<div dir="ltr">Thank you Evan.<div><br></div><div>Right now, we add a Solaris server every time we spin one,</div><div><br></div><div>it&#39;s like this,</div><div><br></div><div><div>filter f_solaris {</div><div>        host(&#39;x.x.x.x&#39;) or host(&#39;x.x.x.2&#39;) or</div><div>        host(&#39;x.x.x.3&#39;) or host(&#39;x.x.x.4&#39;) or</div></div><div>        host(&#39;hostname1&#39;) or host(&#39;hostname2&#39;);</div><div>        };</div><div><br></div><div>So every time we spin a server we just go and add it manually to the config file, either with its host name or the IP.</div><div>I want to be able to automate with filter functions and/or regex so that I don&#39;t have to add manually to the config file on the server every time.</div><div>There is a similar config for Linux hosts too.<br></div><div><br></div><div>Hope I am clear. Appreciate you taking your time out for this.</div><div><br></div><div>~Vj</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <span dir="ltr">&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>The syslog server has to listen on the
      ipaddress:port combination.<br>
      The solaris hosts need to syslog to the new ipaddress:port
      combination.<br>
      <br>
      Since I don&#39;t know how you are processing your log lines in your
      syslog-ng configuration it is difficult to provide a lot of
      guidance, but here are a couple of examples.<br>
      <br>
      ---- option #1<br>
      Using a completely different source. - you must fill in the IP
      addresses and port numbers<br>
      <br>
      source s_regular_syslog {<br>
              tcp(localip(regularIP) port(regularPort)
      max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
      tags(&quot;regular_syslog&quot;) );<br>
              };<br>
      <br>
      source s_solaris_syslog {<br>
              tcp(localip(solarisIP) port(solarisPort)
      max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
      tags(&quot;solaris_syslog&quot;) );<br>
              };<br>
      <br>
      <br>
      log { source(s_regular_syslog);
      destination(d_regular_destination); };<br>
      log { source(s_solaris_syslog); destination(d_solaris_syslog); };<br>
      <br>
      <br>
      ---- option #2<br>
      Using a tagged source. - you must fill in the IP addresses and
      port numbers<br>
      <br>
      source s_all_syslog {<br>
              tcp(localip(regularIP) port(regularPort)
      max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
      tags(&quot;regular_syslog&quot;) );<br>
              tcp(localip(solarisIP) port(solarisPort)
      max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
      tags(&quot;solaris_syslog&quot;) );<br>
              };<br>
      <br>
      filter f_solaris { tags(&quot;solaris_syslog&quot;); };<br>
      <br>
      log {<br>
          source(s_all_syslog);<br>
          log { filter(f_solaris); destination(d_solaris_syslog);
      flags(final); };<br>
         
      log { destination(d_regular_destination); };<br>
      };<br>
      <br>
      <br>
      <br>
      I hope that gives you the basics of what is needed.<div><div class="h5"><br>
      <br>
      On 10/29/2015 12:41 PM, vijay amruth wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      
      <div dir="ltr">Thank you Evan, great idea!
        <div>Can we achieve this with regex on syslog-ng.conf file on
          the server side?</div>
        <div><br>
        </div>
        <div>Thank you,</div>
        <div>~Vj</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Oct 29, 2015 at 12:25 PM, Evan
          Rempel <span dir="ltr">&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>You could use a second interface on the syslog
                servers and configure the solaris servers to use this
                alternate IP address.<br>
                You could also use a different port.<br>
                Then you could tag the source with &quot;solaris&quot; and then
                use the tag filtering to separate those messages out of
                the mix.<br>
                <br>
                Just my $0.02
                <div>
                  <div><br>
                    <br>
                    On 10/29/2015 12:22 PM, vijay amruth wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">Thank you for the reply Balazs.
                      <div><br>
                      </div>
                      <div>Can we use filter functions like this below ?</div>
                      <div><br>
                      </div>
                      <div>
                        <div>filter f_solaris {</div>
                        <div>        host(&#39;uname == solaris&#39;) }</div>
                      </div>
                      <div><br>
                      </div>
                      <div>My idea is to identify solaris servers.</div>
                      <div><br>
                      </div>
                      <div>Thanks all,</div>
                      <div>~Vj</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Oct 29, 2015 at
                        12:59 AM, Balazs Scheidler <span dir="ltr">&lt;<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <p dir="ltr">Well, probably the only sensible
                            way is to filter based on IP addresses.<br>
                          </p>
                          <div class="gmail_quote">
                            <div>
                              <div>On Oct 29, 2015 6:09 AM, &quot;vijay
                                amruth&quot; &lt;<a href="mailto:vijayamruth@gmail.com" target="_blank">vijayamruth@gmail.com</a>&gt;

                                wrote:<br type="attribution">
                              </div>
                            </div>
                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                              <div>
                                <div>
                                  <div dir="ltr"><span style="font-size:12.8px">Hello
                                      All,</span>
                                    <div style="font-size:12.8px"><br>
                                    </div>
                                    <div style="font-size:12.8px">We are
                                      drawing logs from several hosts
                                      which include solaris(10,11) ,
                                      linux (centos, ubuntu, rhel) into
                                      syslog servers, I want to be able
                                      to separate solaris logs, is there
                                      any pattern we can match for
                                      solaris logs that you may know ?
                                      <div><br>
                                      </div>
                                      <div>
                                        <div dir="ltr">Thanks,
                                          <div>Vijay Amrut.</div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                </div>
                              </div>
______________________________________________________________________________<br>
                              Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
                              Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
                              FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
                              <br>
                              <br>
                            </blockquote>
                          </div>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">
                          <div>Thanks,
                            <div>Vijay Amrut.</div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>
          <div dir="ltr">
            <div>Thanks,
              <div>Vijay Amrut.</div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
    </blockquote>
    <br>
    <br>
    </div></div><span class="HOEnZb"><font color="#888888"><pre cols="500">-- 
Evan Rempel                                      <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a href="tel:250.721.7691" value="+12507217691" target="_blank">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
  </font></span></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Thanks,<div>Vijay Amrut.</div></div></div></div>
</div>
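One way to stop editing f_solaris for every new host, shown as an added example that is not part of the thread: match on the sender's subnet with netmask(), or keep the host list in a separate file read by in-list(), and route with the same nested log path as option #2 above. The port, subnet, list path and log file paths are assumptions; the destination names follow Evan's examples.

```conf
# Added example, not from the thread. The port, subnet and all paths are
# placeholders chosen for illustration.

source s_all_syslog {
    tcp(port(514) max_connections(5000));
};

# Variant A: match the address the connection came from. One line covers
# every Solaris host provisioned inside the subnet (IPv4 only).
filter f_solaris_net {
    netmask("192.0.2.0/255.255.255.0");
};

# Variant B: match $HOST against a list file with one entry per line.
# Provisioning appends a line to the file; syslog-ng.conf stays unchanged.
# The list is read when the configuration is loaded, so reload syslog-ng
# after editing it. With keep_hostname(yes), $HOST is whatever the sender
# wrote into the message, so use variant A when the split must not depend
# on sender-supplied data.
filter f_solaris_list {
    in-list("/etc/syslog-ng/solaris-hosts.list", value("HOST"));
};

destination d_solaris_syslog      { file("/var/log/remote/solaris.log"); };
destination d_regular_destination { file("/var/log/remote/other.log"); };

log {
    source(s_all_syslog);
    # Solaris traffic is delivered here and stops; swap in f_solaris_list
    # to use the file-backed variant instead.
    log { filter(f_solaris_net); destination(d_solaris_syslog); flags(final); };
    # Everything that did not match falls through to the regular destination.
    log { destination(d_regular_destination); };
};
```

Run `syslog-ng --syntax-only` against the edited file before reloading so a typo does not stop log collection.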