<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
<p class="MsoNormal">Greetings;<br>
<br>
My setup works well with one exception, my filtering rules contained in my
syslog-ng.conf do not appear to work properly. My logs are not lost,
instead they end up in a directory which I did not intend them to be in. <br><br>Background: I log to a MySql DB, flatfiles and finally, to SEC, which parses stuff and takes various actions (almost working ;-)<br></p><p class="MsoNormal"><br>For ease of reading, I will simply add the contents of my config file which
pertains to just one filter.</p><p class="MsoNormal">Many thanks in advance for taking the time to read and help me.<br><br>.vp<br></p><p class="MsoNormal">
<br>
############<br>
# OPTIONS #<br>
############<br>
<br>
options<br>
{<br>
chain_hostnames(no);<br>
create_dirs (yes);<br>
dir_perm(0755);<br>
use_dns (yes);<br>
dns_cache(yes);<br>
dns_cache_size(1000);<br>
dns_cache_expire(604800);<br>
keep_hostname(yes);<br>
log_fifo_size(10000);<br>
log_msg_size(8192);<br>
long_hostnames(on);<br>
perm(0644);<br>
stats(3600);<br>
sync(0);<br>
time_reopen (10);<br>
use_dns(yes);<br>
use_fqdn(yes);<br>
};<br>
<br>
############<br>
# SOURCES #<br>
############<br>
<br>
source S_dgram<br>
{ unix-dgram("/dev/log"); };<br>
<br>
source S_internal<br>
{ internal(); };<br>
<br>
source S_kernel<br>
{ file("/proc/kmsg" log_prefix("kernel: ")); };<br>
<br>
source S_tcp<br>
{ tcp(port(4800) keep-alive(yes) max_connections(100)); };<br>
<br>
source S_udp { udp(ip("0.0.0.0") port(514)); };<br>
<br>
###############<br>
# DEST SQL DB #<br>
###############<br>
<br>
destination D_db_mysql {<br>
pipe("/var/log/mysql.pipe"<br>
template("INSERT INTO logs<br>
(host, facility, priority, level, tag, datetime, program, msg)<br>
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY
$HOUR:$MIN:$SEC',<br>
'$PROGRAM', '$MSG' );\n") template-escape(yes));<br>
};<br>
<br>
##############<br>
# DESTINATIONS #<br>
##############<br>
<br>
destination D_authlog {
file("/var/log/auth.log"); };<br>
destination D_bootlog {
file("/var/log/boot.log"); };<br>
destination D_debug {
file("/var/log/debug"); };<br>
destination D_explan {
file("/var/log/explanations"); };<br>
destination D_messages {
file("/var/log/messages"); };<br>
destination D_secure {
file("/var/log/secure"); };<br>
destination D_spooler {
file("/var/log/spooler"); };<br>
destination D_syslog {
file("/var/log/syslog"); };<br>
destination D_user
{ file("/var/log/user.log"); };<br>
<br>
destination D_switch { file("/var/log/MyHosts/Switches/$FULLHOST.log"<br>
perm(0644)); };<br>
destination D_edge {
file("/var/log/MyHosts/EdgeDevices/$FULLHOST.log"<br>
perm(0644)); };<br>
destination D_firewall { file("/var/log/MyHosts/Firewalls/$FULLHOST.log"<br>
owner(root) group(root) perm(0644) dir_perm(0700) create_dirs(yes)); };<br>
destination D_router { file("/var/log/MyHosts/Routers/$FULLHOST.log"<br>
perm(0644)); };<br>
destination D_accesspoints { file("/var/log/MyHosts/AccessPoints/$FULLHOST.log"<br>
perm(0644)); };<br>
destination D_mailservers { file("/var/log/MyHosts/MailServers/$FULLHOST.log"<br>
perm(0644)); };<br>
<br>
###########<br>
# FILTERS #<br>
###########<br>
<br>
filter
F_auth { facility(auth,
authpriv); };<br>
filter F_authpriv {
facility(authpriv); };<br>
filter
F_cron { facility(cron); };<br>
filter
F_daemon { facility(daemon); };<br>
filter
F_kern { facility(kern); };<br>
filter
F_local1 { facility(local1); };<br>
filter
F_local2 { facility(local2); };<br>
filter
F_local3 { facility(local3); };<br>
filter
F_local4 { facility(local4); };<br>
filter
F_local5 { facility(local5); };<br>
filter
F_local6 { facility(local6); };<br>
filter
F_local7 { facility(local7); };<br>
filter
F_lpr { facility(lpr); };<br>
filter
F_mail { facility(mail); };<br>
filter F_messages {
facility(daemon, kern, user); };<br>
filter
F_news { facility(news); };<br>
filter F_spooler {
facility(uucp,news) and level(crit); };<br>
filter
F_syslog { not facility(auth, authpriv) and
not facility(mail); };<br>
filter
F_user { facility(user); };<br>
<br>
filter
F_crit { level(crit); };<br>
filter
F_debug { level(debug); };<br>
filter F_emergency {
level(emerg); };<br>
filter
F_err { level(err); };<br>
filter
F_info { level(info); };<br>
filter
F_notice { level(notice); };<br>
filter
F_warn { level(warn); };<br>
<br>
filter F_edge {
host("edge*") or host("122.21.*"); };<br>
filter F_router { host("gw*") or
host("rtr") or host("mmsc"); };<br>
filter F_switch { host("sw*") or
host("sw1") or host("sw2"); };<br>
filter F_firewall { host("^fw*") or
host("^mlm*-*") or host("^cm*"); };<br>
filter F_dc {
host("^mydc*") or host("^dc*"); };<br>
filter F_accesspoints { host("^melanie*"); };<br>
filter F_mailservers { host("^mail*") or host("^smtpgw*");
};<br>
filter F_proxies { host("^proxygw*");
};<br>
filter F_InternetIP { host("161.17.10.*"); };<br>
<br>
##############<br>
#
LOGS
#<br>
##############<br>
<br>
log { source(S_udp); destination(D_db_mysql); };<br>
<br>
# Send ALL logs to SEC<br>
<br>
# log { source(S_dgram); source(S_internal); source(S_tcp); filter(F_auth);
destination(D_sec); };<br>
<br>
# log { source(S_udp); source(S_tcp); destination(D_sec); };<br>
<br>
log { source(S_udp); destination(D_sec); };<br>
<br>
###<br>
<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_auth); destination(D_authlog);
flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_local7); destination(D_bootlog); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_local1); destination(D_explan); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_local5); destination(D_router); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_messages); destination(D_messages); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_authpriv); destination(D_secure); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_spooler); destination(D_spooler); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_kernel);<br>
source(S_tcp);
filter(F_syslog); destination(D_syslog); flags(final); };<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_user); destination(D_user);
flags(final); };<br>
<br>
log { source(S_dgram);<br>
source(S_internal);<br>
source(S_kernel);<br>
source(S_tcp);
destination(D_hosts); flags(final); };<br>
<br>
log { source(S_udp); filter(F_switch); destination(D_switch); flags(final); };<br>
log { source(S_udp); filter(F_firewall); destination(D_firewall); flags(final);
};<br>
log { source(S_udp); filter(F_router); destination(D_router); flags(final); };<br>
log { source(S_udp); filter(F_edge); destination(D_edge); flags(final); };<br>
log { source(S_udp); filter(F_dc); destination(D_dc); flags(final); };<br>
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints);
flags(final); };<br>
log { source(S_udp); filter(F_proxies); destination(D_proxies); flags(final);
};<br>
log { source(S_udp); filter(F_mailservers); destination(D_mailservers);
flags(final); };<br>
<br>
log { source(S_udp); destination(D_udp);};<br>
<br>
<br style="">
<!--[if !supportLineBreakNewLine]--><br style="">
<!--[endif]--></p>
</body>
</html>