Excuse me if you've already thought of this, but I assume your servers have multiple NICs on separate networks. Why would the same server forward its syslog messages to your central log server using different NICs? Wouldn't normal routing force it to connect using one NIC all the time? I.e., is this really a problem? Have you seen the same server use different NICs to talk to your log server?

If you really are seeing this (and can't fix it at the source), I suppose you could use a filter to look at the messages and define different destinations for each server, using a regexp on the host to determine which to put where.

# filter              Call another filter rule and evaluate its value
# host host(regexp)   Match messages by using a regular expression
#                     against the hostname field of log messages.

So if you had server names as you describe (e.g. server0xx, server1xx ... servernxx) you could define destinations and filters for each server like this (pardon if the syntax is a bit off, I haven't tested this):

# One filter per server; the regexp is matched against the hostname field.
filter f_server0 { host("server0"); };
filter f_server1 { host("server1"); };
filter f_servern { host("servern"); };

# One destination per server, readable by root only.
destination d_server0 {
    file("/var/log/HOSTS/server0/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
destination d_server1 {
    file("/var/log/HOSTS/server1/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
destination d_servern {
    file("/var/log/HOSTS/servern/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

# Tie each filter to its destination.
log { source(s_remote); filter(f_server0); destination(d_server0); };
log { source(s_remote); filter(f_server1); destination(d_server1); };
log { source(s_remote); filter(f_servern); destination(d_servern); };

Hope this helps.

Jim Hendrick
jrhendri@maine.rr.com
GCFW, GCIA, GCIH, GCWN, GCUX

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of mobidyc
Sent: Sunday, August 12, 2007 7:48 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] how rewrite the HOST macro?

K K wrote:
> Why not just make sure that all of the servers have good reverse DNS entries for the IP from which they would source syslog packets, and let "keep_hostname(no); use_dns(yes);" populate $HOST with the DNS lookup results?
Because it's impossible to change the way the reverse DNS entries are done.
The names server0e0 and server0e1 are here because there are multiple networks for the same machine; I can't ask the network team to change the way they work for a piece of software I want to use.
I think I need to find another way to dispatch the messages to the right destinations, maybe dynamically creating symlinks before the message passes through the log statement, but I must be careful with the CPU consumption in this case.
Regards
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
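
An added example, not part of the original thread: a small Python generator for the per-server filter/destination/log stanzas suggested in the reply above, which also shows why the host() regexp should be anchored so that a pattern like server1 does not also collect logs from server10. The server list, the e<N> interface-suffix pattern and the function names are assumptions made for illustration, and Python's re module stands in for syslog-ng's regexp matching.

```python
import re

# Constructed server list; the thread itself only names server0e0 and server0e1.
SERVERS = ["server0", "server1", "server10"]
NIC_SUFFIX = "e[0-9]+"  # assumption: per-NIC names are <server>e<N>
# File template copied from the reply above; {name} is filled in per server.
TEMPLATE = ("/var/log/HOSTS/{name}/$YEAR/$MONTH/$DAY/"
            "$FACILITY_$HOST_$YEAR_$MONTH_$DAY")


def host_regex(name):
    """Anchored regex that accepts only this server's per-NIC hostnames."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError(f"unexpected characters in server name: {name!r}")
    return f"^{name}{NIC_SUFFIX}$"


def matching_servers(hostname, servers, anchored=True):
    """List the servers whose host() filter would accept this hostname."""
    hits = []
    for name in servers:
        pattern = host_regex(name) if anchored else name
        if re.search(pattern, hostname):
            hits.append(name)
    return hits


def stanzas(name, source="s_remote"):
    """Render the filter, destination and log statements for one server."""
    return "\n".join([
        f'filter f_{name} {{ host("{host_regex(name)}"); }};',
        f'destination d_{name} {{',
        f'    file("{TEMPLATE.format(name=name)}"',
        '         owner(root) group(root) perm(0600) dir_perm(0700)',
        '         create_dirs(yes));',
        '};',
        f'log {{ source({source}); filter(f_{name}); destination(d_{name}); }};',
    ])


if __name__ == "__main__":
    for host in ("server0e0", "server0e1", "server10e1"):
        print(host, "unanchored:", matching_servers(host, SERVERS, False),
              "anchored:", matching_servers(host, SERVERS))
    print("\n\n".join(stanzas(name) for name in SERVERS))
```

With the unanchored patterns, a message from server10e1 would be written to both the server1 and server10 directories; the anchored form keeps each host's logs in exactly one place.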