<div dir="ltr">Thank you Evan, I just recommended that option.<div>I'll keep you posted.</div><div><br></div><div>~Vj</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 2, 2015 at 2:36 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>If all of the Solaris hosts log to a different port or IP address, then there is no need to place hosts into the syslog configuration file.<br>
Every log message sent to the special IP/port is assumed to be from a Solaris host. Then you just store them into a destination of your choosing.<br>
<br>
Evan.<div><div class="h5"><br>
<br>
On 11/02/2015 02:18 PM, vijay amruth wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">@Evan, right now we are just adding the hosts manually to the syslog file. Is there a way by which I don't need to add the hosts manually to the file?
<div><br>
</div>
<div>~Vijay</div>
</div>
</div></div><div class="gmail_extra"><div><div class="h5"><br>
<div class="gmail_quote">On Thu, Oct 29, 2015 at 5:54 PM, Evan
Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Before I get too deep into how this is done, can I ask why you want to<br>
separate your logs for Solaris and Linux?
<div>
<div><br>
<br>
<br>
On 10/29/2015 01:06 PM, vijay amruth wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Thank you Evan.
<div><br>
</div>
<div>Right now, we add a Solaris server every time we spin one up.</div>
<div><br>
</div>
<div>It's like this:</div>
<div><br>
</div>
<pre>filter f_solaris {
    host('x.x.x.x') or host('x.x.x.2') or
    host('x.x.x.3') or host('x.x.x.4') or
    host('hostname1') or host('hostname2');
};</pre>
<div><br>
</div>
<div>So every time we spin up a server we just go and add it manually to the config file, either with its host name or its IP.</div>
<div>I want to be able to automate this with filter functions and/or regex so that I don't have to add hosts manually to the config file on the server every time.</div>
<div>There is a similar config for Linux hosts too.<br>
</div>
<div><br>
</div>
<div>Hope I am clear. Appreciate you taking your
time out for this.</div>
<div><br>
</div>
<div>~Vj</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 29, 2015 at
12:51 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>The syslog server has to listen on the IP address:port combination.<br>
The Solaris hosts need to syslog to the new IP address:port combination.<br>
<br>
Since I don't know how you are processing
your log lines in your syslog-ng
configuration it is difficult to provide a
lot of guidance, but here are a couple of
examples.<br>
<br>
---- option #1<br>
Using a completely different source. You must fill in the IP addresses and port numbers.<br>
<pre>source s_regular_syslog {
    tcp(localip(regularIP) port(regularPort)
        max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
        tags("regular_syslog") );
};

source s_solaris_syslog {
    tcp(localip(solarisIP) port(solarisPort)
        max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
        tags("solaris_syslog") );
};

log { source(s_regular_syslog); destination(d_regular_destination); };
log { source(s_solaris_syslog); destination(d_solaris_syslog); };</pre>
<br>
---- option #2<br>
Using a tagged source. You must fill in the IP addresses and port numbers.<br>
<pre>source s_all_syslog {
    tcp(localip(regularIP) port(regularPort)
        max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
        tags("regular_syslog") );
    tcp(localip(solarisIP) port(solarisPort)
        max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
        tags("solaris_syslog") );
};

filter f_solaris { tags("solaris_syslog"); };

log {
    source(s_all_syslog);
    log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
    log { destination(d_regular_destination); };
};</pre>
<br>
<br>
<br>
I hope that gives you the basics of what
is needed.
<div>
<div><br>
<br>
On 10/29/2015 12:41 PM, vijay amruth
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Thank you Evan, great idea!
<div>Can we achieve this with regex in the syslog-ng.conf file on the server side?</div>
<div><br>
</div>
<div>Thank you,</div>
<div>~Vj</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct
29, 2015 at 12:25 PM, Evan Rempel
<span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>You could use a second interface on the syslog servers and configure the Solaris servers to use this alternate IP address.<br>
You could also use a different port.<br>
Then you could tag the source with "solaris" and use the tag filtering to separate those messages out of the mix.<br>
<br>
Just my $0.02
<div>
<div><br>
<br>
On 10/29/2015 12:22 PM,
vijay amruth wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Thank you for the reply Balazs.
<div><br>
</div>
<div>Can we use filter functions like this below?</div>
<div><br>
</div>
<pre>filter f_solaris {
    host('uname == solaris') }</pre>
<div><br>
</div>
<div>My idea is to
identify solaris
servers.</div>
<div><br>
</div>
<div>Thanks all,</div>
<div>~Vj</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Thu, Oct 29, 2015 at
12:59 AM, Balazs
Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Well,
probably the
only sensible
way is to filter
based on IP
addresses.<br>
</p>
<div class="gmail_quote">
<div>
<div>On Oct
29, 2015 6:09
AM, "vijay
amruth" <<a href="mailto:vijayamruth@gmail.com" target="_blank">vijayamruth@gmail.com</a>>
wrote:<br type="attribution">
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr"><span style="font-size:12.8px">Hello All,</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">We are drawing logs from several hosts, which include Solaris (10, 11) and Linux (CentOS, Ubuntu, RHEL), into syslog servers. I want to be able to separate the Solaris logs. Is there any pattern we can match for Solaris logs that you may know of?
<div><br>
</div>
<div>
<div dir="ltr">Thanks,
<div>Vijay
Amrut.</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</blockquote>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div>Thanks,
<div>Vijay
Amrut.</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div>Thanks,
<div>Vijay Amrut.</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div>Thanks,
<div>Vijay Amrut.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
<div>
<div dir="ltr">
<div>Thanks,
<div>Vijay Amrut.</div>
</div>
</div>
</div>
</font></span></div><span class="HOEnZb"><font color="#888888">
<br>
</font></span></blockquote>
<br>
</div>
<br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Thanks,<div>Vijay Amrut.</div></div></div></div>
</div>
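<p>Added example (not code from the thread, not syslog-ng itself): a small Python model of the two ways this thread routes Solaris logs, the hand-maintained <code>host('...')</code> list Vijay started with and the per-listener <code>tags("solaris_syslog")</code> source Evan suggested, run over the same constructed messages. The listener addresses, host names and log lines are made up for the example. It shows the failure mode behind the original question (a freshly provisioned Solaris host that nobody added to the list lands in the regular destination) and the caveat implicit in Evan's last reply: with the tag approach, anything that can reach the Solaris listener is classified as Solaris, so that IP/port should only be reachable from the Solaris hosts (firewall or ACL), since a mis-pointed or hostile sender is otherwise indistinguishable from a real one.</p>

```python
"""Python model (added for illustration; not syslog-ng code and not from the
thread) of the two ways the thread routes Solaris logs:

  (a) filter f_solaris { host('...') or host('...') ... }  -- a hand-kept list
  (b) tags("solaris_syslog") on the Solaris listener + filter f_solaris { tags(...) }

It feeds the same constructed messages through both and shows where each one
sends them.
"""
import re
from dataclasses import dataclass, field

# Assumed listener addresses, standing in for the regularIP:regularPort and
# solarisIP:solarisPort placeholders in Evan's config.
LISTENERS = {
    ("10.0.0.10", 514): "regular_syslog",
    ("10.0.0.11", 5514): "solaris_syslog",
}

# The hand-maintained list behind filter f_solaris { host('...') or ... }.
# sol02 has just been provisioned and nobody has added it yet.
KNOWN_SOLARIS_HOSTS = {"sol01"}

# BSD-syslog style line: <PRI>TIMESTAMP HOST PROGRAM[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Message:
    host: str                               # HOST field of the message (this model does no address resolution)
    program: str
    text: str
    tags: set = field(default_factory=set)  # set by the source the message arrived on


def receive(line: str, listener: tuple) -> Message:
    """Parse one line that arrived on a (localip, port) listener and tag it the
    way tags() on that syslog-ng source would."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    if listener not in LISTENERS:
        raise ValueError(f"no source listening on {listener}")
    return Message(m["host"], m["prog"], m["msg"], {LISTENERS[listener]})


def f_solaris_by_host(msg: Message) -> bool:
    """filter f_solaris { host('sol01') or ... }: matches the HOST field
    against the list, so every new host needs a config edit."""
    return msg.host in KNOWN_SOLARIS_HOSTS


def f_solaris_by_tag(msg: Message) -> bool:
    """filter f_solaris { tags("solaris_syslog"); }: decided by which listener
    the message came in on, not by anything in the message itself."""
    return "solaris_syslog" in msg.tags


def route(messages, f_solaris):
    """The nested log {} block of option #2: a match goes to d_solaris_syslog
    and stops there (flags(final)); everything else goes to
    d_regular_destination. Returns the HOST names delivered to each."""
    dests = {"d_solaris_syslog": [], "d_regular_destination": []}
    for msg in messages:
        if f_solaris(msg):
            dests["d_solaris_syslog"].append(msg.host)
            continue  # flags(final): the regular path never sees this message
        dests["d_regular_destination"].append(msg.host)
    return dests


# Constructed sample traffic (not real logs). web02 is a Linux box that was
# pointed at the Solaris listener by mistake.
SAMPLE = [
    ("<38>Nov  2 14:36:01 sol01 sshd[1234]: Accepted publickey for root from 10.1.1.5",
     ("10.0.0.11", 5514)),
    ("<38>Nov  2 14:36:02 sol02 sshd[2345]: Failed password for root from 10.1.1.9",
     ("10.0.0.11", 5514)),
    ("<86>Nov  2 14:36:03 web01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash",
     ("10.0.0.10", 514)),
    ("<86>Nov  2 14:36:04 web02 sudo: admin : TTY=pts/1 ; COMMAND=/usr/bin/id",
     ("10.0.0.11", 5514)),
]


def compare():
    """Route the sample through both filters and return the two outcomes."""
    msgs = [receive(line, listener) for line, listener in SAMPLE]
    return {
        "by_host": route(msgs, f_solaris_by_host),
        "by_tag": route(msgs, f_solaris_by_tag),
    }


if __name__ == "__main__":
    for strategy, dests in compare().items():
        print(strategy)
        for dest, hosts in dests.items():
            print(f"  {dest}: {hosts}")
```

<p>With the host list, <code>sol02</code> is misfiled under the regular destination until someone edits the config; with the listener tag it is classified correctly with no config change, but so is <code>web02</code>, which is exactly the "every message on that port is assumed to be Solaris" trust decision Evan describes, hence the network restriction on that listener. <code>route()</code> corresponds to the nested <code>log {}</code> blocks in option #2, and the <code>continue</code> is what <code>flags(final)</code> buys you: without it a tagged message would also be written to <code>d_regular_destination</code>.</p>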