<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Initially sent to the wrong address....<br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica'; font-size:medium;">Paul Hutton <<a href="mailto:paul_hutton@bigpond.com">paul_hutton@bigpond.com</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>Syslog NG simple filtering not working as expected...</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">26 September 2013 11:23:15 PM AEST<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:syslog-ng-request@lists.balabit.hu">syslog-ng-request@lists.balabit.hu</a><br></span></div><br><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><font class="Apple-style-span" face="Arial" size="2">Hi All,</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">I am trying to forward network sourced syslogs to a number of destinations depending on 
a few simple filters, but am immediately coming unstuck. My constraint is that all incoming and outgoing network syslog traffic is UDP. My intention in the configuration code below (apart from logging the localhost) is to:</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">1. Forward all incoming network sourced syslogs except those generated by two firewalls to destination Remote_L</font></div><div><font class="Apple-style-span" face="Arial" size="2">2. Forward incoming network syslogs that are generated by the firewalls to destination Remote_C (currently commented out)</font></div><div><font class="Apple-style-span" face="Arial" size="2">3. Forward all incoming network syslogs of severity 0, 1 and 2 to destinations Remote_D1 and Remote_D2 (currently commented out)</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">In addition, all incoming network sourced syslogs are logged locally to destination d_logger and I've added another local file d_debug out of curiosity.</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">My problem is that with just the filter enabled at point 1 above and in the code below, the behaviour of syslog-ng is very erratic, beyond any reasonable anticipation of the unreliability of UDP as the transport. 
If I comment out the filter line </font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2"> filter (not_firewalls);</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">in the code below, then test traffic (none of which is generated by the firewall sources) is received and forwarded correctly as well as logged locally. If I uncomment the filter, then I have seen test traffic forwarded correctly on one occasion, but it is mostly the case that some smaller subset (including none) of the test traffic is forwarded. In this case, the test traffic is also correctly written to the local destination d_debug. That is in the same rule that fails to forward the test traffic.</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">I am running 3.2.4 on Solaris 10 09/10 x86 obtained from the Sunfreeware site.</font></div><div><font class="Apple-style-span" face="Arial" size="2"><br></font></div><div><font class="Apple-style-span" face="Arial" size="2">I have also unashamedly plagiarised configuration code from a couple of posted sources, so if you recognise your work, thanks for putting it out there...</font></div><div><font size="2" face="Arial"><br></font></div><div><font size="2" face="Arial"><br></font></div><div><font size="2" face="Arial">Thanks in advance.</font></div><div><font size="2" face="Arial"><br></font></div><div><font size="2" face="Arial">Paul</font></div><div><font size="2" face="Arial"><br></font></div><div><font size="2" face="Arial"><br></font></div><div><font size="2" face="Arial"><br></font></div><div><font size="2" face="Arial">@version: 3.2<br>@include "scl.conf"<br>options {<br> stats_level(3);<br> flush_lines(100);<br> 
flush_timeout(10000);<br>};<br>################################################################<br># Ensure syslog-ng logs this host similarly to syslogd <span class="954541801-24092013"> </span>#<br>################################################################<br>source s_local {<br> sun-streams("/dev/log" door("/etc/.syslog_door"));<br> internal();<br>};<br>#<br># Set global network source<br>#<br>source src {<br> udp(ip("0.0.0.0") port (514));<br>};</font></div><div> </div><div><font size="2" face="Arial">###############################################################<br># Local logfiles and remote destinations setup <span class="954541801-24092013"> </span> #<br>###############################################################<br>destination syslog {<br> file("/var/log/syslog");<br>};<br>destination messages {<br> file("/var/adm/messages");<br>};<br>destination loginlog {<br> file("/var/adm/loginlog");<br>};<br>#<br># Set remote destinations<br>#<br>destination Remote_<span class="954541801-24092013">L</span> {<br> udp ("10.<span class="954541801-24092013">octet</span>.<span class="954541801-24092013">octet</span>.<span class="954541801-24092013">octetL</span>" port (514) );<br>};<br>destination Remote_D1 {<br> udp ("10.<span class="954541801-24092013">octet.octet.octetD1</span>" port (514) spoof_source (yes));<br>};<br>destination Remote_D2 {<br> udp ("10.<span class="954541801-24092013">octet.octet.octetD2</span>" port (514) spoof_source (yes));<br>};<br>destination Remote_C {<br> udp ("10.<span class="954541801-24092013">octet.octet.octetC</span>" port (514) spoof_source (yes));<br>};<br>#<br># Set local destination for all remote syslog input<br>#<br>destination d_<span class="954541801-24092013">logger</span> {<br> file("/var/log/<span class="954541801-24092013">logger</span>.log");<br>};</font></div><div><font face="Arial"><font size="2"><span class="954541801-24092013"></span>#</font></font></div><div><span class="954541801-24092013"></span><font 
size="2" face="Arial">#<span class="954541801-24092013"> Add another local debug file to check filters are working</span></font></div><div><span class="954541801-24092013"></span><font face="Arial"><font size="2"><span class="954541801-24092013"></span>#</font></font></div><div><span class="954541801-24092013"></span><font size="2" face="Arial">d<span class="954541801-24092013">estination d_debug {</span></font></div><div><span class="954541801-24092013"></span><font face="Arial"><font size="2"><span class="954541801-24092013"> file("/var/log/debug.log");</span></font></font></div><div><span class="954541801-24092013"></span><font size="2" face="Arial">}<span class="954541801-24092013">;</span><br>##############################################################<br># Filters for mimicking Solaris syslogd <span class="954541801-24092013"> </span> #<br># identifying firewall syslogs <span class="954541801-24092013"> </span> #<br># identifying severity levels 0 to 2 <span class="954541801-24092013"> </span>#<br>##############################################################<br>filter f_syslog {<br> facility(mail) or (facility(daemon) and priority(notice));<br>};<br>filter f_messages {<br> priority(err)<br> or facility(kern)<br> or (facility(user) and priority(err))<br> or (facility(daemon) and priority(notice))<br> or (facility(mail) and priority(crit));<br>};<br>filter f_auth {<br> facility (auth);<br>};</font></div><div> </div><div><font size="2" face="Arial">#<br># Set Firewall Filters<br>#<br>filter firewalls {<br> host("10.<span class="954541801-24092013">octet.octet.octetfw1</span>") or host("10.<span class="954541801-24092013">octet.octet.octetfw2</span>");<br>};<br>filter not_firewalls {<br> not (host("10.<span class="954541801-24092013">octet.octet.octetfw1</span>") or host("10.<span class="954541801-24092013">octet.octet.octetfw2</span>"));<br>};</font></div><div> </div><div><font size="2" face="Arial">#<br># Filter Severity Levels 0, 1 and 2<br>#<br>filter 
f_crit {<br> level (crit .. emerg);<br>};<br>##############################################################<br># Now do some logging #<br>##############################################################</font></div><div> </div><div><font size="2" face="Arial">#<br># Log local syslog data appropriately<br>#<br>log {<br> source(s_local);<br> filter(f_syslog);<br> destination(syslog);<br>};<br>log {<br> source(s_local);<br> filter(f_messages);<br> destination(messages);<br>};<br>log {<br> source(s_local);<br> filter(f_auth);<br> destination(loginlog);<br>};</font></div><div> </div><div><font size="2" face="Arial">#<br># Log remotely sourced syslogs of all Severity Levels to remote <span class="954541801-24092013">L</span> system<br># but exclude syslogs from the firewalls<br>#<br>log {<br> source (src);<br> filter (not_firewalls);<br> destination (Remote_<span class="954541801-24092013">L</span>);<br> destination (<span class="954541801-24092013">d_</span>debug);<br>};<br>#<br># Log remotely sourced syslogs of Severity Levels 0 to 2 to remote D systems<br># including syslogs from the firewalls<br>#<br>#log {<br># source (src);<br># filter (f_crit);<br># destination (Remote_D1);<br># destination (Remote_D2);<br>#};<br>#<br># Log remotely sourced syslogs from the two firewalls to remote C<span class="954541801-24092013"> </span>system<br>#<br>#log {<br> #source (src);<br> #filter (firewalls);<br># destination (Remote_C);<br>#};<br>#<br># Log remotely sourced syslogs to a local file<br>#<br>log {<br> source (src);<br> destination (d_<span class="954541801-24092013">logger</span>);<br>};<br><br></font></div><div> </div><div><br></div></div></blockquote></div><br></body></html>
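Added illustration, not part of Paul's message and not syslog-ng code: the Python script below models how the four log statements in the posted configuration route a datagram, with the two commented-out statements (Remote_D1/D2 and Remote_C) treated as enabled. It parses the RFC 3164 PRI prefix into facility and severity, reproduces level(crit .. emerg) as the inclusive severity set {0, 1, 2}, evaluates each log statement independently (a message matching several statements goes to all of them), and runs constructed sample datagrams through the result. Assumptions: the firewall addresses 10.0.0.1 and 10.0.0.2 are placeholders for the octets masked in the post; the sample messages are made up; HOST is taken to be the sender's IP as a plain string, which corresponds to use_dns(no) on the udp() source; and host() is modelled as an exact comparison, whereas syslog-ng's host() filter is a regular-expression match.

```python
import re
import socket

# Placeholder firewall addresses; the original post masks its real octets.
FIREWALLS = {"10.0.0.1", "10.0.0.2"}

# Syslog severity numbers, as used by syslog-ng's level()/priority() filters.
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def level_range(lo: str, hi: str) -> set:
    """Mimic syslog-ng's level(a .. b): an inclusive range of severities.
    The order of the two names does not matter, so level(crit .. emerg) is {2, 1, 0}."""
    a, b = SEVERITIES[lo], SEVERITIES[hi]
    return set(range(min(a, b), max(a, b) + 1))


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(datagram: str) -> tuple:
    """Split the <PRI> prefix into (facility, severity): PRI = facility * 8 + severity.
    A missing or out-of-range PRI is treated as <13> (user.notice), the RFC 3164 relay rule."""
    m = _PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else 13
    if pri > 191:
        pri = 13
    return pri >> 3, pri & 7


# One entry per log {} statement in the post:
# (filter name, predicate over (host, facility, severity), destinations).
# The D and C statements are commented out in the post; they are modelled here as enabled.
F_CRIT = level_range("crit", "emerg")
LOG_PATHS = [
    ("not_firewalls", lambda h, f, s: h not in FIREWALLS, ("Remote_L", "d_debug")),
    ("f_crit",        lambda h, f, s: s in F_CRIT,        ("Remote_D1", "Remote_D2")),
    ("firewalls",     lambda h, f, s: h in FIREWALLS,     ("Remote_C",)),
    ("<none>",        lambda h, f, s: True,               ("d_logger",)),
]


def route(sender_ip: str, datagram: str, paths=LOG_PATHS) -> dict:
    """Return the destinations a datagram from sender_ip reaches.
    Each log statement is evaluated on its own, so one message can hit several paths,
    and all destinations of a matching statement receive it.
    Assumption: HOST equals the sender's IP as a plain string (use_dns(no) on the udp() source)."""
    facility, severity = parse_pri(datagram)
    host = sender_ip
    hits = set()
    for _name, match, dests in paths:
        if match(host, facility, severity):
            hits.update(dests)
    return {"host": host, "facility": facility, "severity": severity,
            "destinations": sorted(hits)}


# Constructed sample traffic (not captured from the poster's network).
SAMPLES = [
    ("10.0.0.1",  "<34>Sep 26 23:23:15 fw1 kernel: deny tcp 203.0.113.9:44321 -> 10.0.0.10:22"),  # auth.crit
    ("10.0.0.50", "<13>Sep 26 23:23:16 app1 test: hello from the test host"),                    # user.notice
    ("10.0.0.50", "<0>Sep 26 23:23:17 app1 kernel: panic - not syncing"),                        # kern.emerg
    ("10.0.0.2",  "<190>Sep 26 23:23:18 fw2 fwd: permit udp 10.0.0.50:514 -> 10.0.0.20:514"),   # local7.info
]


def route_samples(samples=SAMPLES) -> list:
    """Route every sample and return the per-message results in order."""
    return [route(ip, dgram) for ip, dgram in samples]


def send_datagram(datagram: str, collector: str, port: int = 514) -> int:
    """Send one test datagram over UDP to a syslog-ng udp() source; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram.encode("utf-8"), (collector, port))


if __name__ == "__main__":
    for r in route_samples():
        print(r)
```

Two things the model makes explicit. First, Remote_L and d_debug sit in the same log statement, so the filter verdict for a given message is shared by both; a message that reached d_debug through that statement was also handed to Remote_L, and any difference between the two has to arise after filtering (destination buffering, UDP delivery, the network), which this script does not model. Second, the string host() sees for a udp() sender depends on the source options: with syslog-ng's defaults (use_dns(yes), keep_hostname(no)) the sender address is reverse-resolved, so host("10.x.x.x") only matches the bare IP when resolution is off or fails; set use_dns(no) on the source if the intention is to match on addresses, as this simulation assumes.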