[syslog-ng] Spock, Is my logic sound ?

Scot scotrn at gmail.com
Tue Feb 16 15:22:40 CET 2016


I'm still getting stuff on nmsloghost that I think should be filtered out.

Do my comments match the conf file?

# Source UDP/TCP syslog port 514.
source s_net {
        udp(ip(0.0.0.0) port(514) so_rcvbuf(262142));
        tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(262142)
            log_iw_size(25000));
};

# Remove messages from 2 network segments
filter      f_network { not netmask("192.168.238.0/24") and
                        not netmask("192.168.239.0/24"); };

# Remove messages matching EITHER expression
filter      f_audit   { not match("Audit" value("MESSAGE")) and
                        not match("Detailed Tracking" value("MESSAGE")); };

# Remove messages matching "The scan found detections" expression
filter      f_mcafee  { not match("The scan found detections." value("MESSAGE")); };

# Destination rule suppress any duplicates in a 10 second window.
destination d_remote  { udp("nmsloghost" suppress(10)); };

# Log from s_net and filter out all matches from f_*  log udp to nmsloghost.
# There is no function to "filter( not f_network);"
log { source(s_net);
      filter(f_network); filter(f_audit); filter(f_mcafee);
      destination(d_remote);
};
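The following is an added model of the three filters above (not code from the post or from syslog-ng), written to make their semantics explicit: netmask() is evaluated against the IP of the host that delivered the message, match() is an unanchored, case-sensitive regex search over the named value, and several filter() statements in one log path are ANDed. The message dicts and the SOURCEIP/HOST/MESSAGE keys are constructed sample data.

```python
import ipaddress
import re

# Hypothetical model of f_network, f_audit and f_mcafee from the post.
# netmask() in syslog-ng checks the sender (last-hop) IP, not the HOST field;
# match() is a regex search, so the unescaped "." in the McAfee pattern
# matches any character.
DROP_NETS = [ipaddress.ip_network("192.168.238.0/24"),
             ipaddress.ip_network("192.168.239.0/24")]
DROP_PATTERNS = [re.compile(p) for p in ("Audit", "Detailed Tracking",
                                         "The scan found detections.")]

def f_network(msg):
    """not netmask(A) and not netmask(B): True when the message passes."""
    sender = ipaddress.ip_address(msg["SOURCEIP"])
    return not any(sender in net for net in DROP_NETS)

def f_content(msg):
    """f_audit and f_mcafee together: drop if any pattern occurs in MESSAGE."""
    return not any(p.search(msg["MESSAGE"]) for p in DROP_PATTERNS)

def passes(msg):
    """Chained filter() statements in one log {} path are ANDed."""
    return f_network(msg) and f_content(msg)

# Constructed sample messages (not real traffic).
SAMPLES = [
    {"SOURCEIP": "192.168.238.17", "HOST": "dc01", "MESSAGE": "Interface up"},
    {"SOURCEIP": "10.0.0.5", "HOST": "fw01", "MESSAGE": "Security Audit event 4624"},
    {"SOURCEIP": "10.0.0.5", "HOST": "fw01", "MESSAGE": "security audit event 4624"},
    {"SOURCEIP": "10.0.0.9", "HOST": "av01", "MESSAGE": "The scan found detectionsX"},
    {"SOURCEIP": "10.0.0.9", "HOST": "av01", "MESSAGE": "Link down on eth0"},
    # Relayed via 10.0.0.1: HOST lies in a dropped segment, SOURCEIP does not.
    {"SOURCEIP": "10.0.0.1", "HOST": "192.168.239.44", "MESSAGE": "Interface up"},
]

def forwarded(msgs=SAMPLES):
    """Return the MESSAGE text of every sample that would reach d_remote."""
    return [m["MESSAGE"] for m in msgs if passes(m)]

if __name__ == "__main__":
    for line in forwarded():
        print(line)
```

The lowercase "audit" line and the relayed message both reach the destination, which is the kind of gap to check for when filtered traffic still appears on nmsloghost.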