Hello Christian,

Syslog-ng would issue a warning had there been a syntax error. (You can check your config files for syntax errors with the -svf <configfile> parameters set.)

To me it seems that the filter you've set up for that specific IP range, "f_devenv01_04net", is not the same as the one you seem to be using in your log stanza ("f_devenv_04net").

Best Regards,
János Szigetvári

--
Janos SZIGETVARI
RHCE, License no. 150-053-692



2016-08-03 17:52 GMT+02:00 Christian Turner <cturner@highroads.com>:

Hi,

I have the following filter configured:

source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };

However, the filter does not work, and the logs from this source all go to the generic logging destination.

I performed an strace and I can see that the IP appears as expected, so I’m figuring I have a syntax error somewhere:

[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), sin_addr=inet_addr("10.22.209.10")}, [16]) = 265

 

Christian Turner
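
An added example, not part of either message and not syslog-ng's own tooling: a small Python check that lists every source, filter, destination, parser or rewrite name used in a log statement without a matching definition, and suggests the closest defined name. The function name `undefined_references` is hypothetical, and the check assumes flat log statements that reference objects by name (no nested braces or inline definitions).

```python
import difflib
import re

KINDS = "source|filter|destination|parser|rewrite"
# Quoted strings and '#' comments are blanked so their contents cannot confuse the scan.
STRIP_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'[^\']*\'|#[^\n]*')
DEF_RE = re.compile(r"^\s*(%s)\s+([\w.-]+)\s*\{" % KINDS, re.M)   # filter NAME { ... };
LOG_RE = re.compile(r"^\s*log\s*\{(.*?)\}\s*;", re.M | re.S)      # log { ... };
REF_RE = re.compile(r"\b(%s)\s*\(\s*([\w.-]+)\s*\)" % KINDS)      # filter(NAME)

# The configuration quoted in the thread, with alignment whitespace condensed.
SAMPLE = r'''
source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
'''


def undefined_references(config_text):
    """Return (kind, name, closest_defined_name_or_None) for each dangling reference."""
    text = STRIP_RE.sub(lambda m: "" if m.group(0).startswith("#") else '""', config_text)
    defined = {}
    for kind, name in DEF_RE.findall(text):
        defined.setdefault(kind, set()).add(name)
    problems = []
    for body in LOG_RE.findall(text):
        for kind, name in REF_RE.findall(body):
            known = defined.get(kind, set())
            if name not in known:
                # A near miss usually means a typo rather than a missing object.
                close = difflib.get_close_matches(name, sorted(known), n=1)
                problems.append((kind, name, close[0] if close else None))
    return problems


if __name__ == "__main__":
    for kind, name, hint in undefined_references(SAMPLE):
        suffix = " (did you mean %r?)" % hint if hint else ""
        print("log path references undefined %s %r%s" % (kind, name, suffix))
```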

 

