, but the default values of certain parameters have changed since 3.0. 
@@ -18,7 +18,7 @@ Every `syslog-ng.conf` configuration file must begin with a line containing vers The following is a very simple configuration file for `syslog-ng`: it collects the internal messages of `syslog-ng` and the messages from `/dev/log` into the `/var/log/messages_syslog-ng.log` file. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_local { unix-dgram("/dev/log"); internal(); }; diff --git a/content/chapter-configuration-file/large-configs/config-blocks/_index.md b/content/chapter-configuration-file/large-configs/config-blocks/_index.md index f5efdb44..985b21e0 100644 --- a/content/chapter-configuration-file/large-configs/config-blocks/_index.md +++ b/content/chapter-configuration-file/large-configs/config-blocks/_index.md @@ -46,7 +46,7 @@ Suppose you are running an application on your hosts that logs into the `/opt/va Include this file in your main `syslog-ng.conf` configuration file, reference the block, and use it in a logpath: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "/myblocks.conf" source s_myappsource { myappsource(); }; ... diff --git a/content/chapter-configuration-file/large-configs/including-config-files/_index.md b/content/chapter-configuration-file/large-configs/including-config-files/_index.md index 16504fe9..d8718956 100644 --- a/content/chapter-configuration-file/large-configs/including-config-files/_index.md +++ b/content/chapter-configuration-file/large-configs/including-config-files/_index.md @@ -29,7 +29,7 @@ When including configuration files, consider the following points: - Include statements can only be used at top level of the configuration file. For example, the following is correct: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "example.conf" ``` 
diff --git a/content/chapter-destinations/azure-monitor/_index.md b/content/chapter-destinations/azure-monitor/_index.md index 90f00912..7becc9c5 100644 --- a/content/chapter-destinations/azure-monitor/_index.md +++ b/content/chapter-destinations/azure-monitor/_index.md @@ -4,6 +4,7 @@ linktitle: "azure-monitor: Azure Monitor and Sentinel" weight: 150 driver: "azure-monitor()" short_description: "Send messages to Azure Monitor and Sentinel" +type: http --- @@ -30,6 +31,9 @@ For details, see the [Tutorial: Send data to Azure Monitor Logs with Logs ingest The `azure-monitor()` driver sends data to the built-in tables of Azure Monitor. The body of the message (`${MESSAGE}`) must be in JSON format. The keys in the JSON array must have the same names as the columns of the table (you can use [`format-json`]({{< relref "/chapter-manipulating-messages/customizing-message-format/reference-template-functions/_index.md#template-function-format-json" >}}) or ['FilterX`]({{< relref "/filterx/_index.md" >}})). If a field is empty, or Azure cannot parse it, it will be blank. The following example sends data to the [syslog table](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/syslog). ```sh +@include "scl.conf" +# ... + destination d_azure { azure-monitor( stream-name("syslog") diff --git a/content/chapter-destinations/configuring-destinations-redis/_index.md b/content/chapter-destinations/configuring-destinations-redis/_index.md index 12a30bd4..0485e461 100644 --- a/content/chapter-destinations/configuring-destinations-redis/_index.md +++ b/content/chapter-destinations/configuring-destinations-redis/_index.md 
@@ -41,7 +41,7 @@ The following destination counts the number of log messages received per host. The following example creates a statistic from Apache webserver logs about the browsers that the visitors use (per minute) ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_apache { file("/var/log/apache2/access.log"); diff --git a/content/chapter-destinations/configuring-destinations-riemann/_index.md b/content/chapter-destinations/configuring-destinations-riemann/_index.md index d5f9234b..a20f5d90 100644 --- a/content/chapter-destinations/configuring-destinations-riemann/_index.md +++ b/content/chapter-destinations/configuring-destinations-riemann/_index.md @@ -28,7 +28,7 @@ For the list of available parameters, see {{% xref "/chapter-destinations/config The following destination sends the value of the SEQNUM macro (the number of messages sent to this destination) as a metric to the Riemann server. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_network { network(port(12345)); diff --git a/content/chapter-destinations/configuring-destinations-telegram/_index.md b/content/chapter-destinations/configuring-destinations-telegram/_index.md index f2f54682..0288b0ca 100644 --- a/content/chapter-destinations/configuring-destinations-telegram/_index.md +++ b/content/chapter-destinations/configuring-destinations-telegram/_index.md @@ -3,6 +3,7 @@ title: "telegram: Send messages to Telegram" weight: 7100 driver: "telegram()" short_description: "Send messages to Telegram" +type: http --- 
@@ -10,31 +11,33 @@ The `telegram()` destination sends log messages to [Telegram](https://core.teleg Note that this destination automatically uses the certificate store of the system (for details, see the [curl documentation](https://curl.se/docs/sslcerts.html)). - ## Declaration: ```shell - telegram(parameters); -``` +@include "scl.conf" +# ... +telegram(parameters); +``` {{% include-headless "chunk/destination-http-proxy-settings.md" %}} - ## Example: Using the telegram() driver {#example-destination-mongodb} The following example creates a `telegram()` destination. ```shell - destination d_telegram { - telegram( - template("${MESSAGE}") - throttle(1) - parse-mode("markdown") - disable-web-page-preview("true") - bot-id("") - chat-id("") - ); - }; +@include "scl.conf" +# ... + +destination d_telegram { + telegram( + template("${MESSAGE}") + throttle(1) + parse-mode("markdown") + disable-web-page-preview("true") + bot-id("") + chat-id("") + ); +}; ``` - diff --git a/content/chapter-destinations/crowdstrike-falcon/_index.md b/content/chapter-destinations/crowdstrike-falcon/_index.md index 9149e0f9..86726781 100644 --- a/content/chapter-destinations/crowdstrike-falcon/_index.md +++ b/content/chapter-destinations/crowdstrike-falcon/_index.md @@ -4,6 +4,7 @@ linktitle: "logscale: Send messages to Falcon LogScale" weight: 2950 driver: "logscale()" short_description: "Send messages to Falcon LogScale" +type: http --- @@ -20,6 +21,9 @@ The `logscale()` destination feeds LogScale via the [Ingest Structured Data API] Minimal configuration: ```sh +@include "scl.conf" +# ... + destination d_logscale { logscale( token("your-logscale-ingest-token") diff --git a/content/chapter-destinations/destination-discord/_index.md b/content/chapter-destinations/destination-discord/_index.md index c5a5c18a..5c3e8ce1 100644 --- a/content/chapter-destinations/destination-discord/_index.md +++ b/content/chapter-destinations/destination-discord/_index.md 
@@ -3,6 +3,7 @@ title: "discord: Send alerts and notifications to Discord" weight: 500 driver: "discord()" short_description: "Send alerts and notifications to Discord" +type: http --- @@ -10,13 +11,15 @@ The `discord()` destination driver sends messages to [Discord](https://discord.c Available in {{% param "product.abbrev" %}} version 3.33 and later. - ## Declaration: ```shell - destination { - discord(url("https://discord.com/api/webhooks/x/y")); - }; +@include "scl.conf" +# ... + +destination { + discord(url("https://discord.com/api/webhooks/x/y")); +}; ``` By default the message sending is throttled to 5 message/sec, see [Discord: Rate Limits](https://discord.com/developers/topics/rate-limits#global-rate-limit). To change this, use the `throttle()` option. 
@@ -24,33 +27,28 @@ By default the message sending is throttled to 5 message/sec, see [Discord: Rate To use this destination, the `scl.conf` file must be included in your {{% param "product.abbrev" %}} configuration: ```shell - @include "scl.conf" +@include "scl.conf" ``` The `discord()` driver is actually a reusable configuration snippet configured to send log messages using the `http()` driver. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of this configuration snippet on GitHub. - - ## Prerequisites To send messages to Discord, you must setup webhooks. For details, see: [Discord: Intro to Webhooks](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks). - - ## Example: Using the discord() driver {#example-destination-collectd} The following example sends messages with custom avatar, and text-to-speech enabled. ```shell - @include "scl.conf" - destination d_discord { - discord( - url("https://discord.com/api/webhooks/x/y") - avatar-url("https://example.domain/any_image.png") - username("$HOST-bot") # Custom bot name, accepts macros - tts(true) # Text-to-Speech message - template("${MSG:-[empty message]}") # Message to send, can't be empty - ); - รณ} +@include "scl.conf" +destination d_discord { + discord( + url("https://discord.com/api/webhooks/x/y") + avatar-url("https://example.domain/any_image.png") + username("$HOST-bot") # Custom bot name, accepts macros + tts(true) # Text-to-Speech message + template("${MSG:-[empty message]}") # Message to send, can't be empty + ); +} ``` - diff --git a/content/chapter-destinations/destination-opensearch/_index.md b/content/chapter-destinations/destination-opensearch/_index.md index c9ee4580..c44afd52 100644 --- a/content/chapter-destinations/destination-opensearch/_index.md +++ b/content/chapter-destinations/destination-opensearch/_index.md 
@@ -3,6 +3,7 @@ title: "opensearch: Send messages to OpenSearch" weight: 3650 driver: "opensearch()" short_description: "Send messages to OpenSearch" +type: http --- @@ -12,16 +13,18 @@ The `opensearch()` destination can directly post log messages to [OpenSearch](ht HTTPS connection, as well as password- and certificate-based authentication is supported. The content of the events is sent in JSON format. - ## Declaration: ```shell - d_opensearch { - opensearch( - index("") - url("https://your-opensearch-endpoint:9200/_bulk") - ); - }; +@include "scl.conf" +# ... + +d_opensearch { + opensearch( + index("") + url("https://your-opensearch-endpoint:9200/_bulk") + ); +}; ``` ## Example: Sending log data to OpenSearch {#example-destination-opensearch} 
@@ -29,40 +32,46 @@ HTTPS connection, as well as password- and certificate-based authentication is s The following example defines an `opensearch()` destination, with only the required options. ```shell - destination opensearch { - opensearch( - index("") - url("http://my-elastic-server:9200/_bulk") - ); - }; - - - log { - source(s_file); - destination(d_opensearch_http); - flags(flow-control); - }; +@include "scl.conf" +# ... + +destination opensearch { + opensearch( + index("") + url("http://my-elastic-server:9200/_bulk") + ); +}; + + +log { + source(s_file); + destination(d_opensearch_http); + flags(flow-control); +}; ``` The following example uses mutually-authenticated HTTPS connection, templated index, and also sets some other options. ```shell - destination opensearch_https { - opensearch( - url("https://node01.example.com:9200/_bulk") - index("test-${YEAR}${MONTH}${DAY}") - time-zone("UTC") - workers(4) - batch-lines(16) - timeout(10) - tls( - ca-file("ca.pem") - cert-file("syslog_ng.crt.pem") - key-file("syslog_ng.key.pem") - peer-verify(yes) - ) - ); - }; +@include "scl.conf" +# ... + +destination opensearch_https { + opensearch( + url("https://node01.example.com:9200/_bulk") + index("test-${YEAR}${MONTH}${DAY}") + time-zone("UTC") + workers(4) + batch-lines(16) + timeout(10) + tls( + ca-file("ca.pem") + cert-file("syslog_ng.crt.pem") + key-file("syslog_ng.key.pem") + peer-verify(yes) + ) + ); +}; ``` This driver is actually a reusable configuration snippet configured to send log messages using the `http()` driver using a template. For details on using or writing such configuration snippets, see {{% xref "/chapter-configuration-file/large-configs/config-blocks/_index.md" %}}. You can find the source of this configuration snippet on [GitHub](https://github.com/axoflow/axosyslog/tree/master/scl/opensearch). 
diff --git a/content/chapter-destinations/destination-slack/_index.md b/content/chapter-destinations/destination-slack/_index.md index 44a45651..1e8b2f63 100644 --- a/content/chapter-destinations/destination-slack/_index.md +++ b/content/chapter-destinations/destination-slack/_index.md @@ -3,30 +3,31 @@ title: "slack: Send alerts and notifications to a Slack channel" weight: 5100 driver: "slack()" short_description: "Send alerts and notifications to a Slack channel" +type: http --- The `slack()` destination driver sends messages to a [Slack](https://slack.com/) channel using the Slack Web API. For the list of available optional parameters, see {{% xref "/chapter-destinations/destination-slack/reference-destination-slack/_index.md" %}}. This destination is available in version 3.19 and later. - ## Declaration: ```shell - destination d_slack { - slack( - hook-url("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX") - ); - }; +@include "scl.conf" +# ... + +destination d_slack { + slack( + hook-url("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX") + ); +}; ``` - The driver allows you to modify nearly every field of the HTTP request. For details, see the [Slack API documentation](https://api.slack.com/docs). {{% include-headless "chunk/destination-http-proxy-settings.md" %}} {{% include-headless "chunk/option-description-destination-slack-throttle.md" %}} - To use this destination, the `scl.conf` file must be included in your {{% param "product.abbrev" %}} configuration: ```shell 
@@ -35,30 +36,25 @@ To use this destination, the `scl.conf` file must be included in your {{% param The `slack()` driver is actually a reusable configuration snippet configured to send log messages using the `http()` driver. For details on using or writing such configuration snippets, see {{% xref "/chapter-configuration-file/large-configs/config-blocks/_index.md" %}}. You can find the source of this configuration snippet on [GitHub](https://github.com/axoflow/axosyslog/blob/master/scl/slack/slack.conf). - - ## Prerequisites {#slack-destination-prerequisites} To send messages and notifications from {{% param "product.abbrev" %}} to Slack, you must create a Slack app and a Webhook that {{% param "product.abbrev" %}} can use. For details, see the [Slack documentation](https://api.slack.com/incoming-webhooks). - - ## Example: Using the slack() driver {#example-destination-slack} The following example sets the colors and the author of the message. ```shell - @include "scl.conf" - - destination d_slack1 { - slack( - hook-url("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX") - colors("#000000,#222222,#444444,#666666,#888888,#AAAAAA,#CCCCCC,#EEEEEE") - color-chooser(7) - author-name("Example BOT") - author-link("https://www.syslog-ng.com/products/open-source-log-management") - author-icon("https://raw.githubusercontent.com/MrAnno/vscode-syslog-ng/master/images/syslog-ng-icon.png") - ); - }; +@include "scl.conf" + +destination d_slack1 { + slack( + hook-url("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX") + colors("#000000,#222222,#444444,#666666,#888888,#AAAAAA,#CCCCCC,#EEEEEE") + color-chooser(7) + author-name("Example BOT") + author-link("https://www.syslog-ng.com/products/open-source-log-management") + author-icon("https://raw.githubusercontent.com/MrAnno/vscode-syslog-ng/master/images/syslog-ng-icon.png") + ); +}; ``` - 
diff --git a/content/chapter-destinations/destination-sumologic-intro/_index.md b/content/chapter-destinations/destination-sumologic-intro/_index.md index dc520f3f..0aa44fe5 100644 --- a/content/chapter-destinations/destination-sumologic-intro/_index.md +++ b/content/chapter-destinations/destination-sumologic-intro/_index.md 
@@ -3,116 +3,113 @@ title: "Sumo Logic destinations: sumologic-http() and sumologic-syslog()" weight: 6300 driver: "sumologic-http(), sumologic-syslog()" short_description: "Send messages to Sumo Logic" +type: +- http +- syslog --- From version 3.27.1, the {{% param "product.name" %}} application can send log messages to [Sumo Logic](https://www.sumologic.com/), a cloud-based log management and security analytics service, by using the `sumologic-http()` and `sumologic-syslog()` destinations. - ## Prerequisites Currently, using the `sumologic-http()` and `sumologic-syslog()` destinations with {{% param "product.abbrev" %}} has the following prerequisites: - A Sumo Logic account. - + If you do not yet have a Sumo Logic account, visit [the official Sumo Logic website](https://www.sumologic.com/), and click `Start free trial` to create an account. - + {{% alert title="Note" color="info" %}} A free trial version of the Sumo Logic account has limited functionalities and is only available for 90 days. {{% /alert %}} - A [Cloud Syslog Source](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source) configured with your Sumo Logic account. - + For details, follow the configuration instructions under [the Configure a Cloud Syslog Source section](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#configure-a-cloud%C2%A0syslog%C2%A0source) on the official Sumo Logic website. - + {{% alert title="Note" color="info" %}} Transport-level security (TLS) 1.2 over TCP is required. {{% /alert %}} - A Cloud Syslog Source Token (from the Cloud Syslog Source side). - - TLS set up on your Sumo Logic account. - + For detailed information about setting up TLS in your Sumo Logic account, see [the description for setting up TLS on the Sumo Logic official website](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#set%C2%A0up-tls). 
- + {{% alert title="Note" color="info" %}} After you download the `DigiCert` certificate, make sure you follow the certificate setup steps under [the syslog-ng section](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#syslog-ng-1). {{% /alert %}} - Your Sumo Logic syslog client, configured to send data to the Sumo Logic cloud syslog service, by using {{% param "product.abbrev" %}}. - + For detailed information, follow the instructions under [the Send data to cloud syslog source with syslog-ng section](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#send-data-to%C2%A0cloud-syslog-source-with-syslog-ng) on the official Sumo Logic website. - A verified connection and client configuration with the Sumo Logic service. - + {{% alert title="Warning" color="warning" %}} To avoid potential data loss, we strongly recommend that you verify your [connection](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#verify-connection-with-sumo-service) and [client configuration](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#verify-client-configuration) with the Sumo Logic service before you start using the `sumologic-http()` or `sumologic-syslog()` destination with {{% param "product.abbrev" %}} in a production environment. {{% /alert %}} - (Optional) For using the `sumologic-http()` destination, you need a [HTTP Hosted Collector](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/HTTP-Source) configured in the Sumo Logic service. - + To configure a Hosted Collector, follow the configuration instructions under [the Configure a Hosted Collector section](https://help.sumologic.com/03Send-Data/Hosted-Collectors/Configure-a-Hosted-Collector) on the official Sumo Logic website. 
- (Optional) For using the `sumologic-http()` destination, you need the unique HTTP collector code you receive while configuring your Host Collector for HTTP requests. - - ## Limitations Currently, using the `sumologic-syslog()` and `sumologic-http()` destinations with {{% param "product.abbrev" %}} has the following limitations: - The minimum required version of {{% param "product.abbrev" %}} is version 3.27.1. - - Message format must be in [RFC 5424-compliant form](https://tools.ietf.org/html/rfc5424#page-8). Messages over 64KB in length are truncated. - + For more information about the message format limitations, see [the Message format section](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source#message-format) on the official Sumo Logic website. - 64 characters long Sumo Logic tokens must be passed in the message body. - + {{% alert title="Note" color="info" %}} Although [RFC 5424](https://tools.ietf.org/html/rfc5424) limits the structured data field ([SD-ID](https://tools.ietf.org/html/rfc5424#page-15)) to 32 characters, Sumo Logic tokens are 64 characters long. If your logging client enforces the 32 characters length limit, you must pass the token in the message body. {{% /alert %}} - - ## Declaration for the sumologic-http() destination ```shell - destination d_sumo_http { - sumologic-http( - collector("ZaVnC4dhaV3_[...]UF2D8DRSnHiGKoq9Onvz-XT7RJG2FA6RuyE5z4A==") - deployment("eu") - ); - }; +@include "scl.conf" +# ... + +destination d_sumo_http { + sumologic-http( + collector("ZaVnC4dhaV3_[...]UF2D8DRSnHiGKoq9Onvz-XT7RJG2FA6RuyE5z4A==") + deployment("eu") + ); +}; ``` - ## Declaration for the sumologic-syslog() destination ```shell - destination d_sumo_syslog { - sumologic-syslog( - token("rqf/bdxYVaBLFMoU39[...]CCC5jwETm@41123") - deployment("eu") - tls(peer-verify(yes) ca-dir('/etc/syslog-ng/ca.d')) - ); - }; +@include "scl.conf" +# ... 
+ +destination d_sumo_syslog { + sumologic-syslog( + token("rqf/bdxYVaBLFMoU39[...]CCC5jwETm@41123") + deployment("eu") + tls(peer-verify(yes) ca-dir('/etc/syslog-ng/ca.d')) + ); +}; ``` - - ## Using the sumologic() driver To use the `sumologic()` driver, the `scl.conf` file must be included in your {{% param "product.abbrev" %}} configuration: ```shell - @include "scl.conf" +@include "scl.conf" ``` - {{% alert title="Note" color="info" %}} The `sumologic()` driver is actually a reusable configuration snippet configured to send log messages using the `network()` and `http()` destination by using a template. For details on using or writing such configuration snippets, see {{% xref "/chapter-configuration-file/large-configs/config-blocks/_index.md" %}}. You can find the source of this configuration snippet on [GitHub](https://github.com/axoflow/axosyslog/blob/master/scl/sumologic/sumologic.conf). {{% /alert %}} - diff --git a/content/chapter-destinations/elasticsearch-data-stream/_index.md b/content/chapter-destinations/elasticsearch-data-stream/_index.md index dee1fa47..e17a6ca6 100644 --- a/content/chapter-destinations/elasticsearch-data-stream/_index.md +++ b/content/chapter-destinations/elasticsearch-data-stream/_index.md @@ -4,6 +4,7 @@ linktitle: "elasticsearch-datastream: Send messages to Elasticsearch data stream weight: 850 driver: "elasticsearch-datastream()" short_description: "Send messages to Elasticsearch data streams" +type: http --- @@ -12,6 +13,9 @@ Starting with version 4.8.0, {{% param "product_name" %}} can send messages and Minimal configuration: ```sh +@include "scl.conf" +# ... + destination d_elastic_data_stream { elasticsearch-datastream( url("https://elastic-endpoint:9200/my-data-stream/_bulk") 
@@ -23,7 +27,6 @@ destination d_elastic_data_stream { This driver is actually a reusable configuration snippet configured to send log messages using the `http()` driver using a template. You can find the source of this configuration snippet on [GitHub](https://github.com/axoflow/axosyslog/blob/master/scl/elasticsearch/elastic-datastream.conf). - ## Prerequisites Username and password for an account that can send data to Elasticsearch data streams. diff --git a/content/chapter-destinations/google-pubsub/_index.md b/content/chapter-destinations/google-pubsub/_index.md index 1c84ce66..7f7b5508 100644 --- a/content/chapter-destinations/google-pubsub/_index.md +++ b/content/chapter-destinations/google-pubsub/_index.md @@ -4,6 +4,7 @@ linktitle: "google-pubsub: Google Pub/Sub HTTP" weight: 1250 driver: "google-pubsub()" short_description: "Send messages to Google Pub/Sub via HTTP" +type: http --- @@ -20,6 +21,9 @@ To configure {{% param "product_name" %}}, you'll need the name of the project a Minimal configuration: ```sh +@include "scl.conf" +# ... + destination d_pubsub { google-pubsub( project("syslog-ng-project") diff --git a/content/chapter-destinations/openobserve/_index.md b/content/chapter-destinations/openobserve/_index.md index 982e6417..dffbfd6d 100644 --- a/content/chapter-destinations/openobserve/_index.md +++ b/content/chapter-destinations/openobserve/_index.md @@ -4,6 +4,7 @@ linktitle: "openobserve-log: Send messages to OpenObserve" weight: 3620 driver: "openobserve-log()" short_description: "Send messages to OpenObserve" +type: http --- {{< include-headless "banner-new-to-axosyslog.md" >}} @@ -19,6 +20,9 @@ Starting with version 4.5.0, {{% param "product_name" %}} can send messages to [ Minimal configuration: ```sh +@include "scl.conf" +# ... + destination d_openobserve { openobserve-log( url("http://your-openobserve-endpoint") 
@@ -33,6 +37,9 @@ destination d_openobserve { Example configuration: ```sh +@include "scl.conf" +# ... + destination d_openobserve { openobserve-log( url("https://api.openobserve.ai") diff --git a/content/chapter-destinations/syslog-ng-with-splunk/_index.md b/content/chapter-destinations/syslog-ng-with-splunk/_index.md index 4a2c516c..1adfe999 100644 --- a/content/chapter-destinations/syslog-ng-with-splunk/_index.md +++ b/content/chapter-destinations/syslog-ng-with-splunk/_index.md @@ -4,6 +4,7 @@ linktitle: Splunk HEC weight: 5700 driver: "splunk-hec-event()" short_description: "Send messages to Splunk HEC" +type: http --- Starting with version 4.2.0, {{% param "product_name" %}} can send messages to the Splunk HTTP Event Collector (HEC). @@ -22,6 +23,9 @@ The `splunk-hec-event()` destination feeds Splunk via the [HEC events API](https Minimal configuration: ```sh +@include "scl.conf" +# ... + destination d_splunk_hec_event { splunk-hec-event( url("https://localhost:8088") @@ -66,6 +70,9 @@ The `splunk-hec-raw()` destination feeds Splunk via the [HEC raw API](https://do Minimal configuration: ```sh +@include "scl.conf" +# ... + destination d_splunk_hec_raw { splunk-hec-raw( url("https://localhost:8088") diff --git a/content/chapter-enrich-data/data-enrichment-add-contextual-data/add-contextual-data-filters/_index.md b/content/chapter-enrich-data/data-enrichment-add-contextual-data/add-contextual-data-filters/_index.md index 799a121f..b6312b2f 100644 --- a/content/chapter-enrich-data/data-enrichment-add-contextual-data/add-contextual-data-filters/_index.md +++ b/content/chapter-enrich-data/data-enrichment-add-contextual-data/add-contextual-data-filters/_index.md 
@@ -29,7 +29,7 @@ You can also add data to messages that do not have a matching selector entry in You must store the filters you reference in a database in a separate file. This file is similar to a {{% param "product.abbrev" %}} configuration file, but must contain only a version string and filters (and optionally comments). You can use the `syslog-ng --syntax-only command to ensure that the file is valid. For example, the content of such a file can be: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} filter f_localhost { host("mymachine.example.com") }; filter f_auth { facility(4) }; filter f_kern { facility(0) }; diff --git a/content/chapter-manipulating-messages/customizing-message-format/reference-template-functions/_index.md b/content/chapter-manipulating-messages/customizing-message-format/reference-template-functions/_index.md index 46a55544..554820c8 100644 --- a/content/chapter-manipulating-messages/customizing-message-format/reference-template-functions/_index.md +++ b/content/chapter-manipulating-messages/customizing-message-format/reference-template-functions/_index.md @@ -1055,7 +1055,7 @@ The following points apply to Python parsers. The following example creates a Python template function called `return_message` that returns the MESSAGE part of the log message. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} python { def return_message(log_message): @@ -1070,7 +1070,7 @@ The following example creates a Python template function called `return_message` The following example creates a Python template function called `resolve_host` that receives an IP address as an argument, and attempts to resolve it into a hostname. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} python { import socket 
diff --git a/content/chapter-parsers/cisco-parser/_index.md b/content/chapter-parsers/cisco-parser/_index.md index 37d87afc..ccfb2c02 100644 --- a/content/chapter-parsers/cisco-parser/_index.md +++ b/content/chapter-parsers/cisco-parser/_index.md @@ -37,7 +37,7 @@ By default, the Cisco-specific fields are extracted into the following name-valu ## Declaration: ```shell -@version: {{% param "product.techversion" %}} +@version: {{% param "product.configversion" %}} @include "scl.conf" log { source { network( diff --git a/content/chapter-parsers/parser-checkpoint/_index.md b/content/chapter-parsers/parser-checkpoint/_index.md index 29c56307..135a5b7d 100644 --- a/content/chapter-parsers/parser-checkpoint/_index.md +++ b/content/chapter-parsers/parser-checkpoint/_index.md @@ -30,7 +30,7 @@ By default, the Check Point-specific fields are extracted into name-value pairs ## Declaration: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" log { source { network(flags(no-parse)); }; diff --git a/content/chapter-parsers/parser-fortigate/_index.md b/content/chapter-parsers/parser-fortigate/_index.md index 0337a9a8..e8b90b93 100644 --- a/content/chapter-parsers/parser-fortigate/_index.md +++ b/content/chapter-parsers/parser-fortigate/_index.md @@ -24,7 +24,7 @@ By default, the Fortigate-specific fields are extracted into name-value pairs pr ## Declaration: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" log { source { network(transport("udp") flags(no-parse)); }; diff --git a/content/chapter-parsers/parser-netskope/_index.md b/content/chapter-parsers/parser-netskope/_index.md index 118fa2b4..13d311e1 100644 --- a/content/chapter-parsers/parser-netskope/_index.md +++ b/content/chapter-parsers/parser-netskope/_index.md 
@@ -26,7 +26,7 @@ By default, the Netskope-specific fields are extracted into name-value pairs pre ## Declaration: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" log { source { network(flags(no-parse)); }; diff --git a/content/chapter-parsers/parser-websense/_index.md b/content/chapter-parsers/parser-websense/_index.md index 5da31f9d..80db460a 100644 --- a/content/chapter-parsers/parser-websense/_index.md +++ b/content/chapter-parsers/parser-websense/_index.md @@ -26,7 +26,7 @@ By default, the websense-specific fields are extracted into name-value pairs pre ## Declaration: ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" log { source { network(flags(no-parse)); }; diff --git a/content/chapter-parsers/python-parser/_index.md b/content/chapter-parsers/python-parser/_index.md index 5cb1ccf2..bfe67b52 100644 --- a/content/chapter-parsers/python-parser/_index.md +++ b/content/chapter-parsers/python-parser/_index.md @@ -90,7 +90,7 @@ The following sample code parses the messages of the `loggen` tool (for details, The {{% param "product.abbrev" %}} parser object references the LoggenParser class and passes a set of regular expressions to parse the loggen messages. The `init()` method of the LoggenParser class compiles these expressions into a pattern. The `parse` method uses these patterns to extract the fields of the message into name-value pairs. The destination template of the {{% param "product.abbrev" %}} log statement uses the extracted fields to format the output message. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" parser my_python_parser{ python( 
@@ -134,7 +134,7 @@ The {{% param "product.abbrev" %}} parser object references the LoggenParser cla The following example uses regular expressions to process Windows log messages received in XML format. The parser extracts different fields from messages received from the Security and the Application eventlog containers. Using the following configuration file, {{% param "product.abbrev" %}} could process about 25000 real-life Windows log messages per second. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} options { keep-hostname(yes); keep-timestamp(no); diff --git a/content/chapter-routing-filters/concepts-diskbuffer/get-information-about-disk-buffer-files/diskb-proc-sep-sysl-inst/_index.md b/content/chapter-routing-filters/concepts-diskbuffer/get-information-about-disk-buffer-files/diskb-proc-sep-sysl-inst/_index.md index e29a943a..e342e716 100644 --- a/content/chapter-routing-filters/concepts-diskbuffer/get-information-about-disk-buffer-files/diskb-proc-sep-sysl-inst/_index.md +++ b/content/chapter-routing-filters/concepts-diskbuffer/get-information-about-disk-buffer-files/diskb-proc-sep-sysl-inst/_index.md @@ -47,7 +47,7 @@ Make sure that there is sufficient disk space in the directory. The minimum reco 1. Create the configuration file `/tmp/qdisk/qdisk.conf` for the temporary instance with the following content. ```shell - @version:{{% param "product.techversion" %}} + @version:{{% param "product.configversion" %}} @include "scl.conf" options { diff --git a/content/chapter-sources/configuring-sources-journal/_index.md b/content/chapter-sources/configuring-sources-journal/_index.md index 80e55377..df3b7745 100644 --- a/content/chapter-sources/configuring-sources-journal/_index.md +++ b/content/chapter-sources/configuring-sources-journal/_index.md 
@@ -41,7 +41,7 @@ If you want to use multiple `systemd-journal()` sources in your configuration, t To send all fields through the syslog protocol, enter the prefix in the following format: "`.SDATA.`". ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_journald { systemd-journal(prefix(".SDATA.journald.")); @@ -60,7 +60,7 @@ To send all fields through the syslog protocol, enter the prefix in the followin ## Example: Filter for a specific field {#example-source-journal-filtering} ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_journald { systemd-journal(prefix(".SDATA.journald.")); @@ -82,7 +82,7 @@ To send all fields through the syslog protocol, enter the prefix in the followin ## Example: Send all fields in value-pairs {#example-source-journal-valuepairs} ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_local { systemd-journal(prefix("journald.")); diff --git a/content/chapter-sources/configuring-sources-stdin/_index.md b/content/chapter-sources/configuring-sources-stdin/_index.md index 8d21a3ec..32b29420 100644 --- a/content/chapter-sources/configuring-sources-stdin/_index.md +++ b/content/chapter-sources/configuring-sources-stdin/_index.md @@ -22,7 +22,7 @@ The `stdin()` driver causes AxoSyslog to exit once it hits end-of-file (EOF). ## Example: Using the stdin() driver ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} log { source { stdin(); }; destination { file("/dev/stdout"); }; diff --git a/content/chapter-sources/configuring-sources-systemd-syslog/_index.md b/content/chapter-sources/configuring-sources-systemd-syslog/_index.md index 96c99175..0c5a7f32 100644 --- a/content/chapter-sources/configuring-sources-systemd-syslog/_index.md 
+++ b/content/chapter-sources/configuring-sources-systemd-syslog/_index.md @@ -26,7 +26,7 @@ On platforms running systemd, the `systemd-syslog()` driver reads the log messag ## Example: Using the systemd-syslog() driver ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} source s_systemdd { systemd-syslog(); diff --git a/content/chapter-sources/source-pacct/_index.md b/content/chapter-sources/source-pacct/_index.md index 28262754..573d3819 100644 --- a/content/chapter-sources/source-pacct/_index.md +++ b/content/chapter-sources/source-pacct/_index.md @@ -28,7 +28,7 @@ The `pacct()` driver parses the fields of the accounting logs and transforms the To use the `pacct()` driver, use the following syntax. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" source s_pacct { pacct(); }; ... diff --git a/content/quickstart/configure-clients/_index.md b/content/quickstart/configure-clients/_index.md index a492a1f5..d690dc66 100644 --- a/content/quickstart/configure-clients/_index.md +++ b/content/quickstart/configure-clients/_index.md 
@@ -95,10 +95,10 @@ The default configuration of {{% param "product.abbrev" %}} has only one log sta ## Example: The default configuration file of {{% param "product.abbrev" %}} {#example-defaultconfig} -The following is the default configuration file of {{% param "product.abbrev" %}}{{% param "product.techversion" %}}. It collects local log messages and the log messages of {{% param "product.abbrev" %}} and saves them in the `/var/log/messages` file. +The following is the default configuration file of {{% param "product.abbrev" %}}. It collects local log messages and the log messages of {{% param "product.abbrev" %}} and saves them in the `/var/log/messages` file. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" source s_local { system(); internal(); @@ -116,7 +116,7 @@ The following is the default configuration file of {{% param "product.abbrev" %} The following is a simple configuration file that collects local log messages and forwards them to a logserver using the IETF-syslog protocol. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" source s_local { system(); internal(); diff --git a/content/quickstart/configure-servers/_index.md b/content/quickstart/configure-servers/_index.md index 00ec9d5c..74d4eb99 100644 --- a/content/quickstart/configure-servers/_index.md +++ b/content/quickstart/configure-servers/_index.md @@ -79,7 +79,7 @@ Starting with {{% param "product.abbrev" %}} version 3.2, the `syslog()` source The following is a simple configuration file for {{% param "product.name" %}} that collects incoming log messages and stores them in a text file. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" options { time-reap(30); 
diff --git a/content/quickstart/relaying-log-messages/procedure-configuring-syslog-ng-relays/_index.md b/content/quickstart/relaying-log-messages/procedure-configuring-syslog-ng-relays/_index.md index db8e6722..ec6fa1a5 100644 --- a/content/quickstart/relaying-log-messages/procedure-configuring-syslog-ng-relays/_index.md +++ b/content/quickstart/relaying-log-messages/procedure-configuring-syslog-ng-relays/_index.md @@ -37,7 +37,7 @@ It is recommended to use these options on your {{% param "product.abbrev" %}} se The following is a simple configuration file that collects local and incoming log messages and forwards them to a logserver using the IETF-syslog protocol. ```shell - @version: {{% param "product.techversion" %}} + @version: {{% param "product.configversion" %}} @include "scl.conf" options { time-reap(30);
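Review bot: the filters-in-database hunk (`@@ -29,7 +29,7 @@ You can also add data to messages...`) has a markup defect in its unchanged context line that is worth fixing in the same commit: `You can use the `syslog-ng --syntax-only command to ensure that the file is valid.` opens an inline code span after `use the` and never closes it, so the rest of the sentence renders as code. Close the span after `--syntax-only` while this file is being touched.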
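Review bot: the disk-buffer `qdisk.conf` hunk introduces `@version:{{% param "product.configversion" %}}` with no space after the colon, whereas every other example in this patch writes `@version: {{% param "product.configversion" %}}`. Since the point of the change is to make the version pragma in the examples uniform, normalize this one to the spaced form too so the docs show a single canonical spelling.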
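Review bot: in the configure-clients hunk the reworded sentence drops the version entirely: `The following is the default configuration file of {{% param "product.abbrev" %}}{{% param "product.techversion" %}}.` becomes `... of {{% param "product.abbrev" %}}.`. That does fix the missing space between the two params in the old text, but it also removes the only statement of which release this default configuration belongs to, and the `@version:` line below it only shows the major.minor string. If the version was meant to stay, `{{% param "product.abbrev" %}} {{% param "product.version" %}}` (with the space) keeps it without the patch number; if dropping it was intentional, say so in the commit message, since it is the one non-mechanical edit in an otherwise search-and-replace patch.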
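Review bot: because this is a mechanical replace of `product.techversion` with `product.configversion` across many files, the residual risk is an `@version:` example that was missed rather than any of the hunks shown here. Before merge, `grep -rn 'techversion' content/` should turn up only the install and image command lines; any remaining hit on an `@version:` line inside a config fence is a leftover that will show the three-component string the patch is removing.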