<div dir="ltr"><div><div><div><div><div>I am not sure I understand your usecase, and question. $HOST is populated based on the host field within the message and senders are free to set that to whatever they please.<br><br></div>If that field is missing (which it might), syslog-ng fills that based on the sender IP address.<br><br></div>There are alternative macros (such as $SOURCEIP), which is the actual IP of the datagram received by syslog-ng. But you can also play with $HOST related syslog-ng options such as keep-hostname().<br><br></div>Could you try to rephrase your question?<br></div>Thanks<br></div>Bazsi<br><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Wed, Jul 27, 2016 at 6:20 PM, Hollósi Botond <span dir="ltr"><<a href="mailto:bhollosi@opennet.hu" target="_blank">bhollosi@opennet.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p><br>
</p>
<p>We would like to monitor all hosts that are behind different
NATs. <br>
</p>
<p>The main goal every host's log (comes over the NAT) go to
separate log file. So every log file will contain only one host's
log messages.</p>
<p><br>
</p>
<p>The <b>idea</b> is to <b>separate</b> the log messages <b>based
on </b>IP <b>packet</b> parameters, '<b>date</b>' and <b>'source
Public IP address </b>(NAT address)' and '<b>destination UDP
port</b>'.<br>
</p>
<br>
<b>Problem</b>, it seems the hosts log messages <b>mixed</b> with
each other in the final log files.<br>
<br>
For example in this :<br>
/var/log/remote_log/07/27/<b>37.220.128.16</b>/100/local0.log<br>
and this<br>
/var/log/remote_log/07/27/<b>89.135.48.161</b>/100/local0.log<br>
also contains messages comes from the host 100 behind the IP <b>94.21.180.56
</b>(it is sure because some rows from log contains host identifier,
but not all rows contains it sadly)<br>
<br>
but only this should contain the message, because a the host behind
this public IP <b>94.21.180.56</b><br>
/var/log/remote_log/07/27/<b>94.21.180.56</b>/100/local0.log<br>
<br>
Does capable config below to handle this purpose, or i
miss-configure something?<br>
<br>
<br>
<br>
OS:<br>
Debian 8 latest<br>
3.2.0-4-amd64 #1 SMP Debian 3.2.81-1 x86_64 GNU/Linux<br>
<br>
Version:<br>
Syslog-ng install with apt-get install from
<a href="http://httpredir.debian.org/debian" target="_blank">http://httpredir.debian.org/debian</a> this repo. And version
syslog-ng-core 3.5.6-2+b1 <br>
<br>
The installed config untached, but i make an additional config file
in the<b> /etc/syslog-ng/conf.d/remote.con</b>f with this <b>content</b>.<br>
<br>
source s_net_0 { network( ip(0.0.0.0) port(600) transport(udp)); };<br>
source s_net_1 { network( ip(0.0.0.0) port(601) transport(udp)); };<br>
source s_net_2 { network( ip(0.0.0.0) port(602) transport(udp)); };<br>
source s_net_3 { network( ip(0.0.0.0) port(603) transport(udp)); };<br>
source s_net_4 { network( ip(0.0.0.0) port(604) transport(udp)); };<br>
source s_net_5 { network( ip(0.0.0.0) port(605) transport(udp)); };<br>
source s_net_6 { network( ip(0.0.0.0) port(606) transport(udp)); };<br>
source s_net_7 { network( ip(0.0.0.0) port(607) transport(udp)); };<br>
source s_net_8 { network( ip(0.0.0.0) port(608) transport(udp)); };<br>
source s_net_9 { network( ip(0.0.0.0) port(609) transport(udp)); };<br>
source s_net_10 { network( ip(0.0.0.0) port(610) transport(udp)); };<br>
source s_net_11 { network( ip(0.0.0.0) port(611) transport(udp)); };<br>
source s_net_12 { network( ip(0.0.0.0) port(612) transport(udp)); };<br>
source s_net_13 { network( ip(0.0.0.0) port(613) transport(udp)); };<br>
source s_net_14 { network( ip(0.0.0.0) port(614) transport(udp)); };<br>
source s_net_15 { network( ip(0.0.0.0) port(615) transport(udp)); };<br>
source s_net_16 { network( ip(0.0.0.0) port(616) transport(udp)); };<br>
source s_net_17 { network( ip(0.0.0.0) port(617) transport(udp)); };<br>
source s_net_18 { network( ip(0.0.0.0) port(618) transport(udp)); };<br>
source s_net_19 { network( ip(0.0.0.0) port(619) transport(udp)); };<br>
source s_net_20 { network( ip(0.0.0.0) port(620) transport(udp)); };<br>
source s_net_21 { network( ip(0.0.0.0) port(621) transport(udp)); };<br>
source s_net_22 { network( ip(0.0.0.0) port(622) transport(udp)); };<br>
source s_net_23 { network( ip(0.0.0.0) port(623) transport(udp)); };<br>
<br>
destination d_file_0 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/100/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_1 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/101/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_2 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/102/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_3 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/103/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_4 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/104/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_5 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/105/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_6 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/106/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_7 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/107/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_8 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/108/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_9 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/109/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_10 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/110/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_11 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/111/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_12 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/112/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_13 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/113/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_14 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/114/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_15 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/115/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_16 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/116/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_17 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/117/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_18 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/118/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_19 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/119/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_20 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/120/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_21 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/121/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_22 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/122/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
destination d_file_23 {
file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/123/$FACILITY.log"
owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700));
};<br>
<br>
log { source(s_net_0); destination(d_file_0); };<br>
log { source(s_net_1); destination(d_file_1); };<br>
log { source(s_net_2); destination(d_file_2); };<br>
log { source(s_net_3); destination(d_file_3); };<br>
log { source(s_net_4); destination(d_file_4); };<br>
log { source(s_net_5); destination(d_file_5); };<br>
log { source(s_net_6); destination(d_file_6); };<br>
log { source(s_net_7); destination(d_file_7); };<br>
log { source(s_net_8); destination(d_file_8); };<br>
log { source(s_net_9); destination(d_file_9); };<br>
log { source(s_net_10); destination(d_file_10); };<br>
log { source(s_net_11); destination(d_file_11); };<br>
log { source(s_net_12); destination(d_file_12); };<br>
log { source(s_net_13); destination(d_file_13); };<br>
log { source(s_net_14); destination(d_file_14); };<br>
log { source(s_net_15); destination(d_file_15); };<br>
log { source(s_net_16); destination(d_file_16); };<br>
log { source(s_net_17); destination(d_file_17); };<br>
log { source(s_net_18); destination(d_file_18); };<br>
log { source(s_net_19); destination(d_file_19); };<br>
log { source(s_net_20); destination(d_file_20); };<br>
log { source(s_net_21); destination(d_file_21); };<br>
log { source(s_net_22); destination(d_file_22); };<br>
log { source(s_net_23); destination(d_file_23); };<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
<pre cols="72">--
Üdvözlettel:
Hollósi Botond
Opennetworks Kft.
Tel.: <a href="tel:06-1-9996000" value="+3619996000" target="_blank">06-1-9996000</a>
Mobil: <a href="tel:06-20-4362032" value="+36204362032" target="_blank">06-20-4362032</a></pre>
</font></span></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>