syslog-ng-anon
This patch adds the capability to syslog-ng that allows you to strip out any given regular expression or all IP addresses from log messages before they are written to disk. The goal is to give the system administrator the means to implement site logging policies by allowing them easy control over exactly what data they retain in their logfiles, regardless of what a particular daemon might think is best.
For example, when enabled for a particular log file, this patch could be used to convert:
imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP
into this:
imaplogin: LOGIN, user=myuser, ip=[0.0.0.0], protocol=IMAP
Data retention has become a hot legal topic for ISPs and other Online Service Providers (OSPs). There are many instances where it is preferable to keep less information on users than is collected by default on many systems. In the United States, there is currently no requirement to retain data on users of a server, but you may be required to provide all data on a user which you have retained. OSPs can protect themselves from legal hassles and added work by choosing what data they wish to retain.
Here are some related links:
installing the package
This patch is currently included with Debian (in sarge since June 9 2005). So, if you are running Debian 4.0 or later, simply run "apt-get install syslog-ng".
applying the patch
If you wish to compile your own version of syslog-ng with this patch, follow these instructions.
This patch has been tested against the following versions of syslog-ng:
- version 1.6.5
- version 1.6.7
- Debian package syslog-ng_1.6.5-2
- Debian package syslog-ng_1.6.7-1
To use this patch, obtain the source for syslog-ng, and the latest syslog-ng-anon patch. Uncompress the syslog-ng source and then apply the patch:
% tar -zxvf syslog-ng.tar.gz
% cd syslog-ng
% patch -p1 < syslog-ng-anon.diff
Then compile and install syslog-ng as normal.
how to use it
This patch adds the filter "strip". For example:
filter f_strip { strip(<regexp>); };
This will strip out all matches of the regular expression from logs to which the filter is applied, replacing each match with the fixed-length string of four dashes ("----").
In place of a regular expression, you can put "ips", which will replace all internet addresses with 0.0.0.0. For example:
filter f_mail { facility(mail) and strip(ips); };
You can alter what the replacement strings are by using replace:
replace(ips,"0.0.0.0") <--- this is the same as strip(ips)
replace(<regex>,"----") <--- this is the same as strip(regex)
For a complete example, see our sample syslog-ng.conf file.
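As an added illustration that is not the patch's own code, the following Python models the strip/replace semantics described above and applies them to the page's sample log line. The dotted-quad IPv4 pattern is an assumption about what "ips" matches; the patch's own notion of an internet address may differ.

```python
import re

# Constructed approximation of the patch's filter semantics, not its C code.
# Assumption: "ips" matches dotted-quad IPv4 addresses only.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def replace(pattern, replacement, message):
    """replace(<pattern>, "<text>"): substitute every match in the message.
    The keyword "ips" selects the IPv4 pattern; anything else is a regex."""
    if pattern == "ips":
        return IPV4_RE.sub(replacement, message)
    return re.sub(pattern, replacement, message)


def strip(pattern, message):
    """strip(ips) is replace(ips, "0.0.0.0");
    strip(<regex>) is replace(<regex>, "----")."""
    if pattern == "ips":
        return replace("ips", "0.0.0.0", message)
    return replace(pattern, "----", message)


# Constructed sample: the page's own imaplogin line.
SAMPLE = "imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP"


def anonymize_mail_line(message):
    """A retention policy a site might attach to facility(mail):
    zero the client address, then blank the username field."""
    message = strip("ips", message)
    return strip(r"user=[^,]*", message)


if __name__ == "__main__":
    print(strip("ips", SAMPLE))
    print(anonymize_mail_line(SAMPLE))
```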