Copyright © 2010 BalaBit IT Security Ltd.
This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. The latest version is always available at http://www.balabit.com/support/documentation.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.
The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit.
Linux™ is a registered trademark of Linus Torvalds.
Debian™ is a registered trademark of Software in the Public Interest Inc.
Windows™ XP, 2003 Server, Vista, and 2008 Server are registered trademarks of Microsoft Corporation.
MySQL™ is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates.
Red Hat™, Inc., Red Hat™ Enterprise Linux™ and Red Hat™ Linux™ are trademarks of Red Hat, Inc.
SUSE™ is a trademark of SUSE AG, a Novell business.
Solaris™ is a registered trademark of Sun Microsystems, Inc.
AIX™, AIX 5L™, AS/400™, BladeCenter™, eServer™, IBM™, the IBM™ logo, IBM System i™, IBM System i5™, IBM System x™, iSeries™, i5/OS™, Netfinity™, NetServer™, OpenPower™, OS/400™, PartnerWorld™, POWER™, ServerGuide™, ServerProven™, and xSeries™ are trademarks or registered trademarks of International Business Machines.
Alliance Log Agent for System i™ is a registered trademark of Patrick Townsend & Associates, Inc.
All other product names mentioned herein are the trademarks of their respective owners.
Some rights reserved.
DISCLAIMER
BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
March 26, 2010
This manual is the primary documentation of the syslog-ng Agent for IBM System i application.
Welcome to the syslog-ng Agent for IBM System i Administrator Guide!
This document describes how to configure and manage syslog-ng Agent for IBM System i. Background information for the technology and concepts used by the product is also discussed.
Chapter 1, Introduction to syslog-ng Agent for IBM System i describes the main functionality and purpose of syslog-ng PE.
Chapter 2, Installation of syslog-ng Agent for IBM System i describes how to install the syslog-ng Agent in various scenarios and how to upgrade to new versions.
Chapter 3, Configuring syslog-ng Agent security audit journaling provides detailed description on configuring syslog-ng Agent security audit journaling.
Chapter 4, Configuring syslog-ng Agent for IBM System i provides detailed description on configuring and managing syslog-ng Agent for IBM System i.
Chapter 5, Send To Syslog (SNDSYSLOG) command describes the Send To Syslog command.
Chapter 6, Send To CEF log (SNDCEFLOG) command describes the Send To CEF log command.
Chapter 7, Procedure ALLSysLog describes the procedure ALLSysLog.
Chapter 8, Procedure ALLSysLog describes the procedure ALLCefLog.
Chapter 9, Configuring IBM System i Servers describes the procedure of configuring syslog-ng Agent Servers.
Chapter 10, Problem determination describes how to solve common errors and problems.
Appendix 1, QAUDJRN entry type mappings for CEF includes the text of the End-User License Agreement applicable to syslog-ng Agent for IBM System i.
Appendix 2, BalaBit syslog-ng Premium Edition License contract includes the text of the End-User License Agreement applicable to syslog-ng Agent for IBM System i.
Glossary provides definitions of important terms used in this guide.
This guide is intended for system administrators and consultants responsible for designing and maintaining logging solutions and log centers. It is also useful for IT decision makers looking for a tool to implement centralized logging in heterogeneous environments.
The following skills and knowledge are necessary for a successful syslog-ng administrator:
At least basic system administration knowledge.
An understanding of networks, TCP/IP protocols, and general network terminology.
Working knowledge of IBM System i systems.
In-depth knowledge of the logging process of various platforms and applications.
An understanding of the legacy syslog (BSD-syslog) protocol (see RFC 3164, available at http://www.ietf.org/rfc/rfc3164.txt) and the new syslog (IETF-syslog) protocol standard (see RFC 5424-5428, available at http://tools.ietf.org/html/rfc5424).
This guide describes the use of the following syslog-ng versions:
syslog-ng Agent for IBM System i
Note: The syslog-ng Agent for IBM System i is a commercial product independent from syslog-ng Premium Edition and must be licensed separately. Patrick Townsend & Associates (http://www.patownsend.com) has partnered with BalaBit IT Security (the developer of syslog-ng) to bring the syslog-ng product to the System i platform. The syslog-ng PE application can be installed and run as a service directly in the Portable Application Solutions Environment (PASE) of the System i platform. Running syslog-ng in PASE allows you to transfer the logs of your server applications that are running in the PASE to a remote syslog-ng server using UDP, TCP, or SSL-encrypted TCP connections. However, syslog-ng alone cannot access the native logs of the IBM System i; for that you need the syslog-ng Agent for IBM System i application. The syslog-ng Agent for IBM System i application provides extended support for sending security, operator, server, and user log information to a syslog-ng server, or any syslogd or syslog-ng compatible server. The syslog-ng Agent for IBM System i (also called Alliance LogAgent for System i) application can help you bring your IBM System i into your Security Information Management strategy to meet regulatory compliance requirements and to properly monitor for potential security breaches.
Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.
The following kinds of text formatting and icons identify special information in the document.
Tip: Tips provide best practices and recommendations.
Note: Notes provide additional information on a topic and emphasize important facts and considerations.
Warning: Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed.
Commands you have to execute.
Reference items, additional readings.
/path/to/file
File names.
Parameters
Parameter and attribute names.
GUI output messages or dialog labels.
A submenu in the menu bar.
Buttons in dialog windows.
The syslog-ng Premium Edition and syslog-ng Agent for Windows applications are developed and maintained by BalaBit IT Security Ltd. We are located in Budapest, Hungary. Our address is:
BalaBit IT Security Ltd.
1464 Budapest P.O. BOX 1279
Hungary
Tel: +36 1 371-0540
Fax: +36 1 208-0875
E-mail: info@balabit.com
Web: http://www.balabit.com/
You can directly contact us with sales related topics at the e-mail address <sales@balabit.com>.
To subscribe to the mailing list of the syslog-ng community, visit https://lists.balabit.hu/mailman/listinfo/syslog-ng/.
To report bugs found in syslog-ng, visit https://bugzilla.balabit.com/.
Product support, including 7x24 online support is available in various packages. For support options, visit the following page: http://www.balabit.com/support/packages/
You can register your copy of syslog-ng Premium Edition online on the BalaBit website at http://www.balabit.com/support/registration/. Registration is a prerequisite for all support services. E-mail and telephone support is available for registered users, please write or call us for details.
Support e-mail address: <support@balabit.com>.
Support hotline: +36 1 371 0540 (available from 9 AM to 5 PM CET on weekdays)
The BalaBit Online Support System is available at https://boss.balabit.com/ and offers 24 hours technical support. This system is available only for registered users with a valid support contract and a MyBalaBit account. To sign up for MyBalaBit, visit the following page: http://www.balabit.com/mybalabit/.
This guide is a work-in-progress document with new versions appearing periodically.
The latest version of this document can be downloaded from the BalaBit website at http://www.balabit.com/support/documentation/.
For news and update notifications about the syslog-ng documentation, visit the BalaBit Documentation Blog at http://robert.blogs.balabit.com.
Any feedback is greatly appreciated. General comments, errors found in the text, and any suggestions about how to improve the documentation are welcome at <documentation@balabit.com>.
syslog-ng Agent for IBM System i provides extended support for sending security, operator, server, and user log information to a Syslogd or Syslog-ng server, or any Syslogd or Syslog-ng compatible server. syslog-ng Agent for IBM System i can help you bring your IBM System i into your Security Information Management strategy to meet regulatory compliance requirements and to properly monitor for potential security breaches.
UNIX and Linux systems have long supported the collection of system and application logs under the general name of “syslogs”. Many system logs in these environments are text files that are created by various applications and services. System logs collect important information about the health of the server, and about the security environment. They are important sources of information about potential or real security threats. The format of system logs can be very informal and include just informational text. However, there is a formal standard for system logs in RFC 3164. When logs are collected by the syslog-ng Agent application they are automatically placed in the RFC 3164 syslog format.
Some Security Information Management (SIM) products use a special log format called the Common Event Format (CEF). syslog-ng Agent for IBM System i supports the CEF format for customers who want to send information directly to a log monitoring system in CEF format.
The system audit journal QAUDJRN can be configured to capture a large number of security and system management events. The syslog-ng Agent solution can capture the entries in the QAUDJRN journal in real time, format them for the Syslog or CEF format, and send them to a syslogd or Syslog-ng server. The syslog server can be running on the System i or any remote server. The IBM System i Security Reference Manual provides information on how to change system values, user profiles, and objects to capture various system change and security events.
The System i QHST message log collects important job, user, and security information. syslog-ng Agent can be configured to capture QHST entries and convert them to the security audit journal (QAUDJRN) for a permanent record of system activity. When this option is enabled, syslog-ng Agent works as a background subsystem job to collect the logs in order to avoid losing log messages due to automated system cleanup, user deletions, etc.
The system operator message queue QSYSOPR receives application and system messages. The syslog-ng Agent software can capture the messages in the QSYSOPR message queue, format them to the syslog or CEF standard, and send them to a syslog server on the same System i or to a syslog server on a remote system.
syslog-ng Agent provides an easy way to view user profile authorities and change user auditing. In addition to viewing a user's explicit authorities on the user profile, syslog-ng Agent will inspect any group profile or supplemental group profile to determine any authorities that are inherited from these users. You can then view the authorities and change the audit setting for each user. syslog-ng Agent recommends an audit level for each user and you can change the audit setting.
syslog-ng Agent provides command and API interfaces to allow a user program to create Syslog or CEF event records. User applications can provide simple text values for messages and specify the priority and facility ID for the message. Any user application can be enabled for syslog or CEF application messages.
syslog-ng Agent gives you the ability to filter the system audit journal (QAUDJRN) entries that you want to send to a central log server. This can reduce the amount of network traffic and the type of events you transmit to the server. syslog-ng Agent provides a complete list of log system security audit journal event types and the security administrator can edit the events to suppress transmission to the central log server.
Many System i customers use open source solutions such as the Apache web server, OpenSSH, Perl, or MySQL on the System i. These open source applications support normal logging functions. When enabled these applications send logs to the IFS directory /var/log. You can automatically send these logs to a Syslogd or Syslog-ng server using the Balabit Syslog-ng Open Source Edition or Premium Edition product. See the separate documentation on the Syslog-ng product.
Patrick Townsend & Associates has partnered with Balabit IT Security to bring the Syslog-ng product to the System i platform. This application can be installed and run as a service directly on the System i platform. The application runs in the Portable Application Solutions Environment (PASE). When installed on the System i the Syslog-ng server can be configured to send any logs in the IFS file system.
Syslog-ng is the next generation of server processing for system log management. Syslog-ng is available in an open source version and in a premium edition that provides additional security and management functions (see web site http://www.balabit.com/). Syslog-ng is shipped with most Linux distributions and is available for a wide variety of platforms. Syslog-ng can act in one of three roles:
As a client to collect and forward log information
As a relay to receive and forward log information
As a consolidation server to receive logs and save to a database
By consolidating logs on a central server Syslog-ng enables intelligent evaluation of system information in one location. See the separate documentation on the Syslog-ng software solutions.
Security information management systems attempt to monitor the health and security of all of the significant server systems in an Enterprise. Typically this means consolidating syslog and other information from servers in one repository, and then performing real-time analysis, reporting, and alerts of potential problems. A number of vendors provide software and appliance solutions for log analysis. These solutions include ArcSight ESM, Symantec SIM, LogLogic, CrossTec, and many others. syslog-ng Agent for IBM System i provides the solution needed to bring the System i platform into a common information management strategy.
The syslog-ng Agent for IBM System i product runs on any version of IBM OS/400 or i5/OS from V5R1 and later.
When you download the syslog-ng Agent product from the web site, you must unzip the product. Your software provider will supply a pass phrase for extracting the files. See the Readme.txt file in the download for instructions on how to copy the software to the System i using FTP. Once you transfer the Save file to the System i you will restore the library ALLSYL100.
To upgrade the syslog-ng Agent product you must first end the ALLSYL100 subsystem and rename the library:
Endsbs sbs(allsyl100) option(*immed)
Rnmobj obj(allsyl100) objtype(*lib) newobj(allsylold)
After renaming the library you can install the new version using the Internet download.
After installing the new version use the Apply Release Upgrade option on the Installation menu to copy your configuration information from the old library to the new version.
You can revert to a previous version of the product by renaming the new library to a save name, and then renaming the old version to the library ALLSYL100. This will restore the previous version.
Before you can configure and use the syslog-ng Agent agent and server you must enter a temporary or permanent license code. Please contact your software supplier to receive the license code. The Open Source Edition of the syslog server does not require a license code to operate.
If you will be sending system audit journal information to Syslog-ng you may wish to delete older journal receivers before starting the process. syslog-ng Agent collects journal entries from the beginning of the current chain of journal receivers. The date of all log entries is the date of the actual journal entry, but there may be a lot of historical information that you do not want to process. You should consider making a permanent backup of system audit journals before deleting them. Use the Work With Journal Attributes (WRKJRNA) command to view the journal receivers for the QAUDJRN journal.
You must create the System i security audit journal QAUDJRN, related journal receivers, and turn on security auditing before attempting to send security information to a log collection server or SIM solution. The full documentation is provided in the IBM publication “iSeries Security Reference”. Please refer to this document at the IBM Information Center. The following section provides a summary of the steps needed to activate security auditing.
Create the first journal receiver in a user library that is backed up on a regular basis. You can use an existing library, or you can create a library to contain the journals. The library can have public authority, but the journal receivers should exclude public authority. Use a name with a 4 or 5 digit number at the end of the name, and start with sequence number 1. The operating system will automatically increment the sequence number by 1 when creating a new journal receiver.
CRTJRNRCV
JRNRCV(MYLIB/AUDRCV0001)
THRESHOLD(100000)
AUT(*EXCLUDE)
TEXT('Auditing Journal Receiver')
Create the QAUDJRN journal in the QSYS library. You must have authority to the QSYS library and *AUDIT special authority. Use the following parameters for this journal:
CRTJRN
JRN(QSYS/QAUDJRN)
JRNRCV(MYLIB/AUDRCV0001)
MNGRCV(*SYSTEM)
DLTRCV(*NO)
AUT(*EXCLUDE)
TEXT('Auditing Journal')
You specify which types of events are collected in the QAUDJRN journal by specifying the system values for QAUDLVL and QAUDLVL2. You can view a list of all of the auditing values by prompting the values when using the WRKSYSVAL command.
Note: In V5R4 of the operating system IBM introduced some group values to make specifying audit types easier. See the notes below.
To collect basic security information you can use the *SECURITY group value like this:
CHGSYSVAL
SYSVAL(QAUDLVL)
VALUE('*SECURITY')
An alternative to using the *SECURITY group is to use the Change Security Audit (CHGSECAUD) command to set the basic security values and start auditing. Be careful, this command will create the journal and journal receiver, change the audit levels, and start audit collection. It is recommended that you specify the actual values with the Change System Value command rather than the Change Security Audit command.
If you want to collect more extensive security information you can add the values PGMFAIL, AUTFAIL, PGMADP, SAVRST, OFCSRV, and SERVICE:
CHGSYSVAL
SYSVAL(QAUDLVL)
VALUE('*SECURITY *PGMFAIL *AUTFAIL *PGMADP *SAVRST *OFCSRV *SERVICE')
Certain data security regulations require that you monitor for system changes. To collect events for system changes you can add the values CREATE, DELETE, OBJAUD, OBJMGT, OPTICAL, and SAVRST:
CHGSYSVAL
SYSVAL(QAUDLVL)
VALUE('*SECURITY *AUTFAIL *NETCMN *SAVRST *OFCSRV *SERVICE *CREATE *DELETE *OBJAUD *OBJMGT *OPTICAL')
There is a limit to the number of values you can specify in the QAUDLVL system value. Use the *AUDLVL2 special value to indicate that additional values are to be found in the QAUDLVL2 system value.
You should consider auditing the activities of any user with security administrator, all object, or service authority. You can use the syslog-ng Agent configuration option to review user auditing and make changes. Or, you can turn on user auditing with the Change User Audit (CHGUSRAUD) command. Use this command to enable the highest level of monitoring for any IBM provided profile and any profile that you create with special authorities such as *SECADM, *SERVICE, or *ALLOBJ:
CHGUSRAUD
USRPRF(QSECOFR)
AUDLVL(*ALL)
Repeat this process for all privileged users.
To audit access to any file containing sensitive data such as credit card numbers, social security numbers, etc., use the Change Object Audit command (CHGOBJAUD). You may also want to audit access to files that contain configuration information. For IFS files use the Change Audit (CHGAUD) command. For QDLS files use the Change DLO Audit (CHGDLOAUD) command.
CHGOBJAUD
OBJ(MYLIB/MYFILE)
OBJTYPE(*FILE)
OBJAUD(*ALL)
CHGAUD
OBJ('/mydirectory/*')
OBJAUD(*ALL)
CHGDLOAUD
FOLDER(MYFOLDER)
OBJAUD(*ALL)
Note: You must specify the value
You may have programs that adopt special authority or which perform sensitive functions. A program that adopts the QSECOFR profile authority, or which maintains salary data are examples of this type of program. You can make a list of programs that adopt authority by using the Display Program Adopt (DSPPGMADP) command. Use the CHGOBJAUD command to start auditing:
CHGOBJAUD
OBJ(MYLIB/MYPROGRAM)
OBJTYPE(*PGM)
OBJAUD(*ALL)
Note: You must specify the value
Use the Work With System Values command to establish the action to take if the system cannot write to the security audit journal. It is unlikely that this will occur, but you should set a value for this event.
CHGSYSVAL
SYSVAL(QAUDENDACN)
VALUE('*NOTIFY')
Use the WRKSYSVAL command to establish how often journal records are written to disk. The smaller the value, the less likely the loss of journal entries, but the more impact journaling has on system performance. For most users the value of *SYS will provide a balance between performance and log collection reliability. For maximum security set the value to 1.
CHGSYSVAL
SYSVAL(QAUDFRCLVL)
VALUE(*SYS)
CHGSYSVAL
SYSVAL(QAUDFRCLVL)
VALUE(1)
The system value QAUDCTL controls the actual collection of system events to the QAUDJRN security journal. You must change this system value to indicate that event collection should start. Use the CHGSYSVAL command to enable security auditing:
CHGSYSVAL
SYSVAL(QAUDCTL)
VALUE('*AUDLVL')
Configuring the syslog-ng Agent applications involves configuring the global options for collecting and sending syslog messages, and configuring the communications client application to talk to the syslog server. Use the following options to configure global options and the communications client.
After installing the Alliance LogAgent for System i product and entering a license code, you can configure the agent applications. You can display the main menu by adding the ALLSYL100 library to your library list and displaying the main menu:
Addlible allsyl100
Go symain
The following menu is displayed:
Select an option to begin work.
Select the option for , then select the option to . The following panel is displayed:
Enter 1 for Yes to enable diagnostic logging. When diagnostic logging is enabled the job descriptions are set for maximum job logs. Enter 2 for No to disable application logging.
Enter 1 for Yes to enable sending QAUDJRN messages to a syslog server. When enabled the system security audit journal reader job will be started in the Alliance subsystem ALLSYL100. Enter 2 for No to not send audit journal entries to the syslog server.
Enter 1 for the older first version of Alliance LogAgent interface. Enter 2 to use the Common Event Format (CEF) for the interface. Enter 3 for the advanced version of the interface which provides messages in RFC3164 format. Option 3 is recommended.
Enter 1 for Yes to transmit the log events to a log collection server or SIM product. Enter 2 for No to not transmit logs.
Enter 1 for Yes to use data queue control. Enter 2 for No to not use data queue control. Option 1 for data queue control is recommended if you are transmitting log entries to a log collection server.
Enter 1 for Yes to enable sending QSYSOPR messages to a syslog server. Enter 2 for No to not send QSYSOPR messages to the syslog server.
If you select the option to send QSYSOPR messages to a syslog server enter the name of the message queue. The default is QSYSOPR.
Enter 1 to enable collection of QHST messages to the system security audit journal QAUDJRN. Enter 2 to not collect QHST messages to the security audit journal. You must restart the ALLSYL100 subsystem to start collecting messages. When enabled the job QHST will start as a subsystem job.
QHST messages are written to the QAUDJRN security journal. Enter the user defined entry type in this field. This is a numeric value from 00 to 99.
Enter option 1 to create log messages in the Syslog format (RFC 3164). Enter option 2 to create log messages in Common Event Format (CEF). Enter option 3 for Advanced RFC 3164 format. Option 3 is the recommended option.
Enter 1 for Yes to automatically start the syslog-ng Premium Edition application in the Alliance subsystem environment. Enter 2 for No to not start the syslog-ng application.
Note: You must first install the syslog-ng application from the Alliance Configuration menu, and you must configure it to collect logs.
Enter 1 for Yes to capture log events to a physical file. Enter 2 for No to not capture to a physical file. Option 2 is the default value.
If you selected the option to log to a physical file, enter the file name, library name, and member name in this field.
In order to send syslog entries to a syslog server you must configure the Alliance TCP client communications. From the menu take the option to . The following panel is displayed.
Three sample configurations are displayed. The first sample uses standard TCP sockets to send syslog records to a Syslog-ng server. The second sample sends log records to a Syslogd server using standard UDP communications. The third sample uses SSL/TLS TCP sockets to send syslog records to a Syslog-ng server using secure SSL communications.
Use option 2 to change a configuration. Use option 3 to copy the configuration to a new definition. Use option 4 to delete a configuration. Use option 6 to print the configuration details.
When you select option 2 to change the TCP client configuration the following panel is displayed:
The name of this configuration.
Enter a description for this configuration.
Enter 1 for Active or 2 for Inactive. When the status is inactive the TCP client application will not be enabled.
Enter 1 for Yes to automatically start the TCP client communications when the ALLSYL100 subsystem starts. Enter 2 for No to not automatically start the TCP client. Normally you will want to automatically start the TCP client application when the subsystem starts.
Enter the DNS name for the syslog server. You can use the next field for the IP address if you do not have a DNS name for the server.
Enter the IP address of the syslog server if you do not have a DNS name.
Enter the port number for the syslog server. Consult with your network administrator for the port number. This will be the port number for the source syslog TCP service.
Enter 1 for Yes to enable application logging. Enter 2 for No to not enable application logging. When this option is enabled detailed log records are written to the file ALLOGA. These log entries are not sent to the syslog server.
If this client application will use secure SSL/TLS communications enter an Application ID. You can use the IBM Digital Certificate Manager to create certificates and associated Application IDs.
Enter 1 for Yes to enable certificate passthrough. Enter 2 for No to not allow certificate passthrough. Enabling certificate passthrough disables certificate validity checking, but still does not allow unsecured connections.
Use this option to define user-created QAUDJRN journal entries. When a user application sends an entry to the security journal QAUDJRN a user-defined journal entry type is used. This is a two-character value and is different than the journal entry types that are created by i5/OS. In order to report these events you need to define them with this option and provide text and severity values. You must be QSECOFR to access this option.
Enter a description for this journal entry type
The type indicates whether the event is a system provided event or a user defined event. This is an output field only.
Enter the text to be used with the log message. This text should be a brief description of the event type.
Enter a value for the severity of this event type. The lower the value, the higher the severity level of the message.
Enter a facility ID for this event type. See the documentation in RFC 3164 for information on facility IDs. Since the priority of an event is calculated by combining the severity with the facility, the lower the facility number the higher the severity of the message.
If you are reporting log events in the Common Event Format enter the CEF severity level. The higher the severity number the more severe the event.
Enter a signature number for this event type. Alliance uses signature values from 1000 to 1999 so you should avoid signature values in this range.
Enter 1 for Yes to send this type of event to a log server. Enter 2 for No to suppress sending this event type to the log server. The default is Yes.
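The severity, facility, CEF severity and signature fields above determine what a log server receives. The following added example (not code from the product or this guide) shows how RFC 3164 combines facility and severity into the PRI value, how a collector recovers them, and how a CEF header is built; the host name, tag, vendor and product strings, facility 13 and signature 2001 are constructed sample values.

```python
import re
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# Signature range the guide says the product uses for its own events.
RESERVED_SIGNATURES = range(1000, 2000)


def encode_pri(facility, severity):
    """RFC 3164 PRI = facility * 8 + severity (facility 0-23, severity 0-7)."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return divmod(pri, 8)


def format_rfc3164(facility, severity, when, host, tag, text):
    """Build '<PRI>Mmm dd hh:mm:ss HOST TAG: text'; the day is space padded."""
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{stamp} {host} {tag}: {text}"


LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_rfc3164(line):
    """Collector-side check: recover facility and severity from a line."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError("not an RFC 3164 line")
    facility, severity = decode_pri(int(match.group(1)))
    return {"facility": facility, "severity": severity,
            "timestamp": match.group(2), "host": match.group(3),
            "message": match.group(4)}


def check_user_signature(signature):
    """Reject user-defined signatures that fall in the product's own range."""
    if signature in RESERVED_SIGNATURES:
        raise ValueError("signatures 1000-1999 are used by the product")
    return signature


def cef_header_field(value):
    """In CEF header fields, backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_extension_value(value):
    """In CEF extension values, backslash, '=' and newlines must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\n", "\\n"))


def format_cef(vendor, product, version, signature, name, severity, extension):
    """CEF:0|vendor|product|version|signature|name|severity|key=value ...
    CEF severity runs 0..10 and, unlike syslog, higher means more severe."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    fields = [vendor, product, version,
              check_user_signature(signature), name, severity]
    header = "|".join(["CEF:0"] + [cef_header_field(str(f)) for f in fields])
    ext = " ".join(f"{key}={cef_extension_value(str(val))}"
                   for key, val in extension.items())
    return f"{header}|{ext}"


# Constructed sample: a user-defined journal entry type reported both ways.
SAMPLE_TIME = datetime(2010, 3, 26, 10, 15, 2)
SAMPLE_LINE = format_rfc3164(13, 5, SAMPLE_TIME, "SYSTEMI", "QAUDJRN",
                             "U1 payroll file changed")
SAMPLE_CEF = format_cef("ExampleVendor", "ExampleProduct", "1.0", 2001,
                        "Payroll file | changed", 7,
                        {"suser": "QSECOFR", "msg": "rate=42"})

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_rfc3164(SAMPLE_LINE))
    print(SAMPLE_CEF)
```
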
Use this option to start the Edit File (EDTF) command to edit the syslog-ng.conf configuration file in the IFS directory. You can add new sources, destinations, filters and other configuration definitions to the file. Please consult the syslog-ng Administration guide for information on how to configure syslog-ng options.
Use this option to view user profile security and audit settings, and to make changes to use audit options. This option will build a list of user profiles, resolve the group profile and supplemental group profile authorities, and recommend changes to user auditing settings. All users with a high level of security and object privileges should have user auditing enabled. syslog-ng Agent will recommend that users with security administration and all object authorities have the maximum level of user auditing enabled. Users with programmer or system operator privileges will be recommended for a medium amount of user auditing.
Use this field to view, print, or change the audit level for a user profile.
The user profile name.
The description of the user from the user profile. Only the first 40 bytes of the description are displayed.
The authority level assigned by syslog-ng Agent for this user. Any user with security officer, security administrator, system configuration, service, or all object authority will be classified as having a high level of authority. Programmers, system operators, and any user with job control authority will be classified as having a medium level of authority. All other users will be classified as having a low level of authority.
The value Group indicates that some of this user's authority is received from a Group Profile on their user profile. The value Supp indicates that some of this user's authority was inherited from a profile in the supplemental group for this user. The value of Both indicates that some of this user's authority was inherited from both the group profile and profiles in the supplemental group.
syslog-ng Agent will suggest changes to user auditing if auditing is not already enabled. The value *ALL will be assigned to users with a high level of authority. The value of *CHANGE will be assigned to users with a medium level of authority. You can use options 13, 14, and 15 to change a user's authority to the value you think appropriate.
When you use option 5 to view a user the following panel is displayed.
This is the description from the user profile.
These values indicate the class of the user profile.
Note: The values may be inherited from a group profile or a profile in the supplemental group for this user.
These values indicate the special authorities of the user.
Note: The values may be inherited from a group profile or a profile in the supplemental group for this user.
This is the second panel when displaying user information.
This value is 1 if some of this user's authority is adopted from the group profile.
This value is 1 if some of this user's authority is adopted from a supplemental group profile.
This value indicates the class of this user. This value is not affected by the group profile or profiles in a supplemental group.
The group profile for this user.
The user profiles in the supplemental group for this user.
A list of special authorities for this user.
The current setting for user auditing for this user.
Use this option to associate the message severities in the QSYSOPR message queue with syslog severity values. Alliance provides a default set of mappings between the severity of a message in QSYSOPR to the severity of the event reported to the syslog server. You can use this option to change these default mappings.
Enter 2 to change, 4 to delete, or 6 to print the severity mapping. It is recommended that you do not delete entries in this table.
Use this panel to add or change a mapping between QSYSOPR message severity to syslog facility and severity.
Enter a description for this mapping.
Enter a syslog facility value for this mapping. Refer to the open standard document RFC3164 for a definition of facility values.
Enter a value for the severity of this message. Refer to the open standard document RFC3164 for a definition of value severities.
Use this option to define the starting point for the QAUDJRN extraction and reporting process. After installation syslog-ng Agent will start with the first entry in the first QAUDJRN journal receiver. You may wish to skip some of the older events. You can do this by specifying a starting journal sequence number and journal receiver.
To determine the name of the QAUDJRN journal receiver, use the Work With Journal Attributes (WRKJRNA) command for the journal QAUDJRN. This command will show you the name of the currently attached journal receiver.
Enter the starting sequence number. This is a 20 digit sequence number. You set this value to 1 to start at the beginning of a journal receiver. syslog-ng Agent will detect that the starting sequence number of a specific journal is larger and will start at the actual first entry in the journal receiver. You can use the Display Journal Receiver Attribute (DSPJRNRCVA) command to view the first sequence number in the journal.
Enter the starting journal receiver and library. If you leave this field blank syslog-ng Agent will use the first available journal receiver. If you specify a journal receiver name, syslog-ng Agent will start with this journal receiver.
You can enter a starting date for the journal entries. This field is optional. Enter the date in mm/dd/yyyy format. For example: 2/5/2010.
You can enter a starting time for the journal entries. This field is optional, but you must enter a date if you wish to specify a starting time. Enter the time in hh:mm:ss format. For example: 12:00:00.
After configuring the global options and a TCP communications client, you must start the Alliance subsystem ALLSYL100 to start collecting logs. On the configuration menu take the option to Start Syslog Subsystem. The following panel is displayed:
Press Enter to start the subsystem. Depending on the configuration options you have selected, the following jobs will appear in the subsystem:
Extracts messages from QSYSOPR and sends to the internal Syslog.
Extracts audit journal entries and sends to the internal Syslog queue.
Receives Syslog messages from the Syslog queue and uses TCP or SSL/TLS TCP to send to a local or remote instance of Syslog-ng server.
You can use options on the menu to view active jobs in the Alliance ALLSYL100 subsystem, and to end the subsystem. You can also end the subsystem ALLSYL100 manually using the End Subsystem (ENDSBS) command with the *IMMED option.
Note: The first time you start the Alliance subsystem the audit journal and operator message queue processes will begin collecting information starting from the earliest message. If there is a substantial amount of history in the journal or message queue it may take time for these messages to be sent to the Syslog-ng server.
Once you have the configuration the way you want you can automate the start of the ALLSYL100 subsystem by modifying the IPL start up program. The name of the IPL start up program is stored in system value QSTRUPPGM. The program is usually QSTRUP in library QGPL. You can modify this program to add the following statements to start the ALLSYL100 subsystem:
QSYS/STRSBS SBSD(ALLSYL100/ALLSYL100)
MONMSG MSGID(CPF0000)
You should place these statements after any commands that start the TCP/IP network services.
If you do not have the source for the QSTRUP program you can retrieve the source using the Retrieve CL Source (RTVCLSRC) command.
The application maintenance option can be used to purge information from the internal diagnostic logs, historical information, and to re-organize any physical files used by the Alliance application. From the main menu take the option for Application Maintenance, then option 1 to run maintenance. The following panel is displayed:
Enter the date in YYYYMMDD format to indicate the retention date. Log and historical information more recent than this date will be retained. All physical files will be re-organized. Note that you should run this option when the Alliance subsystem ALLSYL100 is not active.
You can manually clear Alliance diagnostic log information with the following command:
clrpfm file(allsyl100/alloga)
This command only clears the internal Alliance logs and does not delete any Syslog information.
The View Application Logs option can be used to view internal Alliance application logs such as the TCP or SSL/TLS TCP application log. From the main menu take the option for Inquiry, then option 1 to view the log. The following panel is displayed:
Use option 5 to view the log or option 6 to print the log. For large logs it is recommended that you use option 6 to print the log and then use the Work With Spooled Files (WRKSPLF) command to view the report.
Note: The application logs only contain internal Alliance diagnostic information and do not contain Syslog information that has been collected.
You can use the Send To Syslog (SNDSYSLOG) command to generate your own entries to Syslog-ng. The command can be run from a command line, but you will probably want to use it in your application programs. The command can be added to any CL program to enable your applications to write to the Syslog-ng server. Note that the library ALLSYL100 must be in your library list in order to use the SNDSYSLOG command.
SNDSYSLOG PRIORITY( priority-number )
          FACILITY( facility-number )
          DATE( date )
          TIME( time )
          HOST( host-name | blank )
          TAG( tag-name )
          MSG( application-message )
          JOB( job-name )
          USER( user-name )
          JOBNO( job-number )
Table 5.1. Command parameters
This is the Syslog priority number in the range of 0 to 7. See the documentation in RFC 3164 for information on the meanings of the priority number.
This is the Syslog facility number in the range of 0 to 23. See the documentation in RFC 3164 for information on the meanings of the facility number.
Provide the date in the format CCYYMMDD where CC is the Century, YY is the year, MM is the month, and DD is the day. This is a character field.
Provide the time in the format HHMMSS using 24-hour time notation.
Provide the host name or the IP address of the host. If you leave this field blank Alliance will use system name from the Network Attributes. Use the Display Network Attributes (DSPNETA) command to view the system name.
Enter the application name or tag name you want to use for this Syslog entry.
Enter a message to be included in the Syslog entry. The message can be up to 1024 bytes in length. Note that the maximum length of a Syslog entry, including the priority, date, host, tag, and message fields is 1024 bytes. If the resulting message is longer than 1024 bytes it will be truncated to this length and no error message will be sent.
Enter the job name for this Syslog entry. This is an optional field.
Enter the user name for this Syslog entry. This is an optional field.
Enter the job number for this Syslog entry. This is an optional field.
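The silent truncation described for MSG is easy to hit, because the priority, date, host and tag share the same 1024 bytes. The following Python check is an added example, not code from this guide or the Alliance product: it validates the SNDSYSLOG field ranges and reports how many bytes would be cut. It assumes the entry is framed as an RFC 3164 line in single-byte ASCII; the function names and the SYSNAME fallback are hypothetical.

```python
from datetime import datetime

MAX_ENTRY_BYTES = 1024  # total entry limit stated in the guide
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def build_header(priority, facility, date, time, host, tag,
                 system_name="SYSNAME"):
    """Validate the SNDSYSLOG-style fields and return the text before MSG.

    system_name stands in for the name DSPNETA would report when HOST is
    blank (assumption: the value here is a constructed placeholder).
    """
    if not 0 <= priority <= 7:
        raise ValueError("PRIORITY must be in the range 0 to 7")
    if not 0 <= facility <= 23:
        raise ValueError("FACILITY must be in the range 0 to 23")
    if not (len(date) == 8 and date.isascii() and date.isdigit()):
        raise ValueError("DATE must be 8 digits in CCYYMMDD format")
    if not (len(time) == 6 and time.isascii() and time.isdigit()):
        raise ValueError("TIME must be 6 digits in HHMMSS format")
    # strptime rejects impossible values such as 20100230 or 250000.
    stamp = datetime.strptime(date + time, "%Y%m%d%H%M%S")
    # RFC 3164: PRI = facility * 8 + severity (the guide's "priority").
    pri = facility * 8 + priority
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day padded with a space.
    ts = f"{MONTHS[stamp.month - 1]} {stamp.day:2d} {stamp:%H:%M:%S}"
    host = host.strip() or system_name
    return f"<{pri}>{ts} {host} {tag}: "


def msg_budget(priority, facility, date, time, host, tag,
               system_name="SYSNAME"):
    """Bytes left for MSG once the header is counted against the limit."""
    header = build_header(priority, facility, date, time, host, tag,
                          system_name)
    return MAX_ENTRY_BYTES - len(header.encode("ascii", "replace"))


def build_entry(priority, facility, date, time, host, tag, msg,
                system_name="SYSNAME"):
    """Return (entry_bytes, lost_bytes).

    lost_bytes > 0 means that many trailing bytes of MSG would be cut
    without any error being reported.
    """
    header = build_header(priority, facility, date, time, host, tag,
                          system_name)
    entry = (header + msg).encode("ascii", "replace")
    lost = max(0, len(entry) - MAX_ENTRY_BYTES)
    return entry[:MAX_ENTRY_BYTES], lost


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    args = (5, 4, "20100205", "120000", "AS400A", "PAYROLL")
    print(build_entry(*args, "batch complete"))
    print("room left for MSG:", msg_budget(*args))
    print("bytes lost with a 1024-byte MSG:",
          build_entry(*args, "A" * 1024)[1])
```

Calling msg_budget before SNDSYSLOG lets an application split or shorten a message itself instead of losing its tail.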
You can use the Send To CEF (SNDCEFLOG) command to generate your own entries to ArcSight ESM or compatible server. The command can be run from a command line, but you will probably want to use it in your application programs. The command can be added to any CL program to enable your applications to write to the ArcSight ESM server. Note that the library ALLSYL100 must be in your library list in order to use the SNDCEFLOG command.
SNDCEFLOG HOST( Host-name or IP address )
          DATE( date )
          TIME( time )
          VENDOR( vendor-name )
          PRODUCT( product-name )
          VERSION( product-version )
          SIGNATURE( signature-number )
          MSG( application-message )
          SEVERITY( event-severity )
          EXTENSION( extended-message )
          JOB( job-name )
          USER( user-name )
          JOBNO( job-number )
Table 6.1. Command parameters
Provide the host name or the IP address of the host. If you leave this field blank Alliance will use system name from the Network Attributes. Use the Display Network Attributes (DSPNETA) command to view the system name.
Provide the date in the format CCYYMMDD where CC is the Century, YY is the year, MM is the month, and DD is the day. This is a character field.
Provide the time in the format HHMMSS using 24-hour time notation.
Enter the vendor name for this event. The vendor name should be your company name for any user applications, or the name of your software provider if the message is for a vendor software solution.
Enter the name of the software product for this event.
Enter the version number for the software product.
Enter a unique signature value for this event. This value should be unique for this type of event. You should use signature values in the range of 1000 to 1999.
Enter a message to be included in the log entry. The message can be up to 512 bytes in length. Please note that the maximum length of a log entry, including all fields is 1024 bytes. If the resulting message is longer than 1024 bytes it will be truncated to this length and no error message will be sent.
Enter a severity value from 0 to 10 with 0 being the lowest severity and 10 being the highest severity.
Enter additional text for this message.
Enter the job name for this Syslog entry. This is an optional field.
Enter the user name for this Syslog entry. This is an optional field.
Enter the job number for this Syslog entry. This is an optional field.
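CEF header fields are separated by pipe characters, so application text placed in VENDOR, PRODUCT or MSG can shift the fields a receiver parses unless it is escaped first. The following Python example is added here and is not code from this guide or the Alliance product: it checks the SNDCEFLOG value ranges given above and escapes the text the way the CEF format expects. It assumes the standard `CEF:0|vendor|product|version|signature|name|severity|extension` layout with MSG in the name field and EXTENSION carried under the CEF `msg` key; how the agent itself lays out and escapes these fields is not described on this page, and all function names are hypothetical.

```python
MAX_MSG_BYTES = 512  # MSG limit stated in the guide


def esc_header(value):
    """Escape backslash and pipe; flatten line breaks in a header field."""
    value = value.replace("\\", "\\\\").replace("|", "\\|")
    return value.replace("\r", " ").replace("\n", " ")


def esc_extension(value):
    """Escape backslash and '='; encode line breaks as the two chars \\n."""
    value = value.replace("\\", "\\\\").replace("=", "\\=")
    return (value.replace("\r\n", "\\n")
                 .replace("\r", "\\n")
                 .replace("\n", "\\n"))


def build_cef(vendor, product, version, signature, msg, severity,
              extension=""):
    """Validate SNDCEFLOG-style values and return one CEF record."""
    if not 1000 <= signature <= 1999:
        raise ValueError("SIGNATURE should be in the range 1000 to 1999")
    if not 0 <= severity <= 10:
        raise ValueError("SEVERITY must be in the range 0 to 10")
    if len(msg.encode("ascii", "replace")) > MAX_MSG_BYTES:
        raise ValueError("MSG is longer than 512 bytes")
    header = "|".join([
        "CEF:0", esc_header(vendor), esc_header(product),
        esc_header(version), str(signature), esc_header(msg),
        str(severity),
    ])
    ext = "msg=" + esc_extension(extension) if extension else ""
    return header + "|" + ext


def split_fields(line, limit=7):
    """Split a CEF record on unescaped pipes, as a receiver would.

    After `limit` separators the remainder is the extension field.
    """
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if ch == "|" and len(fields) < limit:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


if __name__ == "__main__":
    # Constructed sample values; the MSG text contains a pipe on purpose.
    record = build_cef("Acme", "Payroll", "1.0", 1001,
                       "Login failed|user=admin", 9, "src=10.0.0.1\nretry")
    print(record)
    print("severity as parsed:", split_fields(record)[6])
```

Without the escaping, a receiver splitting the same record would read `user=admin` as the severity field.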
You can use the Alliance procedure ALLSysLog in any ILE application to create entries for Syslog-ng. The service program ALLSYSLOG in library ALLSYL100 can be bound to your application to provide an interface to this procedure.
ALLSysLog(ULONG* pulPriority,
ULONG* pulFacility,
UCHAR* pcaTimestamp,
UCHAR* pcaHost,
UCHAR* pcaTag,
UCHAR* pcaContent,
ULONG* pulConvertOpt,
UCHAR* pcaConvertTable,
UCHAR* pcaMessage,
ULONG* pulMessageLen,
ULONG* pulReturn);
d Priority s 8b 0 inz(0)
d Facility s 8b 0 inz(0)
d Timestamp s 32a
d Host s 64a
d Tag s 64a
d Content s 2048a
d ConvertOpt s 8b 0 inz(0)
d ConvertTbl s 32a inz('ANEB2AS *LIBL')
d Message s 2048a
d MessageLen s 8b 0 inz(0)
d ReplyCode s 8b 0 inz(0)
Callb(d) 'ALLFmtLog'
Parm Priority
Parm Facility
Parm Timestamp
Parm Host
Parm Tag
Parm Content
Parm ConvertOpt
Parm ConvertTbl
Parm Message
Parm MessageLen
Parm ReplyCode
See the documentation for the SNDSYSLOG command for information on the values of the parameters for this procedure.
You can use the Alliance procedure ALLCefLog in any ILE application to create log entries for ArcSight ESM. The service program ALLCEF in library ALLSYL100 can be bound to your application to provide an interface to this procedure.
ALLCefLog(ULONG* pcaHost,
UCHAR* pcaTimestamp,
UCHAR* pcaDeviceVendor,
UCHAR* pcaDeviceProduct,
UCHAR* pcaDeviceVersion,
UCHAR* pcaSignature,
UCHAR* pcaContent,
ULONG* pulSeverity,
UCHAR* pcaExtension,
ULONG* pulConvertOpt,
UCHAR* pcaConvertTable,
UCHAR* pcaMessage,
ULONG* pulMessageLen,
ULONG* pulReturn)
d Host s 65a
d Timestamp s 32a
d Vendor s 33a
d Product s 33a
d Version s 33a
d Signature s 33a
d Content s 2048a
d Severity s 8b 0 inz(0)
d Extension s 1024a
d ConvertOpt s 8b 0 inz(0)
d ConvertTbl s 32a inz('ANEB2AS *LIBL')
d Message s 2048a
d MessageLen s 8b 0 inz(0)
d ReplyCode s 8b 0 inz(0)
Callb(d) 'ALLFmtCef'
Parm Host
Parm Timestamp
Parm Vendor
Parm Product
Parm Version
Parm Signature
Parm Content
Parm Severity
Parm Extension
Parm ConvertOpt
Parm ConvertTbl
Parm Message
Parm MessageLen
Parm ReplyCode
See the documentation for the SNDSYSLOG command for information on the values of the parameters for this procedure.
To enable logging in the Apache server, use the Work With Links (WRKLNK) command to edit the httpd.conf file in the /www/(server-name)/conf directory. You will need to add a “LogCycle” directive in order to force the Apache server to create one file. Without this directive the log files will have an appended time stamp and the syslog-ng application will not be able to process them. After updating the configuration file, stop and restart the Apache web server instance with the Start TCP Server (STRTCPSVR) command.
LogCycle Off
CustomLog logs/access_log combined
You must now configure a source to read the file in syslog-ng. Apache logs will generally be placed in the /www/(server-name)/logs directory. Consult the syslog-ng documentation for instructions on how to configure syslog-ng to read the log file.
To enable logging in the OpenSSH server, use the Work With Links (WRKLNK) command to edit the sshd_config file in the /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/etc directory like this:
SyslogFacility AUTH
LogLevel INFO
Consult the documentation on the OpenSSH web site (http://www.openssh.org) for other syslog options.
After changing the sshd_config file you must create an empty log file. Sign on as QSECOFR, use the STRQSH shell, and use the following commands:
mkdir /var/adm
touch /var/adm/sshlog
You must now configure a source to read the file in syslog-ng. Consult the syslog-ng documentation for instructions on how to configure syslog-ng to read the log file.
A number of other open systems and proprietary applications can be deployed on the syslog-ng Agent including MySQL, PHP, Perl, and others. Most of these types of applications can be enabled to collect system logs. Please consult the documentation for these servers on the steps to take to start collecting logs. Once logging is active you can configure a “source” statement in Syslog-ng to capture the logs.
In the event you have difficulties with a syslog-ng Agent application, the following procedures may be helpful.
When syslog-ng Agent encounters a problem processing a Syslog transaction it may send a message to the system operator message queue. Use the DSPMSG command to view these messages. Many of the messages have second level text. You can use F1 or the HELP key to view this text.
The Alliance TCP client applications will create extra diagnostic information when the option for application logging is enabled. You should restart the subsystem when changing the logging option. When application logging is enabled there will be additional information written to the job log and to output spooled files in the job.
The following table describes the default system security audit journal (QAUDJRN) mappings for the severity of messages assigned to Common Event Format (CEF) messages. You can use the Work With Security Types option on the configuration menu to change these values.
| Sev | Description |
|---|---|
| 7 | Auditing change |
| 9 | Authority failure |
| 6 | Obtaining adopted authority |
| 4 | Attribute changes |
| 7 | Authority changes |
| 3 | Command string audit |
| 4 | Create object |
| 10 | User profile changed, created, or restored |
| 3 | Change of *CRQD object |
| 3 | Cluster operations |
| 3 | Connection verification |
| 10 | Cryptographic configuration |
| 2 | Directory server |
| 5 | Delete object |
| 10 | DST security password set |
| 7 | System environment variables |
| 3 | Generic record |
| 2 | Socket description given to another job |
| 2 | Interprocess communication |
| 7 | IP rules action |
| 3 | Internet security management |
| 9 | Change to user parameter of job description |
| 3 | Actions that affect jobs |
| 9 | Key ring file |
| 3 | Link, unlink, or look up directory entry |
| 3 | Office services mail action |
| 8 | Network attribute changed |
| 8 | APPN directory search filter violation |
| 8 | APPN end point filter violation |
| 3 | Object move or rename |
| 7 | Object restore |
| 7 | Object ownership changed |
| 5 | (Optical access) Single file or directory |
| 5 | (Optical access) Dual file or directory |
| 5 | (Optical access) Volume |
| 8 | Program changed to adopt authority |
| 7 | Change of an object's primary group |
| 2 | Printed output |
| 7 | Profile swap |
| 10 | Invalid user or password |
| 7 | Authority change during restore |
| 8 | Restoring job description with user profile specified |
| 8 | Change of object owner during restore |
| 8 | Restoring adopted authority program |
| 8 | Restoring a *CRQD object |
| 8 | Restoring user profile authority |
| 8 | Changing a primary group during restore |
| 7 | Changes to system distribution directory |
| 7 | Subsystem routing entry changed |
| 3 | Actions to spool files |
| 3 | Asynchronous signals |
| 2 | Secure sockets connections |
| 5 | Systems management changes |
| 7 | Server security user information actions |
| 10 | Use of service tools |
| 9 | System value changed |
| 8 | Changing an access control list |
| 3 | Starting or ending a connection |
| 3 | Closing server files |
| 5 | Account limit exceeded |
| 2 | Logging on and off the network |
| 5 | Validation list actions |
| 10 | Network password error |
| 8 | Network resource access |
| 2 | Starting or ending a server session |
| 7 | Changing a network profile |
| 9 | Changing service status |
| 5 | Network authentication |
| 1 | DLO object accessed (change) |
| 1 | DLO object accessed (read) |
| 1 | Object accessed (change) |
| 1 | SOM access method |
| 1 | Object accessed (read) |
Table 1.1.
This License Contract is entered into by and between BalaBit and Licensee and sets out the terms and conditions under which Licensee and/or Licensee’s Authorized Subsidiaries may use the BalaBit syslog-ng Premium Edition product.
In this License Contract, the following words shall have the following meanings:
Company name: BalaBit IT Security Ltd.
Registered office: H-1115 Budapest, Bártfai u. 54. Hungary
Company registration number: 01-09-687127
Tax number: HU11996468
Annexed Software: Any third party software that is not a BalaBit Product contained in the install media of the BalaBit Product.
Authorized Subsidiary: Any subsidiary organization: (i) in which Licensee possesses more than fifty percent (50%) of the voting power and (ii) which is located within the Territory.
BalaBit Product: Any software, hardware or service Licensed, sold, or provided by BalaBit including any installation, education, support and warranty services, with the exception of the Annexed Software.
License Contract: The present BalaBit syslog-ng Premium Edition License Contract.
Product Documentation: Any documentation referring to the BalaBit syslog-ng Premium Edition or any module thereof, with special regard to the administration guide, the product description, the installation guide, user guides and manuals.
Number of Log Source Hosts:
Protected Objects: The entire BalaBit
BalaBit: The BalaBit Product designed for aggregate, filter, format, send or receive over network or local connection the log messages and eventlogs as defined by the Product Description.
Warranty Period: The period of twelve (12) months from the date of delivery of the BalaBit
Territory: The countries or areas specified above in respect of which Licensee shall be entitled to install and/or use BalaBit
End-user Certificate: The document signed by Licensor which contains a) identification data of Licensee; b) configuration of BalaBit
For the BalaBit syslog-ng Premium Edition licensed under this License Contract, BalaBit grants to Licensee a non-exclusive, non-transferable, perpetual license to use such BalaBit Product under the terms and conditions of this License Contract and the applicable End-user Certificate.
Licensee shall use the BalaBit syslog-ng Premium Edition in the configuration and in the quantities specified in the End-user Certificate within the Territory.
On the install media (CD-ROM) all modules of the BalaBit syslog-ng Premium Edition will be presented, however, Licensee shall not be entitled to use any module which was not Licensed to it. Access rights to modules and maximum Number of Log Source Hosts are controlled by an “electronic key” accompanying the BalaBit syslog-ng Premium Edition.
Licensee shall be entitled to make one back-up copy of the install media containing
the BalaBit syslog-ng Premium Edition.
Licensee shall make available the Protected Objects at its disposal solely to its own employees and those of the Authorized Subsidiaries.
Licensee shall take all reasonable steps to protect BalaBit’s rights with respect to the Protected Objects with special regard and care to protecting it from any unauthorized access.
Licensee shall, in 5 working days, properly answer the queries of BalaBit referring to the actual usage conditions of the BalaBit syslog-ng Premium Edition that may differ or allegedly differs from the License conditions.
Licensee shall not modify the BalaBit syslog-ng Premium Edition in any way, with special regard to the functions inspecting the usage of the software.
Licensee shall install the code permitting the usage of the BalaBit syslog-ng Premium Edition according to the provisions defined for it by BalaBit. Licensee may not modify or cancel such codes. Configuration settings of the BalaBit syslog-ng Premium Edition in accordance with the possibilities offered by the system shall not be construed as modification of the software.
Licensee shall only be entitled to analyze the structure of the BalaBit Products (decompilation or reverse-engineering) if concurrent operation with a software developed by a third party is necessary, and upon request to supply the information required for concurrent operation BalaBit does not provide such information within 60 days from the receipt of such a request.
These user actions are limited to parts of the BalaBit Product which are necessary for concurrent operation. Any information obtained as a result of applying the previous Section (i) cannot be used for purposes other than concurrent operation with the BalaBit Product; (ii) cannot be disclosed to third parties unless it is necessary for concurrent operation with the BalaBit Product; (iii) cannot be used for the development, production or distribution of a different software which is similar to the BalaBit Product in its form of expression, or for any other act violating copyright.
For any Annexed Software contained by the same install media as the BalaBit Product, the terms and conditions defined by its copyright owner shall be properly applied. BalaBit does not grant any License rights to any Annexed Software.
Any usage of the BalaBit syslog-ng Premium Edition exceeding the limits and restrictions defined in this License Contract shall qualify as material breach of the License Contract.
The Number of Log Source Hosts shall not exceed the amount defined in the End-user Certificate.
Licensee shall have the right to obtain and use content updates only if Licensee concludes a maintenance contract that includes such content updates, or if Licensee has otherwise separately acquired the right to obtain and use such content updates. This License Contract does not otherwise permit Licensee to obtain and use content updates.
Authorized Subsidiaries may also utilize the services of the BalaBit syslog-ng Premium Edition under the terms and conditions of this License Contract. Any Authorized Subsidiary utilizing any service of the BalaBit syslog-ng Premium Edition will be deemed to have accepted the terms and conditions of this License Contract.
Licensee agrees that BalaBit owns all rights, titles, and interests related to the BalaBit syslog-ng Premium Edition and all of BalaBit's patents, trademarks, trade names, inventions, copyrights, know-how, and trade secrets relating to the design, manufacture, operation or service of the BalaBit Products.
The use by Licensee of any of these intellectual property rights is authorized only for the purposes set forth herein, and upon termination of this License Contract for any reason, such authorization shall cease.
The BalaBit Products are Licensed only for internal business purposes in every case, under the condition that such License does not convey any license, expressly or by implication, to manufacture, duplicate or otherwise copy or reproduce any of the BalaBit Products. No other rights than expressly stated herein are granted to Licensee.
Licensee will take appropriate steps with its Authorized Subsidiaries, as BalaBit may request, to inform them of and assure compliance with the restrictions contained in the License Contract.
BalaBit hereby grants to Licensee the non-exclusive right to use the trade marks of the BalaBit Products in the Territory in accordance with the terms and for the duration of this License Contract.
BalaBit makes no representation or warranty as to the validity or enforceability of the trade marks, nor as to whether these infringe any intellectual property rights of third parties in the Territory.
In case of negligent infringement of BalaBit’s rights with respect to the BalaBit
syslog-ng Premium Edition, committed by violating the
restrictions and limitations defined by this License Contract, Licensee shall pay
liquidated damages to BalaBit. The amount of the liquidated damages shall be twice as
much as the price of the BalaBit Product concerned, on BalaBit’s current Price
List.
BalaBit shall pay all damages, costs and reasonable attorney’s fees awarded against Licensee in connection with any claim brought against Licensee to the extent that such claim is based on a claim that Licensee’s authorized use of the BalaBit Product infringes a patent, copyright, trademark or trade secret. Licensee shall notify BalaBit in writing of any such claim as soon as Licensee learns of it and shall cooperate fully with BalaBit in connection with the defense of that claim. BalaBit shall have sole control of that defense (including without limitation the right to settle the claim).
If Licensee is prohibited from using any BalaBit Product due to an infringement claim, or if BalaBit believes that any BalaBit Product is likely to become the subject of an infringement claim, BalaBit shall at its sole option, either: (i) obtain the right for Licensee to continue to use such BalaBit Product, (ii) replace or modify the BalaBit Product so as to make such BalaBit Product non-infringing and substantially comparable in functionality or (iii) refund to Licensee the amount paid for such infringing BalaBit Product and provide a pro-rated refund of any unused, prepaid maintenance fees paid by Licensee, in exchange for Licensee’s return of such BalaBit Product to BalaBit.
Notwithstanding the above, BalaBit will have no liability for any infringement claim to the extent that it is based upon: (i) modification of the BalaBit Product other than by BalaBit, (ii) use of the BalaBit Product in combination with any product not specifically authorized by BalaBit to be combined with the BalaBit Product or (iii) use of the BalaBit Product in an unauthorized manner for which it was not designed.
The allowed maximum Number of the Log Source Hosts, the configuration and the modules licensed shall serve as the calculation base of the License fee.
Licensee acknowledges that payment of the License fees is a condition of lawful usage.
License fees do not contain any installation or post charges.
BalaBit warrants that during the Warranty Period, the magnetic or optical media upon which the BalaBit Product is recorded will not be defective under normal use. BalaBit will replace any defective media returned to it, accompanied by a dated proof of purchase, within the Warranty Period at no charge to Licensee. Upon receipt of the allegedly defective BalaBit Product, BalaBit will at its option, deliver a replacement BalaBit Product or BalaBit's current equivalent to Licensee at no additional cost. BalaBit will bear the delivery charges to Licensee for the replacement Product.
In case of installation by BalaBit, BalaBit warrants that during the Warranty Period,
the BalaBit syslog-ng Premium Edition, under normal use in the
operating environment defined by BalaBit, and without unauthorized modification, will
perform in substantial compliance with the Product Documentation accompanying the
BalaBit Product, when used on that hardware for which it was installed, in compliance
with the provisions of the user manuals and the recommendations of BalaBit. The date of
the notification sent to BalaBit shall qualify as the date of the failure. Licensee
shall do its best to mitigate the consequences of that failure. If, during the Warranty
Period, the BalaBit Product fails to comply with this warranty, and such failure is
reported by Licensee to BalaBit within the Warranty Period, BalaBit’s sole obligation
and liability for breach of this warranty is, at BalaBit’s sole option, either: (i) to
correct such failure, (ii) to replace the defective BalaBit Product or (iii) to refund
the license fees paid by Licensee for the applicable BalaBit Product.
EXCEPT AS SET OUT IN THIS LICENSE CONTRACT, BALABIT MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE BALABIT SYSLOG-NG PREMIUM EDITION. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BALABIT EXCLUDES ANY OTHER WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN UNION, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES AND, THEREFORE, THE FOLLOWING LIMITATION OR EXCLUSION MAY NOT APPLY TO THIS LICENSE CONTRACT IN THOSE STATES AND COUNTRIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET OUT IN THIS LICENSE CONTRACT FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT SHALL BALABIT BE LIABLE TO LICENSEE FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES OR LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE BALABIT SYSLOG-NG PREMIUM EDITION EVEN IF BALABIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL BALABIT’S TOTAL LIABILITY UNDER THIS LICENSE CONTRACT EXCEED THE FEES PAID BY LICENSEE FOR THE BALABIT SYSLOG-NG PREMIUM EDITION LICENSED UNDER THIS LICENSE CONTRACT.
This License Contract shall come into effect on the date of signature of the End-user Certificate by the duly authorized representative of BalaBit.
Licensee may terminate the License Contract at any time by written notice sent to BalaBit and by simultaneously destroying all copies of the Protected Objects licensed under this License Contract.
BalaBit may terminate this License Contract with immediate effect by written notice to Licensee, if Licensee is in material or persistent breach of the License Contract and either that breach is incapable of remedy or Licensee shall have failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach.
Save as expressly provided in this License Contract, no amendment or variation of this License Contract shall be effective unless in writing and signed by a duly authorized representative of the parties to it.
The failure of a party to exercise or enforce any right under this License Contract shall not be deemed to be a waiver of that right nor operate to bar the exercise or enforcement of it at any time or times thereafter.
If any part of this License Contract becomes invalid, illegal or unenforceable, the parties shall in such an event negotiate in good faith in order to agree on the terms of a mutually satisfactory provision to be substituted for the invalid, illegal or unenforceable provision which as nearly as possible validly gives effect to their intentions as expressed in this License Contract.
Any notice required to be given pursuant to this License Contract shall be in writing and shall be given by delivering the notice by hand, or by sending the same by prepaid first class post (airmail if to an address outside the country of posting) to the address of the relevant party set out in this License Contract or such other address as either party notifies to the other from time to time. Any notice given according to the above procedure shall be deemed to have been given at the time of delivery (if delivered by hand) and when received (if sent by post).
Headings are for convenience only and shall be ignored in interpreting this License Contract.
This License Contract and the rights granted in this License Contract may not be assigned, sublicensed or otherwise transferred in whole or in part by Licensee without BalaBit’s prior written consent. This consent shall not be unreasonably withheld or delayed.
An independent third party auditor, reasonably acceptable to BalaBit and Licensee, may upon reasonable notice to Licensee and during normal business hours, but not more often than once each year, inspect Licensee’s relevant records in order to confirm that usage of the BalaBit syslog-ng Premium Edition complies with the terms and conditions of this License Contract. BalaBit shall bear the costs of such audit. All audits shall be subject to the reasonable safety and security policies and procedures of Licensee.
This License Contract constitutes the entire agreement between the parties with regard to the subject matter hereof.
Any modification of this License Contract must be in writing and signed by both parties.
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
Definitions
"Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
"Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
"Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.
"Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
"Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
"Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
"You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
"Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
"Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,
to Distribute and Publicly Perform the Work including as incorporated in Collections.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).
Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.
You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
For the avoidance of doubt:
Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,
Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).
Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.
Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Termination
This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
Miscellaneous
Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
An additional IP address assigned to an interface that already has an IP address. The normal and alias IP addresses both refer to the same physical interface.
The process of verifying the authenticity of a user or client before allowing access to a network system or service.
The auditing policy determines which events are logged on hosts running Microsoft Windows operating systems.
The old syslog protocol standard described in RFC 3164 http://www.ietf.org/rfc/rfc3164.txt. Sometimes also referred to as the legacy-syslog protocol.
A Certificate Authority (CA) is an institute that issues certificates.
A certificate is a file that uniquely identifies its owner. Certificates contain information identifying the owner of the certificate, the public key itself, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data.
In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server or to a relay.
A named collection of configured destination drivers.
A communication method used to send log messages.
A destination that sends log messages to a remote host (i.e., a syslog-ng relay or server) using a network connection.
A destination that transfers log messages within the host, e.g., writes them to a file, or passes them to a log analyzing application.
The Premium Edition of syslog-ng can store messages on the local hard disk if the central log server or the network connection to the server becomes unavailable.
See disk buffer.
The name of a network, e.g.: balabit.com.
A log statement that is included in another log statement to create a complex log path.
An expression to select messages.
A device that connects two or more parts of the network, e.g.: your local intranet and the external network (the Internet). Gateways act as entrances into other networks.
High availability uses a second syslog-ng server unit to ensure that the logs are received even if the first unit breaks down.
A computer connected to the network.
A name that identifies a host on the network.
The syslog-protocol standard developed by the Internet Engineering Task Force (IETF), described in RFC 5424-5428 http://www.ietf.org/internet-drafts/draft-ietf-syslog-protocol-23.txt.
A private key and its related public key. The private key is known only to the owner; the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key.
The syslog-ng license determines the number of distinct hosts (clients and relays) that can connect to the syslog-ng server.
A combination of sources, filters, parsers, rewrite rules, and destinations: syslog-ng examines all messages arriving to the sources of the logpath and sends the messages matching all filters to the defined destinations.
A binary logfile format that can encrypt, compress, and timestamp log messages.
See log source host.
A host or network device (including syslog-ng clients and relays) that sends logs to the syslog-ng server. Log source hosts can be servers, routers, desktop computers, or other devices capable of sending syslog messages or running syslog-ng.
See log path.
A network computer storing the IP addresses corresponding to domain names.
The Oracle Instant Client is a small set of libraries, which allow you to connect to an Oracle Database. A subset of the full Oracle Client, it requires minimal installation but has full functionality.
A part of the memory of the host where syslog-ng stores outgoing log messages if the destination cannot accept the messages immediately.
Messages from the output queue are sent to the target syslog-ng server. The syslog-ng application puts the outgoing messages directly into the output queue, unless the output queue is full. The output queue can hold 64 messages; this is a fixed value and cannot be modified.
See output buffer.
A set of rules to segment messages into named fields or columns.
A command that sends a message from a host to another host over a network to test connectivity and packet loss.
A number ranging from 1 to 65535 that identifies the destination application of the transmitted data. E.g.: SSH commonly uses port 22, web servers (HTTP) use port 80, etc.
An authentication method that uses encryption key pairs to verify the identity of a user or a client.
A regular expression is a string that describes or matches a set of strings. The syslog-ng application supports extended regular expressions (also called POSIX modern regular expressions).
In relay mode, syslog-ng receives logs through the network from syslog-ng clients and forwards them to the central syslog-ng server using a network connection.
A set of rules to modify selected elements of a log message.
A user-defined structure that can be used to restructure log messages or automatically generate file names.
In server mode, syslog-ng acts as a central log-collecting server. It receives messages from syslog-ng clients and relays over the network, and stores them locally in files, or passes them to other applications, e.g., log analyzers.
A named collection of configured source drivers.
A source that receives log messages from a remote host using a network connection.
The following sources are network sources: tcp(), tcp6(), udp(), udp6().
A source that receives log messages from within the host, e.g., from a file.
A communication method used to receive log messages.
See TLS.
The syslog-ng application is a flexible and highly scalable system logging application, typically used to manage log messages and implement centralized logging.
The syslog-ng agent for Windows is a log collector and forwarder application for the Microsoft Windows platform. It collects the log messages of the Windows-based host and forwards them to a syslog-ng server using regular or SSL-encrypted TCP connections.
A host running syslog-ng in client mode.
The syslog-ng Premium Edition is the commercial version of the open-source application. It offers additional features, like encrypted message transfer and an agent for Microsoft Windows platforms.
A host running syslog-ng in relay mode.
A host running syslog-ng in server mode.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet. The syslog-ng Premium Edition application can encrypt the communication between the clients and the server using TLS to prevent unauthorized access to sensitive log messages.
A command that shows all routing steps (the path of a message) between two hosts.
A Unix domain socket (UDS) or IPC socket (inter-procedure call socket) is a virtual socket, used for inter-process communication.