<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The syslog server has to listen on the
ipaddress:port combination.<br>
The solaris hosts need to syslog to the new ipaddress:port
combination.<br>
<br>
Since I don't know how you are processing your log lines in your
syslog-ng configuration it is difficult to provide a lot of
guidance, but here are a couple of examples.<br>
<br>
---- option #1<br>
Using a completely different source. - you must fill in the IP
addresses and port numbers<br>
<br>
source s_regular_syslog {<br>
tcp(localip(regularIP) port(regularPort)
max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
tags("regular_syslog") );<br>
};<br>
<br>
source s_solaris_syslog {<br>
tcp(localip(solarisIP) port(solarisPort)
max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
tags("solaris_syslog") );<br>
};<br>
<br>
<br>
log { source(s_regular_syslog);
destination(d_regular_destination); };<br>
log { source(s_solaris_syslog); destination(d_solaris_syslog); };<br>
<br>
<br>
---- option #2<br>
Using a tagged source. - you must fill in the IP addresses and
port numbers<br>
<br>
source s_all_syslog {<br>
tcp(localip(regularIP) port(regularPort)
max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
tags("regular_syslog") );<br>
tcp(localip(solarisIP) port(solarisPort)
max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
tags("solaris_syslog") );<br>
};<br>
<br>
filter f_solaris { tags("solaris_syslog"); };<br>
<br>
log {<br>
source(s_all_syslog);<br>
log { filter(f_solaris); destination(d_solaris_syslog);
flags(final); };<br>
log { destination(d_regular_destination); };<br>
};<br>
<br>
<br>
<br>
I hope that gives you the basics of what is needed.<br>
<br>
On 10/29/2015 12:41 PM, vijay amruth wrote:<br>
</div>
<blockquote
cite="mid:CA+aSzChLE4MRueiUeo2DCyZkPguMMmzE5JDaKmj3VJn+t2a_7A@mail.gmail.com"
type="cite">
<div dir="ltr">Thank you Evan, great idea!
<div>Can we achieve this with regex on syslog-ng.conf file on
the server side?</div>
<div><br>
</div>
<div>Thank you,</div>
<div>~Vj</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 29, 2015 at 12:25 PM, Evan
Rempel <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>You could use a second interface on the syslog
servers and configure the solaris servers to use this
alternate IP address.<br>
You could also use a different port.<br>
Then you could tag the source with "solaris" and then
use the tag filtering to separate those messages out of
the mix.<br>
<br>
Just my $0.02
<div>
<div class="h5"><br>
<br>
On 10/29/2015 12:22 PM, vijay amruth wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Thank you for the reply Balazs.
<div><br>
</div>
<div>Can we use filter functions like this below ?</div>
<div><br>
</div>
<div>
<div>filter f_solaris {</div>
<div> host('uname == solaris') }</div>
</div>
<div><br>
</div>
<div>My idea is to identify solaris servers.</div>
<div><br>
</div>
<div>Thanks all,</div>
<div>~Vj</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 29, 2015 at
12:59 AM, Balazs Scheidler <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:bazsi77@gmail.com"
target="_blank">bazsi77@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<p dir="ltr">Well, probably the only sensible
way is to filter based on IP addresses.<br>
</p>
<div class="gmail_quote">
<div>
<div>On Oct 29, 2015 6:09 AM, "vijay
amruth" &lt;<a moz-do-not-send="true"
href="mailto:vijayamruth@gmail.com"
target="_blank">vijayamruth@gmail.com</a>&gt;
wrote:<br type="attribution">
</div>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr"><span
style="font-size:12.8px">Hello
All,</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">We are
drawing logs from several hosts
which include solaris(10,11) ,
linux (centos, ubuntu, rhel) into
syslog servers, I want to be able
to separate solaris logs, is there
any pattern we can match for
solaris logs that you may know ?
<div><br>
</div>
<div>
<div dir="ltr">Thanks,
<div>Vijay Amrut.</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a moz-do-not-send="true"
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div>Thanks,
<div>Vijay Amrut.</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>Thanks,
<div>Vijay Amrut.</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="500">--
Evan Rempel <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
</pre>
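<div>An added example, not part of the thread or of any poster's own configuration: option #2 from the reply written out as a loadable syslog-ng.conf, with the IP-based filter Balazs suggests and a hostname regex shown as alternative filters. The version line, addresses, ports, subnet, file paths and the "^sol" hostname pattern are constructed placeholders.</div>
<pre>
```conf
@version: 3.7
# Added example. Addresses, ports, subnet, paths and the hostname
# pattern are constructed placeholders, not values from the thread.

source s_all_syslog {
    # Listener the existing (Linux) hosts keep using.
    tcp(localip(192.0.2.10) port(514) tags("regular_syslog"));
    # Second IP:port that only the Solaris hosts are configured to send to.
    tcp(localip(192.0.2.11) port(1514) tags("solaris_syslog"));
};

destination d_solaris_syslog      { file("/var/log/remote/solaris.log"); };
destination d_regular_destination { file("/var/log/remote/regular.log"); };

# A: the tag set by the receiving listener (option #2 in the reply).
filter f_solaris_tag  { tags("solaris_syslog"); };
# B: the sender's IP address; needs no second listener, but the Solaris
#    hosts must sit in a known subnet or be listed one by one.
filter f_solaris_ip   { netmask("198.51.100.0/24"); };
# C: a regex on the HOST field; only usable if Solaris hostnames follow a
#    naming convention, since the field carries no OS information.
filter f_solaris_host { host("^sol"); };

log {
    source(s_all_syslog);
    # Swap in f_solaris_ip or f_solaris_host to try the other variants.
    log { filter(f_solaris_tag); destination(d_solaris_syslog); flags(final); };
    log { destination(d_regular_destination); };
};
```
</pre>
<div>Running syslog-ng with --syntax-only and --cfgfile pointing at the file checks it without starting the daemon.</div>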
</body>
</html>