<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">If all of the solaris hosts log to a
      different port or IP address, then there is no need to place hosts
      into the syslog configuration file.<br>
      Every log message sent to the special IP/port is assumed to be
      from a solaris host. Then you just store them into a destination
      of your choosing.<br>
      <br>
      Evan.<br>
      <br>
      On 11/02/2015 02:18 PM, vijay amruth wrote:<br>
    </div>
    <blockquote
cite="mid:CA+aSzCjezLf-tzdZ7jAqiQo0Bshao8puX9v7gNtMi=1RUBH1ng@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div dir="ltr">@Evan, Right now we are just adding the hosts
        manually to the syslog file; is there a way by which I don't
        need to add the hosts manually to the file?
        <div><br>
        </div>
        <div>~Vijay</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Oct 29, 2015 at 5:54 PM, Evan
          Rempel <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Before I get too deep into how this is done, can I
                ask why you want to<br>
                separate your logs for solaris and linux?
                <div>
                  <div class="h5"><br>
                    <br>
                    <br>
                    On 10/29/2015 01:06 PM, vijay amruth wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">Thank you Evan.
                      <div><br>
                      </div>
                      <div>Right now, we add a solaris server every time
                        we spin one,</div>
                      <div><br>
                      </div>
                      <div>it's like this,</div>
                      <div><br>
                      </div>
                      <div>
                        <div>filter f_solaris {</div>
                        <div>        host('x.x.x.x') or host('x.x.x.2')
                          or</div>
                        <div>        host('x.x.x.3') or host('x.x.x.4')
                          or</div>
                      </div>
                      <div>        host('hostname1') or host('hostname2');</div>
                      <div>        };</div>
                      <div><br>
                      </div>
                      <div>So every time we spin a server we just go and
                        add it manually to the config file, either with
                        its host name or the IP.</div>
                      <div>I want to be able to automate with filter
                        functions and/or regex so that I don't have to
                        add manually to the config file on the server
                        every time.</div>
                      <div>There is a similar config for linux hosts too<br>
                      </div>
                      <div><br>
                      </div>
                      <div>Hope I am clear. Appreciate you taking your
                        time out for this.</div>
                      <div><br>
                      </div>
                      <div>~Vj</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Oct 29, 2015 at
                        12:51 PM, Evan Rempel <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:erempel@uvic.ca"
                            target="_blank">erempel@uvic.ca</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div>The syslog server has to listen on the
                              ipaddress:port combination.<br>
                              The solaris hosts need to syslog to the
                              new ipaddress:port combination.<br>
                              <br>
                              Since I don't know how you are processing
                              your log lines in your syslog-ng
                              configuration it is difficult to provide a
                              lot of guidance, but here are a couple of
                              examples.<br>
                              <br>
                              ---- option #1<br>
                              Using a completely different source. - you
                              must fill in the IP addresses and port
                              numbers<br>
                              <br>
                              source s_regular_syslog {<br>
                                      tcp(localip(regularIP)
                              port(regularPort) max_connections(5000)
                              log_fetch_limit(20000)
                              log_iw_size(1000000)
                              tags("regular_syslog") );<br>
                                      };<br>
                              <br>
                              source s_solaris_syslog {<br>
                                      tcp(localip(solarisIP)
                              port(solarisPort) max_connections(5000)
                              log_fetch_limit(20000)
                              log_iw_size(1000000)
                              tags("solaris_syslog") );<br>
                                      };<br>
                              <br>
                              <br>
                              log { source(s_regular_syslog);
                              destination(d_regular_destination); };<br>
                              log { source(s_solaris_syslog);
                              destination(d_solaris_syslog); };<br>
                              <br>
                              <br>
                              ---- option #2<br>
                              Using a tagged source. - you must fill in
                              the IP addresses and port numbers<br>
                              <br>
                              source s_all_syslog {<br>
                                      tcp(localip(regularIP)
                              port(regularPort) max_connections(5000)
                              log_fetch_limit(20000)
                              log_iw_size(1000000)
                              tags("regular_syslog") );<br>
                                      tcp(localip(solarisIP)
                              port(solarisPort) max_connections(5000)
                              log_fetch_limit(20000)
                              log_iw_size(1000000)
                              tags("solaris_syslog") );<br>
                                      };<br>
                              <br>
                              filter f_solaris { tags("solaris_syslog");
                              };<br>
                              <br>
                              log {<br>
                                  source(s_all_syslog);<br>
                                  log { filter(f_solaris);
                              destination(d_solaris_syslog);
                              flags(final); };<br>
                                  log {
                              destination(d_regular_destination); };<br>
                              };<br>
                              <br>
                              <br>
                              <br>
                              I hope that gives you the basics of what
                              is needed.
                              <div>
                                <div><br>
                                  <br>
                                  On 10/29/2015 12:41 PM, vijay amruth
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div>
                                <blockquote type="cite">
                                  <div dir="ltr">Thank you Evan, great
                                    idea!
                                    <div>Can we achieve this with regex
                                      on syslog-ng.conf file on the
                                      server side?</div>
                                    <div><br>
                                    </div>
                                    <div>Thank you,</div>
                                    <div>~Vj</div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Thu, Oct
                                      29, 2015 at 12:25 PM, Evan Rempel
                                      <span dir="ltr">&lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:erempel@uvic.ca"
                                          target="_blank">erempel@uvic.ca</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div bgcolor="#FFFFFF"
                                          text="#000000">
                                          <div>You could use a second
                                            interface on the syslog
                                            servers and configure the
                                            solaris servers to use this
                                            alternate IP address.<br>
                                            You could also use a
                                            different port.<br>
                                            Then you could tag the
                                            source with "solaris" and
                                            then use the tag filtering
                                            to separate those messages
                                            out of the mix.<br>
                                            <br>
                                            Just my $0.02
                                            <div>
                                              <div><br>
                                                <br>
                                                On 10/29/2015 12:22 PM,
                                                vijay amruth wrote:<br>
                                              </div>
                                            </div>
                                          </div>
                                          <div>
                                            <div>
                                              <blockquote type="cite">
                                                <div dir="ltr">Thank you
                                                  for the reply Balazs.
                                                  <div><br>
                                                  </div>
                                                  <div>Can we use filter
                                                    functions like this
                                                    below ?</div>
                                                  <div><br>
                                                  </div>
                                                  <div>
                                                    <div>filter
                                                      f_solaris {</div>
                                                    <div>       
                                                      host('uname ==
                                                      solaris') }</div>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>My idea is to
                                                    identify solaris
                                                    servers.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Thanks all,</div>
                                                  <div>~Vj</div>
                                                </div>
                                                <div class="gmail_extra"><br>
                                                  <div
                                                    class="gmail_quote">On
                                                    Thu, Oct 29, 2015 at
                                                    12:59 AM, Balazs
                                                    Scheidler <span
                                                      dir="ltr">&lt;<a
                                                        moz-do-not-send="true"
href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>&gt;</span>
                                                    wrote:<br>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      <p dir="ltr">Well,
                                                        probably the
                                                        only sensible
                                                        way is to filter
                                                        based on IP
                                                        addresses.<br>
                                                      </p>
                                                      <div
                                                        class="gmail_quote">
                                                        <div>
                                                          <div>On Oct
                                                          29, 2015 6:09
                                                          AM, "vijay
                                                          amruth" &lt;<a
moz-do-not-send="true" href="mailto:vijayamruth@gmail.com"
                                                          target="_blank">vijayamruth@gmail.com</a>&gt;
                                                          wrote:<br
                                                          type="attribution">
                                                          </div>
                                                        </div>
                                                        <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr"><span
style="font-size:12.8px">Hello All,</span>
                                                          <div
                                                          style="font-size:12.8px"><br>
                                                          </div>
                                                          <div
                                                          style="font-size:12.8px">We
                                                          are drawing logs from several hosts,
                                                          which include Solaris (10, 11),
                                                          Linux (CentOS, Ubuntu, RHEL), into
                                                          syslog servers. I want to be able to
                                                          separate Solaris logs; is there any
                                                          pattern we can match for Solaris logs
                                                          that you may know?
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div dir="ltr">Thanks,


                                                          <div>Vijay
                                                          Amrut.</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
______________________________________________________________________________<br>
                                                          Member info: <a
moz-do-not-send="true"
                                                          href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
                                                          Documentation:
                                                          <a
                                                          moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
                                                          target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
                                                          FAQ: <a
                                                          moz-do-not-send="true"
href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
                                                          <br>
                                                          <br>
                                                        </blockquote>
                                                      </div>
                                                      <br>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                  <br clear="all">
                                                  <div><br>
                                                  </div>
                                                  -- <br>
                                                  <div>
                                                    <div dir="ltr">
                                                      <div>Thanks,
                                                        <div>Vijay
                                                          Amrut.</div>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                                <br>
                                                <fieldset></fieldset>
                                              </blockquote>
                                              <br>
                                            </div>
                                          </div>
                                        </div>
                                        <br>
                                      </blockquote>
                                    </div>
                                    <br>
                                    <br clear="all">
                                    <div><br>
                                    </div>
                                    -- <br>
                                    <div>
                                      <div dir="ltr">
                                        <div>Thanks,
                                          <div>Vijay Amrut.</div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                  <fieldset></fieldset>
                                  <br>
                                </blockquote>
                                <br>
                                <br>
                              </div>
                            </div>
                          </div>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">
                          <div>Thanks,
                            <div>Vijay Amrut.<br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </blockquote>
            </div>
          </blockquote>
        </div>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">
          <div dir="ltr">
            <div>Thanks,
              <div>Vijay Amrut.</div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
    </blockquote>
    <br>
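    <p>Evan's option #1 carried through to a complete configuration, as
      an added example that is not part of the original thread: it
      defines the two destinations the thread only names and files each
      message under ${HOST}, so a newly built sender needs no
      configuration change. The @version value, the 192.0.2.x
      addresses, port 514 and the /var/log/remote paths are assumptions
      to be replaced with local values.</p>
    <pre>
```conf
@version: 3.7
# Added example, not from the thread. The version line, addresses, port and
# paths below are placeholders (assumptions); substitute local values.

options {
    # Take HOST from the address the message arrived from, not from the
    # hostname the message claims, because HOST is used in file paths below.
    keep_hostname(no);
};

# Listener for Linux and other senders on the server's regular address.
source s_regular_syslog {
    tcp(localip(192.0.2.10) port(514) max_connections(5000)
        tags("regular_syslog"));
};

# Listener on the second address that only Solaris hosts are pointed at.
source s_solaris_syslog {
    tcp(localip(192.0.2.11) port(514) max_connections(5000)
        tags("solaris_syslog"));
};

# ${HOST} expands per message, so each sender gets its own file without
# a host() filter entry being added for it.
destination d_regular_destination {
    file("/var/log/remote/linux/${HOST}.log" create_dirs(yes));
};

destination d_solaris_syslog {
    file("/var/log/remote/solaris/${HOST}.log" create_dirs(yes));
};

log { source(s_regular_syslog); destination(d_regular_destination); };
log { source(s_solaris_syslog); destination(d_solaris_syslog); };
```
    </pre>
    <p>Classification here rests only on which listener received the
      message, so restrict at the firewall which networks can reach the
      Solaris listener.</p>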
  </body>
</html>