<div dir="ltr"><div><div><div><div><div><div>Hello Christian,<br><br></div>I just noticed that you seem to be using two network sources configured to use the same IP and port settings.<br></div>You should move the <span>src_MYAPP source to a different port, because the two are conflicting.<br></span></div><span>Furthermore, you could try removing the quotes from the </span><span>f_devenv_04net stanza. (Although I don't expect any significant changes in syslog-ng's behavior because of this.)<br><br></span></div><span>Which is the generic destination you were referring to earlier? Is it perhaps </span><span>d_MYAPP? (Or another one?)<br><br></span></div><span>Regards,<br></span></div><span>János<br></span><div><div><div><div><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-08-03 19:50 GMT+02:00 Christian Turner <span dir="ltr"><<a target="_blank" href="mailto:cturner@highroads.com">cturner@highroads.com</a>></span>:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
<div lang="EN-US">
<div>
<p class="gmail-MsoNormal"><a name="m_-7324745279193649848__MailEndCompose">@version: 3.2<u></u><u></u></a></p>
<p class="gmail-MsoNormal"><span>#Default configuration file for syslog-ng.<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span># For a description of syslog-ng configuration file directives, please read<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span># the syslog-ng Administrator's guide at:<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span># <a target="_blank" href="https://www.balabit.com/support/documentation">https://www.balabit.com/support/documentation</a><u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>@include "scl.conf"<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>options {<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> flush_lines (0);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> time_reopen (10);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> log_fifo_size (2048);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> chain_hostnames (off);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> use_dns (no);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> use_fqdn (no);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> create_dirs (yes);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> keep_hostname (no);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> stats_freq(86400);<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>};<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>source s_sys {<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> file ("/proc/kmsg" program_override("kernel: "));<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> unix-stream ("/dev/log");<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span> internal();<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>};<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>### MYAPP Dev Logs ###<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>## DEVENV ##<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>source src_devenv { udp(ip(0.0.0.0) port(514)); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>filter f_devenv_01ui { netmask(<a target="_blank" href="http://10.22.206.0/24">10.22.206.0/24</a>); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>filter f_devenv_02gw { netmask(<a target="_blank" href="http://10.22.207.0/24">10.22.207.0/24</a>); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>filter f_devenv_03api { netmask(<a target="_blank" href="http://10.22.208.0/24">10.22.208.0/24</a>); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>filter f_devenv_04net { netmask( "<a target="_blank" href="http://10.22.209.0/24">10.22.209.0/24</a>" ); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>filter f_devenv_05bat { netmask(<a target="_blank" href="http://10.22.210.0/24">10.22.210.0/24</a>); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_devenv_01ui { file("/mnt/syslogng/MYAPPlogs/DEVENV/01ui-$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_devenv_02gw { file("/mnt/syslogng/MYAPPlogs/DEVENV/02gw-$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_devenv_03api { file("/mnt/syslogng/MYAPPlogs/DEVENV/03api-$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_devenv_04net { file("/mnt/syslogng/MYAPPlogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_devenv_05bat { file("/mnt/syslogng/MYAPPlogs/DEVENV/05bat-$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(src_devenv); filter(f_devenv_01ui); destination(d_devenv_01ui); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(src_devenv); filter(f_devenv_02gw); destination(d_devenv_02gw); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(src_devenv); filter(f_devenv_03api); destination(d_devenv_03api); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(src_devenv); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(src_devenv); filter(f_devenv_05bat); destination(d_devenv_05bat); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>## MYAPP ALL ##<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>source src_MYAPP { udp(ip(0.0.0.0) port(514)); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_MYAPP { file("/mnt/syslogng/MYAPPlogs/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(src_MYAPP); destination(d_MYAPP); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>#source external { tcp(); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#source external { udp(); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_hosts { file("/home/syslog/$HOST/application.log" owner("syslog") group("syslog") perm(0600)); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>destination d_mesg { file("/var/log/messages"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_cons { file("/dev/console"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_auth { file("/var/log/secure"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_mail { file("/var/log/maillog" flush_lines(10)); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_spol { file("/var/log/spooler"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_boot { file("/var/log/boot.log"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_cron { file("/var/log/cron"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_kern { file("/var/log/kern"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_mlal { usertty("*"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#destination d_all { file("/var/log/splunk"); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span>log { source(s_sys); destination(d_mesg); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span>#log { source(external); destination(d_hosts); };<u></u><u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<p class="gmail-MsoNormal"><span><u></u> <u></u></span></p>
<span></span>
<div>
<div style="border-width:1pt medium medium;border-style:solid none none;border-color:rgb(225,225,225) -moz-use-text-color -moz-use-text-color;padding:3pt 0in 0in">
<p class="gmail-MsoNormal"><b>From:</b> Christian Turner <br>
<b>Sent:</b> Wednesday, August 3, 2016 11:53 AM<br>
<b>To:</b> '<a target="_blank" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>' &lt;<a target="_blank" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>&gt;<br>
<b>Subject:</b> RE: sylog-ng filters not working<u></u><u></u></p>
</div>
</div><span class="gmail-">
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal">Hi,<u></u><u></u></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal">I have the following filter configured;<u></u><u></u></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal">source src_devenv01 { udp(ip(0.0.0.0) port(514)); };<u></u><u></u></p>
<p class="gmail-MsoNormal">filter f_devenv01_04net { netmask(<a target="_blank" href="http://10.22.209.0/24">10.22.209.0/24</a>); };<u></u><u></u></p>
<p class="gmail-MsoNormal">destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };<u></u><u></u></p>
<p class="gmail-MsoNormal">log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };<u></u><u></u></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal">However, the filter does not work, and the logs from this source all go to the generic logging destination.<u></u><u></u></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal">I perform an strace and I can see that the IP appears as expected, so I’m figuring I have a syntax error somewhere;<u></u><u></u></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal">[pid 28481] recvfrom(11, "&lt;182&gt;1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), sin_addr=inet_addr("<b>10.22.209.10</b>")}, [16]) = 265<u></u><u></u></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
<p class="gmail-MsoNormal"><b><span style="color:black">Christian Turner</span></b><span style="color:black">
</span><span style="color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="gmail-MsoNormal"><u></u> <u></u></p>
</span></div>
</div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Janos SZIGETVARI<br><span>RHCE, License no. <a target="_blank" href="https://www.redhat.com/rhtapps/verify/?certId=150-053-692">150-053-692</a></span><br><br>E-mail: <a target="_blank" href="mailto:jszigetvari@gmail.com">jszigetvari@gmail.com</a><br>Phone: +36209440412 (Hungary)<br><br>__@__˚V˚<br>Make the switch to open (source) applications, protocols, formats now:<br>- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice<br>- msn -> jabber protocol (Pidgin, Google Talk)<br>- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp</div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div></div></div></div></div></div></div></div></div>
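<p>Added example (not part of the original thread and not syslog-ng code): a Python check for the condition János points out, two network sources bound to the same protocol, address and port. The sample input is built from the source statements in the quoted configuration; the defaults of port 514 and address 0.0.0.0 for omitted options, and treating a wildcard address as overlapping any other, are assumptions of this example.</p>

```python
import re
from collections import defaultdict

# Constructed sample: source statements taken from the quoted configuration.
SAMPLE_CONF = """
## DEVENV ##
source src_devenv { udp(ip(0.0.0.0) port(514)); };
## MYAPP ALL ##
source src_MYAPP { udp(ip(0.0.0.0) port(514)); };
#source external { tcp(); };
source s_sys { unix-stream ("/dev/log"); internal(); };
"""

SOURCE_RE = re.compile(r"\bsource\s+([\w.-]+)\s*\{(.*?)\}\s*;", re.S)
# udp(...) / tcp(...) with one level of nested option parentheses.
DRIVER_RE = re.compile(r"\b(udp|tcp)\s*\(((?:[^()]|\([^()]*\))*)\)")


def listeners(conf_text):
    """Return {(proto, port): [(source_name, ip), ...]} for udp()/tcp() sources."""
    text = re.sub(r"(?m)^\s*#.*$", "", conf_text)  # drop commented-out lines
    found = defaultdict(list)
    for name, body in SOURCE_RE.findall(text):
        for proto, args in DRIVER_RE.findall(body):
            ip = re.search(r"\bip\s*\(\s*\"?([^\s\")]+)", args)
            port = re.search(r"\bport\s*\(\s*(\d+)", args)
            # Assumption: omitted options mean port 514 on all addresses.
            key = (proto, int(port.group(1)) if port else 514)
            found[key].append((name, ip.group(1) if ip else "0.0.0.0"))
    return found


def conflicts(conf_text):
    """Pairs of sources that try to bind the same protocol, port and address."""
    out = []
    for (proto, port), binds in listeners(conf_text).items():
        for i, (a, ip_a) in enumerate(binds):
            for b, ip_b in binds[i + 1:]:
                # Assumption: a wildcard bind overlaps every specific address.
                if ip_a == ip_b or "0.0.0.0" in (ip_a, ip_b):
                    out.append((a, b, proto, port))
    return out


if __name__ == "__main__":
    for a, b, proto, port in conflicts(SAMPLE_CONF):
        print(f"conflict: {a} and {b} both listen on {proto}/{port}")
```

<p>Run it against a configuration file before reloading syslog-ng; an empty result means no two udp()/tcp() sources share a listener.</p>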