@Evan, right now we are just adding the hosts manually to the syslog file. Is there a way by which I don't need to add the hosts manually to the file?

~Vijay

On Thu, Oct 29, 2015 at 5:54 PM, Evan Rempel <erempel@uvic.ca> wrote:
Before I get too deep into how this is done, can I ask why you want to
separate your logs for solaris and linux?



On 10/29/2015 01:06 PM, vijay amruth wrote:
Thank you Evan.

Right now, we add a solaris server every time we spin one up.

It's like this:

filter f_solaris {
        host('x.x.x.x') or host('x.x.x.2') or
        host('x.x.x.3') or host('x.x.x.4') or
        host('hostname1') or host('hostname2');
        };

So every time we spin up a server we just go and add it manually to the config file, either with its host name or the IP.
I want to be able to automate this with filter functions and/or regex so that I don't have to add it manually to the config file on the server every time.
There is a similar config for linux hosts too.

Hope I am clear. Appreciate you taking your time out for this.

~Vj



On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <erempel@uvic.ca> wrote:
The syslog server has to listen on the ipaddress:port combination.
The solaris hosts need to syslog to the new ipaddress:port combination.

Since I don't know how you are processing your log lines in your syslog-ng configuration it is difficult to provide a lot of guidance, but here are a couple of examples.

---- option #1
Using a completely different source (you must fill in the IP addresses and port numbers):

source s_regular_syslog {
        tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
        };

source s_solaris_syslog {
        tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
        };


log { source(s_regular_syslog); destination(d_regular_destination); };
log { source(s_solaris_syslog); destination(d_solaris_syslog); };


---- option #2
Using a tagged source (you must fill in the IP addresses and port numbers):

source s_all_syslog {
        tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
        tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
        };

filter f_solaris { tags("solaris_syslog"); };

log {
    source(s_all_syslog);
    log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
    log { destination(d_regular_destination); };
};



I hope that gives you the basics of what is needed.


On 10/29/2015 12:41 PM, vijay amruth wrote:
Thank you Evan, great idea!
Can we achieve this with regex on syslog-ng.conf file on the server side?

Thank you,
~Vj

On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel@uvic.ca> wrote:
You could use a second interface on the syslog servers and configure the solaris servers to use this alternate IP address.
You could also use a different port.
Then you could tag the source with "solaris" and then use the tag filtering to separate those messages out of the mix.

Just my $0.02


On 10/29/2015 12:22 PM, vijay amruth wrote:
Thank you for the reply Balazs.

Can we use filter functions like this below ?

filter f_solaris {
        host('uname == solaris') }

My idea is to identify solaris servers.

Thanks all,
~Vj

On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:

Well, probably the only sensible way is to filter based on IP addresses.

On Oct 29, 2015 6:09 AM, "vijay amruth" <vijayamruth@gmail.com> wrote:
Hello All,

We are drawing logs from several hosts, which include solaris (10, 11) and linux (centos, ubuntu, rhel), into syslog servers. I want to be able to separate solaris logs. Is there any pattern we can match for solaris logs that you may know?

Thanks,
Vijay Amrut.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq



--
Thanks,
Vijay Amrut.

-- 
Evan Rempel                                      erempel@uvic.ca
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria 

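Added example, not from anyone in this thread: Balazs's suggestion is to filter on IP addresses, and Vijay's objection is that the host list then has to be edited by hand every time a server is built. One way to close that gap is to keep the Solaris hosts in a plain inventory file and generate the syslog-ng filter from it, so the config file is never hand-edited. The inventory format (one hostname or IP per line, `#` comments allowed) and the function name are my assumptions. Two details worth noting: the `host()` filter argument is a regular expression, so an unescaped `10.1.2.3` would also match `10.1.2.30` or `1011213`; the script escapes the dots and anchors the pattern. It also rejects inventory entries containing characters that are not legal in a hostname or IP, since a stray quote or semicolon in a generated config line would otherwise change the meaning of the filter.

```shell
#!/bin/sh
# Added example: build the f_solaris filter block from an inventory file
# instead of editing syslog-ng.conf by hand. Inventory format (assumed):
# one hostname or IP address per line, blank lines and '#' comments allowed.

# gen_solaris_filter INVENTORY_FILE
# Prints a syslog-ng "filter f_solaris { ... };" block on stdout.
# Returns 1 (and prints a reason on stderr) on an unreadable, empty
# or malformed inventory, so a wrapper can refuse to install the output.
gen_solaris_filter() {
    inv="$1"
    [ -r "$inv" ] || { echo "cannot read inventory: $inv" >&2; return 1; }

    # Strip comments and surrounding whitespace, drop empty lines.
    entries=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$inv" \
              | grep -v '^$')
    [ -n "$entries" ] || { echo "no hosts listed in $inv" >&2; return 1; }

    cond=""
    for h in $entries; do
        # Only characters that can appear in a hostname or IP (v4/v6) are
        # accepted. Quotes, parentheses or semicolons would otherwise end up
        # inside the generated config and alter the filter's meaning.
        case "$h" in
            *[!A-Za-z0-9.:_-]*)
                echo "rejecting malformed inventory entry: $h" >&2
                return 1 ;;
        esac
        # host() takes a regex: escape the dots and anchor the pattern so
        # 10.1.2.3 cannot also match 10.1.2.30. Single-quoted strings in
        # syslog-ng are literal, so the backslashes survive as written.
        esc=$(printf '%s' "$h" | sed 's/\./\\./g')
        if [ -z "$cond" ]; then
            cond="host('^${esc}\$')"
        else
            cond="$cond or host('^${esc}\$')"
        fi
    done
    printf 'filter f_solaris { %s; };\n' "$cond"
}
```

Usage, with paths that are my assumptions: write the output to a file that the main config pulls in with `@include` (for example `gen_solaris_filter /etc/syslog-ng/solaris-hosts.txt > /etc/syslog-ng/conf.d/f_solaris.conf`), run `syslog-ng -s` to syntax-check the whole configuration, and only then `syslog-ng-ctl reload`. Provisioning a new Solaris box then means appending one line to the inventory and re-running the generator, which is the step that can be automated from whatever builds the server. The same generator can produce a matching `f_linux` filter from a second inventory, although Evan's tagged-source approach avoids per-host lists altogether and is the better fit when the Solaris hosts can be pointed at their own port.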