Hi,

"Jakub Jankowski" <shasta@toxcorp.com> wrote on 2015-11-01 at 11:57:
> Well, how is this any better than specifying client's IP addresses/hostnames in syslog-ng.conf?

Which one are you thinking of? The idea of more source ports, or the ipset one?

> Let me suggest another idea: if Vijay has control over client's hostname, you could devise a simple host naming scheme, where you encode some metadata in client's hostname, for example: you could name all Solaris clients with a hostname that starts with "s", and all Linux clients with a hostname that starts with "l", then it's dead easy to match that in syslog-ng configuration. Downside is that it is painful to

I do not like assumptions. But I think, if the root of Vijay's problem is that there was bad planning of their network's structure, or no planning at all, then this idea will not help either. However, hostnames can be overridden with a local hosts file, which is only used by syslog-ng.

> introduce. But you could use a mixed approach, where all the existing clients keep their hostnames (and you put them explicitly in the filter), and all the new ones get named with this naming scheme.

However, if we keep to this idea that we want to distinguish the hosts by their names / IP, I would still insist on the distinction by IP. With good organizing they could be grouped well, so a minimal number of netmask() filters would fit well.

Cheers,
Gyu
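
To illustrate the closing point about grouping clients by IP, here is an added example (not part of the original message) that collapses a client inventory into the fewest CIDR blocks and emits the matching syslog-ng netmask() filter. The addresses and the filter names `f_solaris` and `f_linux` are constructed for illustration.

```python
import ipaddress

def collapse(addresses):
    """Return the smallest list of CIDR blocks covering exactly the given hosts."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def netmask_filter(name, addresses):
    """Build a syslog-ng filter statement with one netmask() per CIDR block."""
    expr = " or ".join(f'netmask("{block}")' for block in collapse(addresses))
    return f"filter {name} {{ {expr}; }};"

# Constructed inventory: the Solaris hosts were allocated from one aligned
# range, the Linux hosts were assigned addresses ad hoc.
PLANNED_SOLARIS = [f"10.1.1.{i}" for i in range(0, 64)]
UNPLANNED_LINUX = ["10.1.2.5", "10.1.7.9", "10.1.2.4", "192.168.3.77"]

if __name__ == "__main__":
    # 64 planned hosts need a single netmask(); 4 unplanned hosts need three.
    print(netmask_filter("f_solaris", PLANNED_SOLARIS))
    print(netmask_filter("f_linux", UNPLANNED_LINUX))
```
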