On Fri, May 12, 2006 at 07:04:26PM -0400, Mark R. White wrote:
Thanks for all the help I've received so far. Although, I'm still not able to do what I need to do. Right now, I just want to log one specific device to a specific log file. One email I received said I should use the netmask filter option, although for some reason, my system doesn't like that option.
What version? I know that netmask() existed in 1.6.9, and current is 1.6.11. Perhaps you should start with a very tiny config file, like this:

------------------------------------------------------------------
source s_sys {
    udp( ip( 0.0.0.0 ) );
    tcp( ip( 0.0.0.0 ) );
};

destination d_pix { file( "/var/log/pix.log" ); };

filter f_pix { netmask( "10.10.10.4" ); };

log { source(s_sys); filter(f_pix); destination(d_pix); };
------------------------------------------------------------------

If that still doesn't log anything, then run tcpdump on this host to prove that syslog packets *are* actually arriving, and the source address really is 10.10.10.4 (e.g. the PIX might be sending them with a loopback address as its source). Try:

    tcpdump -i eth0 -n -s1500 -v udp port 514

Note: if your machine has multiple IP addresses, then you can bind syslog-ng to a single one by changing 0.0.0.0 in the config above to that address. That allows you to run a traditional syslogd and syslog-ng simultaneously on the same machine, listening on different IP interfaces.

HTH,

Brian.
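Added example, not from Brian's or Mark's messages and not syslog-ng's own code: a small Python diagnostic that reads `tcpdump -n` output (the capture lines below are constructed), tallies syslog packets per source address, and emulates the syslog-ng netmask() match, so a PIX sending from a loopback source shows up as "would not match" instead of silently producing an empty log file.

```python
# Added example (not from the mailing-list thread): parse `tcpdump -n` output,
# count syslog packets per source address, and check which sources would pass
# a syslog-ng netmask() filter. The sample capture text is constructed.
import ipaddress
import re
from collections import Counter

# Matches "SRC.PORT > DST.PORT:" as printed by tcpdump -n; with -v this sits
# on an indented continuation line, so every line is searched.
_FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

def count_sources(capture_text, port=514):
    """Return {source_ip: packet_count} for packets addressed to `port`."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = _FLOW_RE.search(line)
        if m and int(m.group("dport")) == port:
            counts[m.group("src")] += 1
    return dict(counts)

def netmask_matches(source_ip, address, mask="255.255.255.255"):
    """Emulate filter netmask("address/mask"): true when the packet's source
    address lies inside the network. A bare address implies a /32 mask."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return ipaddress.ip_address(source_ip) in net

# Constructed tcpdump -n -v output: two PIX messages and one sent from loopback.
SAMPLE_CAPTURE = """\
19:04:26.101 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 120)
    10.10.10.4.514 > 10.10.10.1.514: SYSLOG local4.warning, length: 92
19:04:26.205 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 88)
    127.0.0.1.40000 > 10.10.10.1.514: SYSLOG user.notice, length: 60
19:04:27.330 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 118)
    10.10.10.4.514 > 10.10.10.1.514: SYSLOG local4.warning, length: 90
"""

def diagnose(capture_text, filter_address="10.10.10.4"):
    """Return {source_ip: (packet_count, would_match_filter)}."""
    return {src: (n, netmask_matches(src, filter_address))
            for src, n in count_sources(capture_text).items()}

if __name__ == "__main__":
    for src, (n, ok) in diagnose(SAMPLE_CAPTURE).items():
        print(f"{src}: {n} packet(s), matches netmask filter: {ok}")
```

Pipe a real capture in place of SAMPLE_CAPTURE; any source listed with "False" is arriving but being dropped by the filter, which is the symptom Mark describes.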