The syslog server has to listen on the ipaddress:port combination. The solaris hosts need to syslog to the new ipaddress:port combination.

Since I don't know how you are processing your log lines in your syslog-ng configuration it is difficult to provide a lot of guidance, but here are a couple of examples.

---- option #1
Using a completely different source.
- you must fill in the IP addresses and port numbers

    source s_regular_syslog {
        tcp(localip(regularIP) port(regularPort)
            max_connections(5000)
            log_fetch_limit(20000)
            log_iw_size(1000000)
            tags("regular_syslog")
        );
    };

    source s_solaris_syslog {
        tcp(localip(solarisIP) port(solarisPort)
            max_connections(5000)
            log_fetch_limit(20000)
            log_iw_size(1000000)
            tags("solaris_syslog")
        );
    };

    log { source(s_regular_syslog); destination(d_regular_destination); };
    log { source(s_solaris_syslog); destination(d_solaris_syslog); };

---- option #2
Using a tagged source.
- you must fill in the IP addresses and port numbers

    source s_all_syslog {
        tcp(localip(regularIP) port(regularPort)
            max_connections(5000)
            log_fetch_limit(20000)
            log_iw_size(1000000)
            tags("regular_syslog")
        );
        tcp(localip(solarisIP) port(solarisPort)
            max_connections(5000)
            log_fetch_limit(20000)
            log_iw_size(1000000)
            tags("solaris_syslog")
        );
    };

    filter f_solaris { tags("solaris_syslog"); };

    log {
        source(s_all_syslog);
        # flags(final) stops tagged messages from also reaching the second branch
        log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
        log { destination(d_regular_destination); };
    };

I hope that gives you the basics of what is needed.

On 10/29/2015 12:41 PM, vijay amruth wrote:
Thank you Evan, great idea! Can we achieve this with regex on syslog-ng.conf file on the server side?
Thank you, ~Vj
On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel@uvic.ca> wrote:
You could use a second interface on the syslog servers and configure the solaris servers to use this alternate IP address. You could also use a different port. Then you could tag the source with "solaris" and then use the tag filtering to separate those messages out of the mix.
Just my $0.02
On 10/29/2015 12:22 PM, vijay amruth wrote:
Thank you for the reply Balazs.
Can we use filter functions like this below ?
filter f_solaris { host('uname == solaris') }
My idea is to identify solaris servers.
Thanks all, ~Vj
On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
Well, probably the only sensible way is to filter based on IP addresses.
On Oct 29, 2015 6:09 AM, "vijay amruth" <vijayamruth@gmail.com> wrote:
Hello All,
We are drawing logs from several hosts, which include Solaris (10, 11) and Linux (CentOS, Ubuntu, RHEL), into syslog servers. I want to be able to separate the Solaris logs. Is there any pattern we can match for Solaris logs that you may know?
Thanks, Vijay Amrut.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Thanks, Vijay Amrut.
-- Evan Rempel erempel@uvic.ca Senior Systems Administrator 250.721.7691 Data Centre Services, University Systems, University of Victoria
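
The IP-address filtering suggested earlier in the thread can be written with syslog-ng's netmask() filter, shown here as an added example that is not part of the original messages. It assumes a source named s_all_syslog that receives every host and the two destinations named in the reply above; the addresses are placeholders from the 192.0.2.0/24 documentation range.

```conf
# Added example, not from the thread. All addresses are placeholders;
# s_all_syslog, d_solaris_syslog and d_regular_destination are assumed to be
# defined elsewhere in syslog-ng.conf.

# netmask() compares the address of the peer that delivered the message to
# this server. It does not look at the HOST field inside the message, so a
# sender cannot move its logs into the Solaris path by writing a different
# hostname. If messages arrive through a relay, the relay's address is what
# gets matched, so list Solaris hosts here only when they connect directly.
filter f_solaris_by_ip {
    # one directly connected Solaris host (placeholder address)
    netmask(192.0.2.10/32)
    # a subnet that contains only Solaris hosts (placeholder range)
    or netmask(192.0.2.64/26);
};

log {
    source(s_all_syslog);
    # Solaris senders go to their own destination and stop there
    log { filter(f_solaris_by_ip); destination(d_solaris_syslog); flags(final); };
    # everything else falls through to the regular destination
    log { destination(d_regular_destination); };
};
```

Running `syslog-ng --syntax-only` against the edited file checks the configuration before the daemon is reloaded.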