[syslog-ng] Separating Remote Logs

Nate Hausrath hausrath.mailing.list at gmail.com
Fri Jan 8 17:45:50 CET 2010


Thanks for your response.

I must be doing something else wrong, because after changing everything to .classifier.rule_id, all my logs are placed in the other.log file.  Is there anything else that jumps out at you?

Thanks,
Nate

On Jan 7, 2010, at 1:27 PM, Martin Holste wrote:

> It should be ".classifier.rule_id" not ".classifier_rule_id."
> 
> By the way, I find I need to use a rewrite template for Snare to
> normalize the program.  I use:
> 
> rewrite r_snare {
>  subst("MSWinEventLog.+(Security|Application|System).+", "$1",
> value("PROGRAM") flags(global));
> };
> 
> --Martin
> 
> On Thu, Jan 7, 2010 at 11:56 AM, Nate Hausrath
> <hausrath.mailing.list at gmail.com> wrote:
>> Hi everyone,
>> 
>> I've set up a central log server using syslog-ng that receives logs from many different locations on the network.  I want to break these logs up into different files so I can use another program to parse and interpret each one individually.  So for example, I want my Windows logs to go to /var/log/remote/windows.log, while my ASA logs go to /var/log/remote/asa.log.  Anything that doesn't fit into a group should go to /var/log/remote/other.log.
>> 
>> I'm trying to figure out the best way to do this.  I was going to create a custom xml file for the db-parser, but I can't seem to get it to work the way I want.  Here is my db-parser XML file so far:
>> 
>> <?xml version='1.0' encoding='UTF-8'?>
>> <patterndb version='2' pub_date='2009-12-07'>
>>        <ruleset name='capcxml' id='1923-ab2b'>
>>                <pattern/>
>>                <rules>
>>                        <rule provider='capc' id='1' class='system'>
>>                                <description>Detects ASA logs</description>
>>                                <patterns>
>>                                        <pattern>%ASA</pattern>
>>                                </patterns>
>>                        </rule>
>>                        <rule provider='capc' id='2' class='system'>
>>                                <description>Detects Windows logs from Snare</description>
>>                                <patterns>
>>                                        <pattern>MSWinEventLog</pattern>
>>                                </patterns>
>>                        </rule>
>>                </rules>
>>        </ruleset>
>> </patterndb>
>> 
>> So my question is, how can I specify a filter in my syslog-ng.conf file that will allow me to separate logs from these two different rules?  Along with that, how can I separate everything that doesn't match?
>> 
>> For instance, I could have something like this:
>> 
>> filter f_class_asa {
>>        match("1"
>>        value(".classifier_rule_id")
>>        type("string")
>>        );
>> };
>> 
>> filter f_class_windows {
>>        match("2"
>>        value(".classifier_rule_id")
>>        type("string")
>>        );
>> };
>> 
>> filter f_class_other {
>>        not match("1" value(".classifier_rule_id") type("string"))
>>        and not match("2" value(".classifier_rule_id") type("string"));
>> };
>> 
>> log {
>>        source(s_remote);
>>        parser(p_capc);
>>        filter(f_class_asa);
>>        destination(df_asa);
>> };
>> 
>> log {
>>        source(s_remote);
>>        parser(p_capc);
>>        filter(f_class_windows);
>>        destination(df_windows);
>> };
>> 
>> log {
>>        source(s_remote);
>>        parser(p_capc);
>>        filter(f_class_other);
>>        destination(df_other);
>> };
>> 
>> But this doesn't seem to work.  Everything gets placed in the df_asa file.
>> 
>> Am I approaching this the wrong way?  Should I not use db-parser for this task?
>> 
>> Thanks for any help!
>> Nate
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>> 
>> 
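A consolidated version of the configuration discussed in this thread, added here as an example and not taken from either poster's mail: it uses the `.classifier.rule_id` macro Martin points to, derives the catch-all filter from the two positive filters, and adds a diagnostic destination that records what db-parser actually set on each message, which is the first thing to look at when everything lands in other.log. The patterndb file path and the diagnostic file name are assumptions; the source s_remote, the destinations and the rule ids 1 and 2 are the ones from the thread.

```conf
# Assumed location of the patterndb XML from the thread (rule id 1 = ASA, id 2 = Snare).
parser p_capc {
    db-parser(file("/etc/syslog-ng/patterndb.d/capc.xml"));
};

# db-parser stores the matching rule's id attribute in .classifier.rule_id
# (note the dot between "classifier" and "rule_id").
filter f_class_asa     { match("1" value(".classifier.rule_id") type("string")); };
filter f_class_windows { match("2" value(".classifier.rule_id") type("string")); };

# Catch-all: reference the two filters above instead of repeating the match()
# expressions, so adding a third rule later only changes one place.
filter f_class_other { not filter(f_class_asa) and not filter(f_class_windows); };

destination df_asa     { file("/var/log/remote/asa.log"); };
destination df_windows { file("/var/log/remote/windows.log"); };
destination df_other   { file("/var/log/remote/other.log"); };

# Diagnostic output (assumed file name): one line per message showing the program
# name the ruleset was looked up by and the rule id / class the parser assigned.
# An empty rule id here means the message never matched a rule, so the filters
# are not where it went wrong.
destination df_classify_debug {
    file("/var/log/remote/classify-debug.log"
         template("${PROGRAM} rule=${.classifier.rule_id} class=${.classifier.class} ${MSG}\n"));
};

log { source(s_remote); parser(p_capc); filter(f_class_asa);     destination(df_asa); };
log { source(s_remote); parser(p_capc); filter(f_class_windows); destination(df_windows); };
log { source(s_remote); parser(p_capc); filter(f_class_other);   destination(df_other); };
log { source(s_remote); parser(p_capc); destination(df_classify_debug); };
```

db-parser only tries a ruleset's rules once the ruleset's program pattern has matched ${PROGRAM}, so the program name shown in the debug file is what to compare against the `<pattern>` in the `<ruleset>` element when the rule id comes back empty.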