<div dir="auto">The host filter matches the value in the log message itself.<div dir="auto"><br></div><div dir="auto">If you want a network match you would need to use the netmask() filter that really matches the sender IP with a CIDR.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Feb 24, 2017 8:47 PM, "Tim Tyler" <<a href="mailto:tyler@beloit.edu">tyler@beloit.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_289981853604476109WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks everyone. I got it to work leveraging the hostname from the column in the log file and setting keep_hostname(yes). I had originally wanted to use the ip address, but for some reason, I could never get a match for it. The ip address would have to be matched within the packet and not the log itself. But every permutation I tried failed to get an ip match. But it really doesn’t matter to me because the hostname (which is not DNS’d) works fine.</span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> Little tricky to me, but thank you all for your help. 
</span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Tim</span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@<wbr>lists.balabit.hu</a>] <b>On Behalf Of </b>Czanik, Péter<br><b>Sent:</b> Friday, February 24, 2017 11:26 AM<br><b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br><b>Subject:</b> Re: [syslog-ng] Can't get basic syslog to work for my firewall logs?</span></p><p class="MsoNormal"> </p><div><div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Hi,</p></div><p class="MsoNormal" style="margin-bottom:12.0pt">The name of the firewall seems to be "<span style="color:#1f497d"><a href="http://PA-3020.its.beloit.edu" target="_blank">PA-3020.its.beloit.edu</a>" in your log: <a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.9-guides/en/syslog-ng-ose-v3.9-guide-admin/html-single/index.html#filter-host" target="_blank">https://www.balabit.com/sites/<wbr>default/files/documents/<wbr>syslog-ng-ose-3.9-guides/en/<wbr>syslog-ng-ose-v3.9-guide-<wbr>admin/html-single/index.html#<wbr>filter-host</a> If you want an IP address, use keep-hostname(no) and use-dns(no) options.</span></p></div><p class="MsoNormal"><span style="color:#1f497d">Bye,</span></p></div><div><p class="MsoNormal"><br clear="all"></p><div><div><div><div><p class="MsoNormal">Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="https://www.balabit.com/blog/author/peterczanik/" 
target="_blank">https://www.balabit.com/blog/<wbr>author/peterczanik/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></p></div></div></div></div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Fri, Feb 24, 2017 at 6:03 PM, Tim Tyler <<a href="mailto:tyler@beloit.edu" target="_blank">tyler@beloit.edu</a>> wrote:</p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal"><span style="color:#1f497d">Damian,</span></p><p class="MsoNormal"><span style="color:#1f497d">Ok, I fired it up in the foreground and I got the following results below. I am noticing filter rule “not match” for f_NAMEOFTHEFIREWALL. I guess I am misunderstanding this line. I had set this to the ip address of the firewall. I believe that variable is using a host ip assignment. But I am guessing I might need to change NAMEOFTHEFIREWALL. Do I need to change NAMEOFTHEFIREWALL to the actual fqdn name? 
</span></p><p class="MsoNormal"><span style="color:#1f497d"> -tim</span></p><p class="MsoNormal"><span style="color:#1f497d"> </span></p><pre>syslog-ng starting up; version='3.5.6'
Incoming log entry; line='&lt;14&gt;Feb 24 10:36:41 PA-3020.its.beloit.edu 1,2017/02/24 10:36:41,001801001111,CONFIG,0,0,2017/02/24 10:36:41,144.89.x.x,,edit,admin,Web,Succeeded, vsys vsys1 rulebase security rules admissions.beloit.edu,867,0x0'
Filter rule evaluation begins; rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
Filter node evaluation result; result='not-match'
Filter rule evaluation result; result='not-match', rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
Incoming log entry; line='&lt;14&gt;Feb 24 10:36:54 PA-3020.its.beloit.edu 1,2017/02/24 10:36:54,001801001111,CONFIG,0,0,2017/02/24 10:36:54,144.89.41.210,,commit,admin,Web,Submitted,,868,0x0'
Filter rule evaluation begins; rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
Filter node evaluation result; result='not-match'
Filter rule evaluation result; result='not-match', rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
</pre><p class="MsoNormal"><span style="color:#1f497d"> </span></p><p class="MsoNormal"><span style="color:#1f497d">Tim</span></p><p class="MsoNormal"><span style="color:#1f497d"> </span></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> syslog-ng [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@<wbr>lists.balabit.hu</a>] <b>On Behalf Of </b>Damian Bell<br><b>Sent:</b> Friday, February 24, 2017 9:36 AM<br><b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br><b>Subject:</b> Re: [syslog-ng] Can't get basic syslog to work for my firewall logs?</p></div></div><p class="MsoNormal"> </p><p class="MsoNormal"><span lang="EN-GB"> </span></p><p class="MsoNormal"><span lang="EN-GB" style="color:#1f497d">Have you disabled any other syslog servers that might be listening on UDP 514? Rsyslog, etc? (ps aux | grep syslog) Try (temporarily) disabling SELINUX and keep firewall turned off. 
See if you can start syslog-ng in the foreground and see what you get (syslog-ng -Fed)</span></p><p class="MsoNormal"><span lang="EN-GB" style="color:#1f497d"> </span></p><p class="MsoNormal"><span lang="EN-GB" style="color:#1f497d"> </span></p><p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB"> </span></p><table class="m_289981853604476109MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse"><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;color:#595959">Damian</span></b> <b><span style="font-size:10.0pt;color:#595959">Bell</span></b><br><span style="font-size:10.0pt;color:#595959">Infrastructure Engineer | Support | H Clarkson & Co Ltd</span></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"><br><span style="font-size:10.0pt;color:#404040">Email: </span><span style="font-size:10.0pt;color:#0070c0"><a href="mailto:Damian.Bell@clarksons.com" title="Click to send email to Damian Bell" target="_blank"><span style="color:#0070c0">Damian.Bell@clarksons.com</span></a></span></p></td></tr></table><p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB"> </span></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> syslog-ng [<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">mailto:syslog-ng-bounces@<wbr>lists.balabit.hu</a>] <b>On Behalf Of </b>Tim Tyler<br><b>Sent:</b> 24 February 2017 15:07<br><b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br><b>Subject:</b> [syslog-ng] Can't get basic syslog to work for my firewall logs?</p></div></div><p class="MsoNormal"><span lang="EN-GB"> </span></p><p class="MsoNormal">Syslog-ng experts.</p><p class="MsoNormal"> I am very new to syslog-ng. I installed syslog-ng on a fresh Redhat 7.3 server. 
It defaults working with internal logging. So I configured my firewall to send syslog with facility set to log_user. I turned on Wireshark on the syslog-ng server and observed the firewall sending traffic to the server on udp 514. </p><p class="MsoNormal"> </p><p class="MsoNormal">But the syslog server never created the directory structure and logs. I disabled the redhat firewall just to eliminate it as a possibility. Still no logging. So I don’t know what I am doing wrong at this point. I don’t know if this is a permission problem or some other configuration issue. I found someone that had posted a very basic syslog-ng configuration for firewalls. So I copied it into a firewall.conf I put in conf.d. Can anyone see what might be wrong with it?</p><p class="MsoNormal"> </p><pre>####################
options {
 create_dirs(yes);
 owner(root);
 group(root);
 perm(0640);
 dir_owner(root);
 dir_group(root);
 dir_perm(0750);
};


##################################################
source s_udp {
 udp(port(514));
};

#Template for a new firewall in the firewalls.conf file
#Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL

##################################################
filter f_NAMEOFTHEFIREWALL {
 host("192.168.30.1");
};
destination d_NAMEOFTHEFIREWALL {
 file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};
log {
 source(s_udp);
 filter(f_NAMEOFTHEFIREWALL);
 destination(d_NAMEOFTHEFIREWALL);
};
</pre><p class="MsoNormal"> </p><p class="MsoNormal"> </p><p class="MsoNormal">Tim Tyler</p><p class="MsoNormal">Network Engineer</p><p class="MsoNormal">Beloit College</p><p class="MsoNormal"> </p></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>______________________________<wbr>______________________________<wbr>__________________<br>Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" 
target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br><br></p></blockquote></div><p class="MsoNormal"> </p></div></div></div>
<br></blockquote></div></div>
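<p>The distinction drawn in the reply at the top of the thread, written out as an added syslog-ng configuration that is not from any of the posters: the template's original host() filter, a host() filter on the hostname the firewall actually puts in the message, and a netmask() filter on the UDP sender address. The address 192.168.30.1 is the placeholder from Tim's template and the hostname is the one visible in his -Fed output; the filter and destination names are assumed.</p>

```syslog-ng
@version: 3.5

options {
    create_dirs(yes);
    # Keep the hostname the firewall writes into the message instead of
    # replacing it with the sender address or a reverse-DNS lookup.
    keep_hostname(yes);
    use_dns(no);
};

source s_udp {
    udp(port(514));
};

# Original template: host() is a regular expression matched against the
# HOST field of the parsed message. That field holds
# "PA-3020.its.beloit.edu", so an IP literal can never match, which is
# the "result='not-match'" seen in the foreground debug output.
filter f_fw_by_ip_in_host_field {
    host("192.168.30.1");
};

# What the thread settled on: match the hostname carried in the message
# (with keep_hostname(yes) so syslog-ng does not overwrite it).
filter f_fw_by_hostname {
    host("PA-3020.its.beloit.edu");
};

# Match the address the datagram came from, regardless of the HOST field.
# A /32 selects a single firewall; a wider prefix selects a subnet.
filter f_fw_by_sender_ip {
    netmask("192.168.30.1/32");
};

destination d_fw {
    file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};

log {
    source(s_udp);
    filter(f_fw_by_sender_ip);
    destination(d_fw);
};
```

With keep_hostname(yes) the routing decision rests on a field the sender writes, so any host that can reach UDP 514 can claim to be the firewall; netmask() at least ties the decision to the source address of the datagram.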