Hi John,

John Kristoff wrote:

> I have a couple of scenarios where I'm looking to enhance how I handle and process some logs. I'm looking for suggestions on what my options are, but maybe these are potential feature requests?
>
> 1. In using a parser (csv or the patterndb), I'd like to use some conditionals based on a resultant macro value. So for example, if I have an sshd authentication log message with a source address in a macro and that address is contained within a specific prefix, I'd like to handle that message differently. Perhaps not log it at all or set another MACRO to a certain value.

You can filter on the results of your message parsing and use embedded log statements to handle messages differently based on the values of the parsers. You need a filter that selects program(sshd), netmask(), and tag(how-you-tag-sshd-auth-messages). For embedded logpaths, see http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/config... and http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/refere... for the various filters.

HTH
Robert

> 2. I'd like to be able to suppress duplicate messages even if they are not necessarily contiguous at the destination. So for example, if I have an SSH client that generates a log of its SSH client protocol and software, I don't need to see that over and over again (e.g. as you might commonly see today in SSH brute force attacks).

AFAIK,

> John

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
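The approach from the reply above (parse, then filter on the parsed value inside an embedded log statement, and set another macro on the way) written out as an added syslog-ng 3.x configuration. This is not code from the thread or from the syslog-ng documentation; the prefix 192.0.2.0/24, the file paths and the SSH.* field names are constructed for the example. A csv-parser is used because it needs no external ruleset file, so it is restricted to sshd "Accepted ..." lines, which have a fixed number of space-separated fields; the varied shapes of sshd failure messages are the job of a patterndb ruleset.

```conf
# Added example (not from the thread or from BalaBit): parse sshd "Accepted"
# lines, then route logins from one prefix through an embedded log path.
@version: 3.1

source s_local { unix-dgram("/dev/log"); internal(); };

# Only sshd "Accepted ..." lines reach the csv-parser, so every message it
# sees has exactly the nine fields listed below.
filter f_sshd_accepted {
    program("sshd") and match("^Accepted " value("MESSAGE"));
};

# "Accepted publickey for alice from 192.0.2.10 port 52314 ssh2"
# split on spaces; the client address lands in ${SSH.ADDR}.
parser p_sshd_accepted {
    csv-parser(columns("SSH.RESULT", "SSH.METHOD", "SSH.FOR", "SSH.USER",
                       "SSH.FROM", "SSH.ADDR", "SSH.PORTKW", "SSH.PORT",
                       "SSH.PROTO")
               delimiters(" ")
               flags(escape-none, drop-invalid)
               template("${MESSAGE}"));
};

# netmask() tests the address the message was received FROM (the sending
# host), not a parsed field, so the parsed client address is checked with
# match() against a regexp for the constructed prefix 192.0.2.0/24.
filter f_client_in_prefix {
    match("^192\\.0\\.2\\.[0-9]+$" value("SSH.ADDR"));
};

# Point 1 of the question: set another macro on the matching messages.
rewrite r_mark_prefix { set("known-prefix" value("SSH.SRC_CLASS")); };

destination d_sshd_prefix {
    file("/var/log/sshd-known-prefix.log"
         template("${ISODATE} ${HOST} ${SSH.USER}@${SSH.ADDR} ${SSH.RESULT} ${SSH.SRC_CLASS}\n"));
};

# suppress(30) collapses identical messages that arrive back to back within
# 30 seconds; it does not cover the non-contiguous case from point 2.
destination d_sshd_other {
    file("/var/log/sshd-other.log" suppress(30));
};

log {
    source(s_local);
    filter(f_sshd_accepted);
    parser(p_sshd_accepted);

    # Embedded log path: logins from the known prefix are marked, written to
    # their own file, and stopped here by flags(final).
    log {
        filter(f_client_in_prefix);
        rewrite(r_mark_prefix);
        destination(d_sshd_prefix);
        flags(final);
    };

    # Everything else keeps flowing to the general sshd log.
    log { destination(d_sshd_other); };
};
```

To drop the prefix's logins entirely instead of writing them to their own file, leave the destination out of the embedded path and keep flags(final). Keeping the other file complete matters for detection: it is the record that brute-force patterns are spotted in, so nothing outside the known prefix should be filtered away.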