[syslog-ng] syslog-ng filters not working

SZIGETVÁRI János jszigetvari at gmail.com
Wed Aug 3 22:18:37 CEST 2016


Hello Christian,

I just noticed that you seem to be using two network sources configured to
use the same IP and port settings.
You should move the src_MYAPP source to a different port, because the two
are conflicting.
Furthermore, you could try removing the quotes from the f_devenv_04net
stanza. (Although I don't expect any significant changes in syslog-ng's
behavior because of this.)

Which is the generic destination you were referring to earlier? Is it
perhaps d_MYAPP? (Or another one?)

Regards,
János

2016-08-03 19:50 GMT+02:00 Christian Turner <cturner at highroads.com>:

> @version: 3.2
>
> #Default configuration file for syslog-ng.
> #
> # For a description of syslog-ng configuration file directives, please read
> # the syslog-ng Administrator's guide at:
> #
> # https://www.balabit.com/support/documentation
> #
> @include "scl.conf"
>
> options {
>         flush_lines (0);
>         time_reopen (10);
>         log_fifo_size (2048);
>         chain_hostnames (off);
>         use_dns (no);
>         use_fqdn (no);
>         create_dirs (yes);
>         keep_hostname (no);
>         stats_freq(86400);
> };
>
> source s_sys {
>         file ("/proc/kmsg" program_override("kernel: "));
>         unix-stream ("/dev/log");
>         internal();
> };
>
> ### MYAPP Dev  Logs ###
>
> ## DEVENV ##
> source src_devenv { udp(ip(0.0.0.0) port(514)); };
>
> filter f_devenv_01ui  { netmask(10.22.206.0/24); };
> filter f_devenv_02gw  { netmask(10.22.207.0/24); };
> filter f_devenv_03api { netmask(10.22.208.0/24); };
> filter f_devenv_04net { netmask( "10.22.209.0/24" ); };
> filter f_devenv_05bat { netmask(10.22.210.0/24); };
>
> destination d_devenv_01ui  { file("/mnt/syslogng/MYAPPlogs/DEVENV/01ui-$HOST-$YEAR$MONTH$DAY.log"); };
> destination d_devenv_02gw  { file("/mnt/syslogng/MYAPPlogs/DEVENV/02gw-$HOST-$YEAR$MONTH$DAY.log"); };
> destination d_devenv_03api { file("/mnt/syslogng/MYAPPlogs/DEVENV/03api-$HOST-$YEAR$MONTH$DAY.log"); };
> destination d_devenv_04net { file("/mnt/syslogng/MYAPPlogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
> destination d_devenv_05bat { file("/mnt/syslogng/MYAPPlogs/DEVENV/05bat-$HOST-$YEAR$MONTH$DAY.log"); };
>
> log { source(src_devenv); filter(f_devenv_01ui); destination(d_devenv_01ui); };
> log { source(src_devenv); filter(f_devenv_02gw); destination(d_devenv_02gw); };
> log { source(src_devenv); filter(f_devenv_03api); destination(d_devenv_03api); };
> log { source(src_devenv); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
> log { source(src_devenv); filter(f_devenv_05bat); destination(d_devenv_05bat); };
>
> ## MYAPP ALL ##
> source src_MYAPP { udp(ip(0.0.0.0) port(514)); };
> destination d_MYAPP { file("/mnt/syslogng/MYAPPlogs/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };
> log { source(src_MYAPP); destination(d_MYAPP); };
>
> #source external { tcp(); };
> #source external { udp(); };
>
> #destination d_hosts { file("/home/syslog/$HOST/application.log" owner("syslog") group("syslog") perm(0600)); };
>
> destination d_mesg { file("/var/log/messages"); };
> #destination d_cons { file("/dev/console"); };
> #destination d_auth { file("/var/log/secure"); };
> #destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> #destination d_spol { file("/var/log/spooler"); };
> #destination d_boot { file("/var/log/boot.log"); };
> #destination d_cron { file("/var/log/cron"); };
> #destination d_kern { file("/var/log/kern"); };
> #destination d_mlal { usertty("*"); };
> #destination d_all { file("/var/log/splunk");  };
>
> log { source(s_sys); destination(d_mesg); };
> #log { source(external); destination(d_hosts); };
>
>
> From: Christian Turner
> Sent: Wednesday, August 3, 2016 11:53 AM
> To: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> Subject: RE: syslog-ng filters not working
>
> Hi,
>
> I have the following filter configured;
>
> source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
> filter f_devenv01_04net { netmask(10.22.209.0/24); };
> destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
> log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
>
> However, the filter does not work, and the logs from this source all go to
> the generic logging destination.
>
> I perform an strace and I can see that the IP appears as expected, so I’m
> figuring I have a syntax error somewhere;
>
> [pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1
> [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785),
> sin_addr=inet_addr("10.22.209.10")}, [16]) = 265
>
> Christian Turner
>


-- 
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

E-mail: jszigetvari at gmail.com
Phone: +36209440412 (Hungary)

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
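Added example, not from the thread and not syslog-ng code: a small Python model of how syslog-ng walks `log` statements for the posted config. It mirrors the documented semantics that matter here: statements are tried in the order they appear, each applies only to messages that arrived on its own source, `netmask()` compares the subnet against the sender address of the datagram (the `sin_addr` in Christian's strace), and a statement with `flags(final)` stops a matching message from reaching later statements. It also checks for the conflict János points out, two network sources bound to the same transport, IP and port. The single merged source `src_all` is a hypothetical fix and not a name from the thread; `10.22.209.10` is the sender from the strace, the other sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Model of syslog-ng log-path evaluation for the thread's config (added
# example, not syslog-ng code). Log statements are tried in order; a
# statement only sees messages from its own source; the filter is checked
# against the sender address; flags(final) stops further statements.


@dataclass(frozen=True)
class LogPath:
    source: str
    destination: str
    netmask: Optional[str] = None  # None models a log statement with no filter
    final: bool = False


def netmask_matches(network: Optional[str], sender_ip: str) -> bool:
    """Equivalent of netmask(): true when the sender address lies in the subnet.

    The sender address is whatever the UDP packet carries; nothing
    authenticates it, so this is routing, not access control.
    """
    if network is None:
        return True
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(network, strict=False)


def route(paths: List[LogPath], arrived_on: str, sender_ip: str) -> List[str]:
    """Destinations a message reaches, given the source it arrived on, in order."""
    reached: List[str] = []
    for path in paths:
        if path.source != arrived_on:
            continue
        if not netmask_matches(path.netmask, sender_ip):
            continue
        reached.append(path.destination)
        if path.final:
            break  # flags(final): later log statements never see this message
    return reached


Source = Tuple[str, str, str, int]  # (name, transport, ip, port)


def find_endpoint_conflicts(sources: List[Source]) -> List[List[str]]:
    """Groups of source names that would bind the same transport/ip/port."""
    by_endpoint: Dict[Tuple[str, str, int], List[str]] = {}
    for name, transport, ip, port in sources:
        by_endpoint.setdefault((transport, ip, port), []).append(name)
    return [names for names in by_endpoint.values() if len(names) > 1]


# The posted config, in statement order.
POSTED_SOURCES: List[Source] = [
    ("src_devenv", "udp", "0.0.0.0", 514),
    ("src_MYAPP", "udp", "0.0.0.0", 514),
]
POSTED_PATHS = [
    LogPath("src_devenv", "d_devenv_01ui", "10.22.206.0/24"),
    LogPath("src_devenv", "d_devenv_02gw", "10.22.207.0/24"),
    LogPath("src_devenv", "d_devenv_03api", "10.22.208.0/24"),
    LogPath("src_devenv", "d_devenv_04net", "10.22.209.0/24", final=True),
    LogPath("src_devenv", "d_devenv_05bat", "10.22.210.0/24"),
    LogPath("src_MYAPP", "d_MYAPP"),  # catch-all, no filter
]

# Hypothetical fix (src_all is not a name from the thread): one UDP source
# feeding every statement, so the catch-all sees the same messages as the
# subnet filters and flags(final) on 04net keeps those lines out of d_MYAPP.
MERGED_PATHS = [LogPath("src_all", p.destination, p.netmask, p.final) for p in POSTED_PATHS]


if __name__ == "__main__":
    print("endpoint conflicts:", find_endpoint_conflicts(POSTED_SOURCES))
    # 10.22.209.10 is the sender from the strace; the other addresses are constructed.
    for ip in ("10.22.209.10", "10.22.206.5", "192.0.2.7"):
        print(ip, "via src_all    ->", route(MERGED_PATHS, "src_all", ip))
    print("10.22.209.10 via src_MYAPP ->", route(POSTED_PATHS, "src_MYAPP", "10.22.209.10"))
```

With the merged source, a message from 10.22.209.10 reaches only `d_devenv_04net`, because `flags(final)` stops it before the catch-all; a 10.22.206.x sender reaches its subnet file and `d_MYAPP`; an address outside every subnet reaches only `d_MYAPP`. With the two separate sources as posted, a message that arrives on `src_MYAPP` is never checked against any netmask filter, since no statement combines that source with those filters. Keep in mind that `netmask()` keys on the datagram's sender address, which is unauthenticated over UDP: a host that can spoof a source address into 10.22.209.0/24 can place lines in the 04net file, so per-subnet files are a routing convenience rather than a trust boundary.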