Re: [syslog-ng] syslog-ng filters not working
Hi,

I have the following filter configured;

source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };

However, the filter does not work, and the logs from this source all go to the generic logging destination.

I perform an strace and I can see that the IP appears as expected, so I'm figuring I have a syntax error somewhere;

[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), sin_addr=inet_addr("10.22.209.10")}, [16]) = 265

Christian Turner
Hello Christian,

Syslog-ng would issue a warning had there been a syntax error. (You can check your config files for syntax errors with the -svf <configfile> parameters set.)

To me it seems that the filter you've set up for that specific IP range "f_devenv01_04net" is not the same that you seem to be using in your log stanza ("f_devenv_04net").

Best Regards,
János Szigetvári

--
Janos SZIGETVARI
RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

2016-08-03 17:52 GMT+02:00 Christian Turner <cturner@highroads.com>:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Still same issue

On Aug 3, 2016 10:35 PM, "SZIGETVÁRI János" <jszigetvari@gmail.com> wrote:
Hello,

Then we'd need to take a look at your whole config. Could you please attach it?

Thanks!
János

2016-08-03 19:22 GMT+02:00 Harsha S Aryan <harsha.s.aryan@gmail.com>:
Hello,

The log message is the following from the strace:

<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]...

As I see the IP address is ::1 in the message, as the hostname (or IP address) comes after the timestamp. So in this case the IPv4 filter won't kick in for an IPv6 address.

Kind regards,
Gergely Csordás

On 08/03/2016 07:22 PM, Harsha S Aryan wrote:
Hello Gergő,

2016-08-03 19:43 GMT+02:00 Gergely Csordás <sirnelkher@gmail.com>:
<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]...
As I see the IP address is ::1 in the message, as the hostname (or IP address) comes after the timestamp.
So in this case the IPv4 filter won't kick in for an IPv6 address.
The netmask() filter does not check the contents of the HOST macro, but rather uses the sender's IP address for the comparison: https://www.balabit.com/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-ose-...

As per the strace, the UDP package indeed seems to originate from 10.22.209.10.

Regards,
János
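The two points raised in this thread, as an added example that is not part of the list discussion or of syslog-ng itself: netmask() is evaluated against the UDP sender address rather than the HOST field of the message, and the log stanza references a filter name that no filter block defines. The config and strace line are the ones quoted above, embedded here as constructed sample input; the helper names are my own.

```python
"""Emulate netmask() semantics and check filter name references (added example)."""
import ipaddress
import re

# Constructed sample input: the config and strace line quoted in the thread.
CONFIG = """
source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
"""
STRACE_LINE = ('[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 '
               '[[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), '
               'sin_addr=inet_addr("10.22.209.10")}, [16]) = 265')


def parse_recvfrom(line):
    """Return (sender_ip, host_field) from an strace recvfrom() line.

    The sender comes from the sockaddr (inet_addr), the HOST field from the
    RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME ...
    """
    sender = re.search(r'inet_addr\("([^"]+)"\)', line).group(1)
    host = re.search(r'"<\d+>\d+ \S+ (\S+)', line).group(1)
    return sender, host


def netmask_matches(addr, cidr):
    """True only if addr parses as an address of cidr's family and lies inside it."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # a hostname like "::1 [[REDACTED]]" or "web01" never matches
        return False
    net = ipaddress.ip_network(cidr)
    return ip.version == net.version and ip in net


def undefined_filters(config):
    """Filter names used as filter(NAME) that no 'filter NAME { ... };' block defines."""
    defined = set(re.findall(r'^\s*filter\s+(\w+)\s*\{', config, re.M))
    used = set(re.findall(r'filter\((\w+)\)', config))
    return sorted(used - defined)


if __name__ == "__main__":
    sender, host = parse_recvfrom(STRACE_LINE)
    print("sender", sender, "matches:", netmask_matches(sender, "10.22.209.0/24"))
    print("HOST", host, "matches:", netmask_matches(host, "10.22.209.0/24"))
    print("undefined filters:", undefined_filters(CONFIG))
```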