<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
One way to check would be to have syslog-ng use the host macro as
part of the directory (or file) name and let it create directories
(or files) for every host it hears from like this:<br>
<br>
change to create_dirs(yes) <br>
<br>
and create a destination that will use information it parses out of
the received logs in the filenames:<br>
<br>
<pre wrap="">destination d_separatedbyhosts {
    file( "/var/log/$HOST/$HOST.$FACILITY.$SEVERITY.$YEAR.$MONTH.$DAY" );
};</pre>
<br>
then don't filter at all - just let syslog-ng create at will.<br>
<br>
While this may not be what you want eventually, it would let
syslog-ng create files for any host it hears from, and that might
show you how the $HOST macro is being parsed.<br>
<br>
Jim<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 08/24/2014 01:33 PM, Jason Long
wrote:<br>
</div>
<blockquote
cite="mid:1408901581.34114.YahooMailNeo@web120404.mail.ne1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:12pt">
<div class="" style="">Hello all.</div>
<div class="" style="">I have a Windows box that wants to forward
all Event logs to my Linux box. I installed Snare on Windows (172.30.10.19)
and configured it to forward logs to Linux, and my Linux box receives them properly.
When I use " tcpdump udp "port 514" ", tcpdump shows me that
Snare is sending logs to Linux but syslog-ng can't write them to
log files :(. I paste my syslog-ng config:</div>
<div class="" style=""><br class="" style="">
</div>
<pre wrap="">options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    #udp(ip(0.0.0.0) port(514));
};


#source s_net {
#udp (ip(172.30.10.19) port(514));
#};
source s_net { udp(); };
filter f_openwrt { host("172.30.10.19");};
destination df_openwrt { file("/var/log/winlog/win.log"); };
log { source ( s_net ); filter( f_openwrt ); destination ( df_openwrt ); };


destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
    (facility(news)
    and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:</pre>
<div class="" style=""><br class="" style="">
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif; font-style: normal; background-color:
transparent;" class=""><br class="" style="">
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif; font-style: normal; background-color:
transparent;" class=""><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif; font-style: normal; background-color:
transparent;" class="">Can you tell me how can I solve this
problem? </div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif; font-style: normal; background-color:
transparent;" class=""><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif; font-style: normal; background-color:
transparent;" class="">Cheers.</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
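<p>To make the point of the reply above concrete (why a <code>host("172.30.10.19")</code> filter can stay silent while tcpdump shows datagrams arriving, and what an unfiltered per-host destination would reveal), here is an added Python model. It is not Jim's code and not syslog-ng's own parser: it models how a BSD-syslog (RFC 3164) receiver fills the $HOST, $FACILITY and $SEVERITY macros under keep_hostname(yes) versus keep_hostname(no) with use_dns(no), expands Jim's destination template, and checks whether the quoted filter would match. The datagrams, the Windows hostname WINBOX and the event fields are constructed samples, not captured traffic. Treating a datagram without a <code>&lt;PRI&gt;</code> as user.notice with no header hostname, and modelling host() as an exact string comparison, are simplifications assumed here.</p>

```python
"""Model of how a BSD-syslog (RFC 3164) receiver fills $HOST, $FACILITY and
$SEVERITY for one UDP datagram.  Added example, not syslog-ng's own parser;
simplifications are marked as assumptions below."""
import re
from datetime import date

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]

# <PRI>, then optionally a "Mmm dd hh:mm:ss" timestamp followed by the header
# hostname, then the free-form message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<msg>.*)$",
    re.S,
)

SNARE_PEER = "172.30.10.19"  # source address of the Windows box in the quoted config

# Constructed sample datagrams (not captured traffic).  Snare's event payload is
# tab-separated; the first variant carries a BSD syslog header naming the
# Windows host "WINBOX" (an assumed name), the second has no header at all.
WITH_HEADER = "<13>Aug 24 13:33:01 WINBOX MSWinEventLog\t1\tSecurity\t4624\tLogon"
NO_HEADER = "WINBOX\tMSWinEventLog\t1\tSecurity\t4624\tLogon"


def parse_syslog(datagram, peer_ip, keep_hostname):
    """Return the macro values the receiver assigns to one datagram.

    keep_hostname models syslog-ng's keep_hostname(): yes keeps the hostname
    found in the message header, no replaces it with the sender's address.
    use_dns(no) is assumed throughout, so the sender's address is the bare IP.
    """
    m = HEADER_RE.match(datagram)
    if m:
        pri = int(m.group("pri"))
        header_host = m.group("host")
        msg = m.group("msg")
    else:
        # Assumption: a datagram without <PRI> is filed as user.notice (13)
        # and is treated as having no header hostname.
        pri, header_host, msg = 13, None, datagram
    facility, severity = divmod(pri, 8)
    host = header_host if (keep_hostname and header_host) else peer_ip
    return {
        "HOST": host,
        "FACILITY": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "SEVERITY": SEVERITIES[severity],
        "MSG": msg,
    }


def host_filter_matches(fields, wanted):
    """Model of  filter f { host("..."); }  as an exact comparison against $HOST.
    (Simplification: syslog-ng's host() is a pattern match, but for a literal
    dotted IP against a hostname such as WINBOX the outcome is the same.)"""
    return fields["HOST"] == wanted


def template_path(fields, when):
    """Expand Jim's  /var/log/$HOST/$HOST.$FACILITY.$SEVERITY.$YEAR.$MONTH.$DAY"""
    return "/var/log/{h}/{h}.{f}.{s}.{y:04d}.{m:02d}.{d:02d}".format(
        h=fields["HOST"], f=fields["FACILITY"], s=fields["SEVERITY"],
        y=when.year, m=when.month, d=when.day)


def demo(datagram, keep_hostname, when=date(2014, 8, 24)):
    """(HOST, does host("172.30.10.19") match, file the template would create)."""
    f = parse_syslog(datagram, SNARE_PEER, keep_hostname)
    return f["HOST"], host_filter_matches(f, SNARE_PEER), template_path(f, when)


if __name__ == "__main__":
    for label, dg in (("with syslog header", WITH_HEADER), ("no syslog header", NO_HEADER)):
        for kh in (True, False):
            host, hit, path = demo(dg, kh)
            print(f"{label:18} keep_hostname({('yes' if kh else 'no'):3}): "
                  f"HOST={host!r:16} filter_hit={hit!s:5} -> {path}")
```

<p>Run it and compare the rows: when the header is present and keep_hostname(yes) is in force, $HOST is whatever name the sender wrote into the header, so a filter on the sender's IP never fires, while the unfiltered per-host destination from the reply would create <code>/var/log/WINBOX/...</code> and show exactly that. With keep_hostname(no) and use_dns(no) the sender's IP becomes $HOST and the IP filter matches, which is the same thing the directory names would tell you.</p>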
<br>
</body>
</html>