syslog-ng and netfilter() problem
Hi,

I am trying to use syslog-ng to collect syslogs from routers, but I would like the logs from the same network to be logged in one file, i.e.:

  all logs from 66.163.79.0/25 and 64.251.65.224/28 --> to be stored in /ipbb
  all logs from 204.209.214.0/23 --> to be stored in /ipbb_lab

How can I do this using syslog-ng? How do I log IP addresses of the same network into the same file?

There is a filter in syslog-ng called netmask() -- it checks the sender's IP address to see whether it is in the specified IP subnet.

Syntax: netmask(ip/mask)

So I created a filter, see below:

  filter f_ipbb { netmask("66.163.79.0/25"); };

So my logic on this was: if the syslog is from an IP address in this network/subnet then it should get logged to where I specified it to....

Unfortunately, as seen below, I got syslogs from the following IP addresses:

  root@K3 store # ls
  64.251.65.229  66.163.79.2  66.163.79.37  66.163.79.42

But the file only logged one syslog:

  root@K3 test # cat syslogs/2005-07-25
  Jul 25 13:37:52 66.163.79.2/66.163.79.2 34118: Jul 25 13:38:15.053 MDT: %BGP-4-MAXPFX: No. of prefix received from 206.223.116.11 (afi 0) reaches 5893, max 7000

Do you have any idea why? As seen below, I have tried:

  filter f_test { netmask("66.163.79.0/255.255.255.128"); };   <-- gives no results
  filter f_ipbb { netmask("66.163.79.0/25"); };                <-- only gives syslogs from 66.163.79.2

Anything that I might be doing wrong that I can't see? Is there a bug with syslog-ng?

Thank you very much
Kelly :-)

Below is my syslog-ng.conf file:

********************************************************************
options {
    long_hostnames(yes);
    keep_hostname(yes);
    use_fqdn(on);
    create_dirs(yes);
    owner(nmadmin);
    group(users);
    perm(0755);
    dir_owner(nmadmin);
    dir_group(users);
    dir_perm(0755);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
filter f_messages { not level(warn); };
log { source(src); filter(f_messages); destination(messages); };

# filter for ipbb
filter f_ipbb { netmask("66.163.79.0/25"); };
filter f_ipbb2 { netmask("64.251.65.224/28"); };

# test configuration for logging cisco devices
source net { udp(); };
destination ipbb_lab_syslogs { file("/store/ipbb_lab/syslogs/$YEAR-$MONTH-$DAY"); };
destination ipbb_syslogs { file("/store/test/syslogs/$YEAR-$MONTH-$DAY"); };
destination all { file("/store/$HOST"); };
log { source(net); destination(all); };
log { source(net); filter(f_ipbb); destination(ipbb_syslogs); };   # <-- only collects syslogs from 66.163.79.2
log { source(net); destination(ipbb_lab_syslogs); };

# testing for stripping
filter f_test { netmask("66.163.79.0/255.255.255.128"); };
destination d_test { file("/store/test1"); };
log { source(src); filter(f_test); destination(d_test); };   # <-- gives no results

# for SNMPTRAP
destination ipbb_lab_traps { file("/store/ipbb_lab/traps/$YEAR-$MONTH-$DAY"); };
destination ipbb_traps { file("/store/ipbb/traps/$YEAR-$MONTH-$DAY"); };

# filter snmptrap
filter f_snmptrap { level(warn); };
log { source(src); filter(f_snmptrap); destination(ipbb_lab_traps); };   # <-- in test mode; traps also need to be filtered to be stored in their network file
log { source(src); filter(f_snmptrap); filter(f_ipbb); filter(f_ipbb2); destination(ipbb_traps); };
********************************************************************

Kelly Pow
IP Backbone Networks Intern
Shaw CableSystems G.P
Tel: 1.403.303.6387
kelly.pow@sjrb.ca
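A quick way to check what the netmask() filters in the post ought to let through, added here as an example (it is not syslog-ng code and not part of the original thread): it models the filter as "sender IP inside the subnet" with Python's ipaddress module, taking the four sender addresses listed in the post as constructed input. Both spellings tried in the post, the "/25" prefix and the "/255.255.255.128" dotted mask, denote the same subnet, and three of the four observed senders fall inside it, while 64.251.65.229 falls inside 64.251.65.224/28. The filter names (f_ipbb, f_test, f_ipbb2, f_lab) are borrowed from or modelled on the post's config; the helper functions are this example's own.

```python
import ipaddress

# Constructed sample input: the sender addresses listed in the post
# (the directory names under /store created by destination "all").
OBSERVED_SENDERS = ["64.251.65.229", "66.163.79.2", "66.163.79.37", "66.163.79.42"]

# The netmask() arguments from the post's config, keyed by filter name.
# f_lab is an assumed name for the 204.209.214.0/23 network the post wants
# stored separately; it has no filter in the posted config.
FILTERS = {
    "f_ipbb":  "66.163.79.0/25",
    "f_test":  "66.163.79.0/255.255.255.128",
    "f_ipbb2": "64.251.65.224/28",
    "f_lab":   "204.209.214.0/23",
}


def parse_netmask(spec: str) -> ipaddress.IPv4Network:
    """Parse 'ip/prefixlen' or 'ip/dotted.mask' into a network.

    strict=False ignores any host bits set in the given address, so
    "66.163.79.2/25" would still denote 66.163.79.0/25.
    """
    return ipaddress.IPv4Network(spec, strict=False)


def netmask_matches(spec: str, sender: str) -> bool:
    """True if the sender address lies inside the netmask() subnet."""
    return ipaddress.IPv4Address(sender) in parse_netmask(spec)


def route(senders, filters):
    """Return {filter_name: [senders that should pass]}: the addresses each
    filter ought to let through if it matches purely on the sender's IP."""
    return {name: [s for s in senders if netmask_matches(spec, s)]
            for name, spec in filters.items()}


def same_network(spec_a: str, spec_b: str) -> bool:
    """True if two netmask() spellings denote the identical subnet."""
    return parse_netmask(spec_a) == parse_netmask(spec_b)


if __name__ == "__main__":
    for name, hits in route(OBSERVED_SENDERS, FILTERS).items():
        print(f"{name:8} {FILTERS[name]:28} -> {hits}")
    print("f_ipbb and f_test are the same subnet:",
          same_network(FILTERS["f_ipbb"], FILTERS["f_test"]))
```

Run directly, it prints the senders each filter should pass; the result gives a baseline to compare against what actually lands in each destination file.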