@version: 3.2
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# https://www.balabit.com/support/documentation
#

@include "scl.conf"

# Global options.
# use_dns(no) + keep_hostname(no): the hostname carried inside a received
# message is not kept, and no DNS lookup is done, so $HOST in the file()
# templates below should expand to the sender's address rather than to
# free-form text from the message header.
# NOTE(review): if keep_hostname is ever switched to yes, $HOST becomes
# sender-supplied text that ends up in file and directory names (and
# create_dirs(yes) creates whatever directories the template asks for);
# review every $HOST path before changing it.
options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (2048);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (no);
    stats_freq(86400);
};

# Local sources: kernel messages, the local /dev/log socket and syslog-ng's
# own internal messages.
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

### MYAPP Dev Logs ###
## DEVENV ##

# Network source: plain UDP syslog on port 514, bound to every interface
# (0.0.0.0). UDP syslog is unauthenticated and unencrypted, so anything that
# can reach this port can write into the log files below.
# NOTE(review): restrict reachability with a host firewall or bind to the
# internal interface only; nothing in this file limits who may send.
source src_devenv { udp(ip(0.0.0.0) port(514)); };

# One filter per DEVENV tier, matched on the sender's address. With UDP the
# source address can be forged, so these filters route messages into files;
# they are not an access control.
filter f_devenv_01ui { netmask(10.22.206.0/24); };
filter f_devenv_02gw { netmask(10.22.207.0/24); };
filter f_devenv_03api { netmask(10.22.208.0/24); };
# NOTE(review): this is the only netmask() written with a quoted argument and
# inner spaces; the siblings are unquoted. Make them consistent and confirm
# which form the installed syslog-ng version parses as intended.
filter f_devenv_04net { netmask( "10.22.209.0/24" ); };
filter f_devenv_05bat { netmask(10.22.210.0/24); };

# Per-tier destinations: one file per sender ($HOST) per day.
# No owner()/group()/perm() is set on any of these, so the files are created
# with syslog-ng's global defaults (the commented-out d_hosts example further
# down shows the explicit form). NOTE(review): set them explicitly if these
# application logs should not be readable by other local accounts.
destination d_devenv_01ui { file("/mnt/syslogng/MYAPPlogs/DEVENV/01ui-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_02gw { file("/mnt/syslogng/MYAPPlogs/DEVENV/02gw-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_03api { file("/mnt/syslogng/MYAPPlogs/DEVENV/03api-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_04net { file("/mnt/syslogng/MYAPPlogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_05bat { file("/mnt/syslogng/MYAPPlogs/DEVENV/05bat-$HOST-$YEAR$MONTH$DAY.log"); };

# Log paths are evaluated in the order written. Only the 04net path carries
# flags(final), which stops later log statements from processing the messages
# it matched; messages matched by the other four paths continue on to the
# statements below them.
log { source(src_devenv); filter(f_devenv_01ui); destination(d_devenv_01ui); };
log { source(src_devenv); filter(f_devenv_02gw); destination(d_devenv_02gw); };
log { source(src_devenv); filter(f_devenv_03api); destination(d_devenv_03api); };
log { source(src_devenv); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
log { source(src_devenv); filter(f_devenv_05bat); destination(d_devenv_05bat); };

## MYAPP ALL ##

# NOTE(review): src_MYAPP declares exactly the same listener as src_devenv,
# udp(ip(0.0.0.0) port(514)). Two sockets on one address/port cannot both be
# relied on to receive every datagram: depending on version and socket
# options the second bind fails or only one socket is handed each message.
# If src_MYAPP is the one receiving, the src_devenv log paths and their
# netmask() filters never see the traffic and everything lands in d_MYAPP,
# which matches the symptom described in the message below. Presumably the
# fix is a single network source referenced by all log paths; verify.
source src_MYAPP { udp(ip(0.0.0.0) port(514)); };

# Catch-all destination: one directory per sender ($HOST), one file per day.
# Because create_dirs(yes) is set, every distinct sender address creates a new
# directory and file under /mnt/syslogng/MYAPPlogs/.
destination d_MYAPP { file("/mnt/syslogng/MYAPPlogs/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_MYAPP); destination(d_MYAPP); };

#source external { tcp(); };
#source external { udp(); };
#destination d_hosts { file("/home/syslog/$HOST/application.log" owner("syslog") group("syslog") perm(0600)); };

# Local messages from s_sys go to /var/log/messages (see the log statement
# after the commented-out destinations).
destination d_mesg { file("/var/log/messages"); };
#destination d_cons { file("/dev/console"); };
#destination d_auth { file("/var/log/secure"); };
#destination d_mail { file("/var/log/maillog" flush_lines(10)); };
#destination d_spol { file("/var/log/spooler"); };
#destination d_boot { file("/var/log/boot.log"); };
#destination d_cron { file("/var/log/cron"); };
#destination d_kern { file("/var/log/kern"); };
#destination d_mlal { usertty("*"); };
#destination d_all { file("/var/log/splunk"); };

log { source(s_sys); destination(d_mesg); };
#log { source(external); destination(d_hosts); };

From: Christian Turner
Sent: Wednesday, August 3, 2016 11:53 AM
To: 'syslog-ng@lists.balabit.hu' <syslog-ng@lists.balabit.hu>
Subject: RE: sylog-ng filters not working

Hi,

I have the following filter configured;

source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
# NOTE(review): the filter above is defined as f_devenv01_04net, but the log
# path below references f_devenv_04net; the two names have to match. The full
# configuration earlier on this page uses f_devenv_04net in both places.
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };

However, the filter does not work, and the logs from this source all go to the generic logging destination. I perform an strace and I can see that the IP appears as expected, so I'm figuring I have a syntax error somewhere;

[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), sin_addr=inet_addr("10.22.209.10")}, [16]) = 265

Christian Turner