<div dir="ltr">@Evan, Right now we are just adding the hosts manually to the syslog file if there is a way by which I don&#39;t need to add the hosts manually to the file.<div><br></div><div>~Vijay</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 29, 2015 at 5:54 PM, Evan Rempel <span dir="ltr">&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Before I get too deep into how this is
      done, can I ask why you want to<br>
      separate your logs for solaris and linux?<div><div class="h5"><br>
      <br>
      <br>
      On 10/29/2015 01:06 PM, vijay amruth wrote:<br>
    </div></div></div>
    <blockquote type="cite"><div><div class="h5">
      
      <div dir="ltr">Thank you Evan.
        <div><br>
        </div>
        <div>Right now, we add a solaris server every time we spin one,</div>
        <div><br>
        </div>
        <div>it&#39;s like this,</div>
        <div><br>
        </div>
        <div>
          <div>filter f_solaris {</div>
          <div>        host(&#39;x.x.x.x&#39;) or host(&#39;x.x.x.2&#39;) or</div>
          <div>        host(&#39;x.x.x.3&#39;) or host(&#39;x.x.x.4&#39;) or</div>
        </div>
        <div>        host(&#39;hostname1&#39;) or host(&#39;hostname2&#39;);</div>
        <div>        };</div>
        <div><br>
        </div>
        <div>So every time we spin a server we just go and add it
          manually to the config file, either with its host name or the
          ip.</div>
        <div>I want to be able to automate with filter functions and/or
          regex so that I don&#39;t have to add manually to the config file
          on the server every time.</div>
        <div>There is a similar config for linux hosts too<br>
        </div>
        <div><br>
        </div>
        <div>Hope I am clear. Appreciate you taking your time out for
          this.</div>
        <div><br>
        </div>
        <div>~Vj</div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Oct 29, 2015 at 12:51 PM, Evan
          Rempel <span dir="ltr">&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>The syslog server has to listen on the ipaddress:port
                combination.<br>
                The solaris hosts need to syslog to the new
                ipaddress:port combination.<br>
                <br>
                Since I don&#39;t know how you are processing your log lines
                in your syslog-ng configuration it is difficult to
                provide a lot of guidance, but here are a couple of
                examples.<br>
                <br>
                ---- option #1<br>
                Using a completely different source. - you must fill in
                the IP addresses and port numbers<br>
                <br>
                source s_regular_syslog {<br>
                        tcp(localip(regularIP) port(regularPort)
                max_connections(5000) log_fetch_limit(20000)
                log_iw_size(1000000) tags(&quot;regular_syslog&quot;) );<br>
                        };<br>
                <br>
                source s_solaris_syslog {<br>
                        tcp(localip(solarisIP) port(solarisPort)
                max_connections(5000) log_fetch_limit(20000)
                log_iw_size(1000000) tags(&quot;solaris_syslog&quot;) );<br>
                        };<br>
                <br>
                <br>
                log { source(s_regular_syslog);
                destination(d_regular_destination); };<br>
                log { source(s_solaris_syslog);
                destination(d_solaris_syslog); };<br>
                <br>
                <br>
                ---- option #2<br>
                Using a tagged source. - you must fill in the IP
                addresses and port numbers<br>
                <br>
                source s_all_syslog {<br>
                        tcp(localip(regularIP) port(regularPort)
                max_connections(5000) log_fetch_limit(20000)
                log_iw_size(1000000) tags(&quot;regular_syslog&quot;) );<br>
                        tcp(localip(solarisIP) port(solarisPort)
                max_connections(5000) log_fetch_limit(20000)
                log_iw_size(1000000) tags(&quot;solaris_syslog&quot;) );<br>
                        };<br>
                <br>
                filter f_solaris { tags(&quot;solaris_syslog&quot;); };<br>
                <br>
                log {<br>
                    source(s_all_syslog);<br>
                    log { filter(f_solaris);
                destination(d_solaris_syslog); flags(final); };<br>
                    log { destination(d_regular_destination); };<br>
                };<br>
                <br>
                <br>
                <br>
                I hope that gives you the basics of what is needed.
                <div>
                  <div><br>
                    <br>
                    On 10/29/2015 12:41 PM, vijay amruth wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">Thank you Evan, great idea!
                      <div>Can we achieve this with regex on
                        syslog-ng.conf file on the server side?</div>
                      <div><br>
                      </div>
                      <div>Thank you,</div>
                      <div>~Vj</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Oct 29, 2015 at
                        12:25 PM, Evan Rempel <span dir="ltr">&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div>You could use a second interface on the
                              syslog servers and configure the solaris
                              servers to use this alternate IP address.<br>
                              You could also use a different port.<br>
                              Then you could tag the source with
                              &quot;solaris&quot; and then use the tag filtering
                              to separate those messages out of the mix.<br>
                              <br>
                              Just my $0.02
                              <div>
                                <div><br>
                                  <br>
                                  On 10/29/2015 12:22 PM, vijay amruth
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div>
                                <blockquote type="cite">
                                  <div dir="ltr">Thank you for the reply
                                    Balazs.
                                    <div><br>
                                    </div>
                                    <div>Can we use filter functions
                                      like this below ?</div>
                                    <div><br>
                                    </div>
                                    <div>
                                      <div>filter f_solaris {</div>
                                      <div>        host(&#39;uname ==
                                        solaris&#39;) }</div>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>My idea is to identify solaris
                                      servers.</div>
                                    <div><br>
                                    </div>
                                    <div>Thanks all,</div>
                                    <div>~Vj</div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Thu, Oct
                                      29, 2015 at 12:59 AM, Balazs
                                      Scheidler <span dir="ltr">&lt;<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <p dir="ltr">Well, probably the
                                          only sensible way is to filter
                                          based on IP addresses.<br>
                                        </p>
                                        <div class="gmail_quote">
                                          <div>
                                            <div>On Oct 29, 2015 6:09
                                              AM, &quot;vijay amruth&quot; &lt;<a href="mailto:vijayamruth@gmail.com" target="_blank">vijayamruth@gmail.com</a>&gt;


                                              wrote:<br type="attribution">
                                            </div>
                                          </div>
                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                            <div>
                                              <div>
                                                <div dir="ltr"><span style="font-size:12.8px">Hello

                                                    All,</span>
                                                  <div style="font-size:12.8px"><br>
                                                  </div>
                                                  <div style="font-size:12.8px">We
                                                    are drawing logs
                                                    from several hosts
                                                    which include
                                                    solaris(10,11) ,
                                                    linux (centos,
                                                    ubuntu, rhel) into
                                                    syslog servers, I
                                                    want to be able to
                                                    separate solaris
                                                    logs, is there any
                                                    pattern we can match
                                                    for solaris logs
                                                    that you may know ?
                                                    <div><br>
                                                    </div>
                                                    <div>
                                                      <div dir="ltr">Thanks,

                                                        <div>Vijay
                                                          Amrut.</div>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                                <br>
                                              </div>
                                            </div>
______________________________________________________________________________<br>
                                            Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
                                            Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
                                            FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
                                            <br>
                                            <br>
                                          </blockquote>
                                        </div>
                                        <br>
                                        <br>
                                        <br>
                                      </blockquote>
                                    </div>
                                    <br>
                                    <br clear="all">
                                    <div><br>
                                    </div>
                                    -- <br>
                                    <div>
                                      <div dir="ltr">
                                        <div>Thanks,
                                          <div>Vijay Amrut.</div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                  <fieldset></fieldset>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                          <br>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">
                          <div>Thanks,
                            <div>Vijay Amrut.</div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
              <span><font color="#888888">
                  <pre cols="500">-- 
Evan Rempel                                      <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a href="tel:250.721.7691" value="+12507217691" target="_blank">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
                </font></span></div>
            <br>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>
          <div dir="ltr">
            <div>Thanks,
              <div>Vijay Amrut.</div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div>
    </blockquote>
    <br>
  </div>

<br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Thanks,<div>Vijay Amrut.</div></div></div></div>
</div>