Is this possible in syslog-ng.conf . (v2.0.2)
Hello All , While I haven't seen any examples of this type of definition of a 'source net' around I am hoping we can do something like ... Not the formatting BUT the /24 &/or the netmask'ing .

    source net {
        udp(
            ip( 199.33.245.0/24,    # or 199.33.245.0/255.255.255.0,
                ...
                205.141.166.0/24 )
            port(514)
        );
    };

The structured formatting would also be kind of cool , I come from a heavy background in GateD , And much later JunOS . Tia , JimL

--
+-----------------------------------------------------------------+
| James W. Laferriere     | System Techniques   | Give me VMS   |
| Network Engineer        | 663 Beaumont Blvd   | Give me Linux |
| babydr@baby-dragons.com | Pacifica, CA. 94044 | only on AXP   |
+-----------------------------------------------------------------+
On Sun, 2007-02-18 at 00:43 -0800, Mr. James W. Laferriere wrote:
Hello All , While I haven't seen any examples of this type of definition of a 'source net' around I am hoping we can do something like ... Not the formatting BUT the /24 &/or the netmask'ing .
    source net {
        udp(
            ip( 199.33.245.0/24,    # or 199.33.245.0/255.255.255.0,
                ...
                205.141.166.0/24 )
            port(514)
        );
    };
The source statement defines a listener and does not apply any filtering on incoming syslog datagrams. To do that you need the netmask() filter.

--
Bazsi
Hello Balazs , On Sun, 18 Feb 2007, Balazs Scheidler wrote:
On Sun, 2007-02-18 at 00:43 -0800, Mr. James W. Laferriere wrote:
Hello All , While I haven't seen any examples of this type of definition of a 'source net' around I am hoping we can do something like ... Not the formatting BUT the /24 &/or the netmask'ing .
    source net {
        udp(
            ip( 199.33.245.0/24,    # or 199.33.245.0/255.255.255.0,
                ...
                205.141.166.0/24 )
            port(514)
        );
    };
The source statement defines a listener and does not apply any filtering on incoming syslog datagrams.
Ok . IMO counter intuitive , Tho reasonable with your explanation . One is very used to the 'source' in FW/router/...'s as being the source device(s) IP from where a packet came from . An aside , Can one do the 'Formatting' like my example above , again no examples show up like that , but I am hopeful .
To do that you need the netmask() filter.
Next time I'll go looking at the Blog at Gmane first before shooting my mouth off . netmask was just the hint I needed . Tho it sure would be nice for netmask() to support the /xx bits netmask format . Tnx & Tia , JimL

--
+-----------------------------------------------------------------+
| James W. Laferriere     | System Techniques   | Give me VMS   |
| Network Engineer        | 663 Beaumont Blvd   | Give me Linux |
| babydr@baby-dragons.com | Pacifica, CA. 94044 | only on AXP   |
+-----------------------------------------------------------------+
On Sun, 2007-02-18 at 16:48 -0800, Mr. James W. Laferriere wrote:
Ok . IMO counter intuitive , Tho reasonable with your explanation . One is very used to the 'source' in FW/router/...'s as being the source device(s) IP from where a packet came from .
syslog-ng is not a firewall :) this is sometimes strange to me as well, being involved in firewall products as well. But putting the joke aside, syslog-ng is a "syslog message pipe" processor: sources generate messages, destinations serve as message sinks. Some filtering here and there, that's about syslog-ng's internal structure. So, naming source as a source is consistent with syslog-ng itself.
An aside , Can one do the 'Formatting' like my example above , again no examples show up like that , but I am hopeful .
To do that you need the netmask() filter.
Next time I'll go looking at the Blog at Gmane first before shooting my mouth off . netmask was just the hint I needed . Tho it sure would be nice for netmask() to support the /xx bits netmask format .
It does support this format.

--
Bazsi
Balazs Scheidler wrote:
On Sun, 2007-02-18 at 16:48 -0800, Mr. James W. Laferriere wrote:
Ok . IMO counter intuitive , Tho reasonable with your explanation . One is very used to the 'source' in FW/router/...'s as being the source device(s) IP from where a packet came from .
syslog-ng is not a firewall :) this is sometimes strange to me as well, being involved in firewall products as well. But putting the joke aside, syslog-ng is a "syslog message pipe" processor: sources generate messages, destinations serve as message sinks. Some filtering here and there, that's about syslog-ng's internal structure.
So, naming source as a source is consistent with syslog-ng itself.
I think that the author of the original comment was referring to the IP address binding in the source definition

    source network { tcp( ip(xxxx) ); };

where the IP address is NOT the source at all, it is a local IP address to bind the listener to. Perhaps the syntax should be

    source network { tcp( bind(xxxx) ); };

since the bind address MUST be ip since the definition is already defined to be tcp. I think it is a little counter intuitive even within the scope of syslog-ng.

Evan.
An aside , Can one do the 'Formatting' like my example above , again no examples show up like that , but I am hopeful .
To do that you need the netmask() filter.

Next time I'll go looking at the Blog at Gmane first before shooting my mouth off . netmask was just the hint I needed . Tho it sure would be nice for netmask() to support the /xx bits netmask format .
It does support this format.
--
Evan Rempel                                   erempel@uvic.ca
Senior Programmer Analyst                        250.721.7691
Computing Services                     University of Victoria
On Mon, 2007-02-19 at 09:02 -0800, Evan Rempel wrote:
Balazs Scheidler wrote:
On Sun, 2007-02-18 at 16:48 -0800, Mr. James W. Laferriere wrote:
Ok . IMO counter intuitive , Tho reasonable with your explanation . One is very used to the 'source' in FW/router/...'s as being the source device(s) IP from where a packet came from .
syslog-ng is not a firewall :) this is sometimes strange to me as well, being involved in firewall products as well. But putting the joke aside, syslog-ng is a "syslog message pipe" processor: sources generate messages, destinations serve as message sinks. Some filtering here and there, that's about syslog-ng's internal structure.
So, naming source as a source is consistent with syslog-ng itself.
I think that the author of the original comment was refereing to the IP address binding in the source definition
source network { tcp( ip(xxxx) ); };
where the IP address is NOT the source at all, it is a local IP address to bind the listener to. Perhaps the syntax should be
source network { tcp( bind(xxxx) ); };
since the bind address MUST be ip since the definition is already defined to be tcp.
I think it is a little counter intuitive even within the scope of syslog-ng.
ip is an alias for localip(), but it's true that all examples use ip().

--
Bazsi
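As an added example (not from the thread, and not syslog-ng's own documentation), this is how the two halves of Bazsi's answer fit together in a config: ip() inside the source is the local bind address (the localip() alias), and the per-sender restriction lives in a netmask() filter, written once in the /24 form and once in the dotted-mask form Jim asked about. The two network ranges are the ones from Jim's message; the collector address 192.0.2.10 and the file paths are assumed.

```conf
# Added example: listener bind address vs. sender filter in syslog-ng.
# 199.33.245.0/24 and 205.141.166.0/24 come from the original question;
# 192.0.2.10 is an assumed local interface address on the log collector.

# ip() here is the LOCAL address the UDP listener binds to (alias of localip()).
# It does not restrict who may send; that is what netmask() below is for.
source s_net {
    udp( ip("192.0.2.10") port(514) );
};

# netmask() matches the address the datagram actually arrived from.
# Both the /bits and the dotted-mask notations are accepted.
filter f_from_trusted {
    netmask("199.33.245.0/24")
    or netmask("205.141.166.0/255.255.255.0");
};

# Everything outside the expected ranges, kept apart so it can be reviewed
# instead of being mixed into the trusted log.
filter f_from_unknown {
    not ( netmask("199.33.245.0/24")
          or netmask("205.141.166.0/255.255.255.0") );
};

destination d_trusted { file("/var/log/remote/trusted.log"); };
destination d_unknown { file("/var/log/remote/unexpected-senders.log"); };

log { source(s_net); filter(f_from_trusted); destination(d_trusted); };
log { source(s_net); filter(f_from_unknown); destination(d_unknown); };
```

Because UDP syslog carries no sender authentication, the netmask() filter is a routing and hygiene measure rather than an access control; a growing unexpected-senders.log is worth a look.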
participants (3): Balazs Scheidler, Evan Rempel, Mr. James W. Laferriere