So it will have the opposite effect of what I wanted then... anything that matches host1 will set match=1 and DEFAULT won't match. Heh, somehow I find it amusing that my logic was completely backwards. Or maybe I'm up too late. :-)
Correct :) Your rules have two filter statements, it's only the filter(host1); and not the filter(DEFAULT); which is causing any action. -- afort
I think it might be a better idea to do it one of these ways:

For each match, increment a variable. Add a filter(DEFAULT=x) where that filter only matches if the variable is set to that number (or possibly lower?). This allows you to write a few filter statements and say "ok this packet should be matched by rules #1,2,3 so, the number of matches is 3. now i set filter(DEFAULT=3) to match any other packets". This gives you a bit more control over it in that you can still have multiple matches, and DEFAULT will still log some things.

or...

Set the default filter to include a hostname and a variable number like above. This way you can match against several hosts and count the matches as described above. This allows for a bit more flexibility than above. A missing hostname could get interpreted as all hosts.

This functionality could also be built into the functions that receive the packets and store the "matched x times" variable.

On Wed, Dec 13, 2000 at 03:30:26PM +1000, Andrew Fort wrote:
| > So it will have the opposite effect of what I wanted then... anything
| > that matches host1 will set match=1 and DEFAULT won't match. Heh,
| > somehow I find it amusing that my logic was completely backwards. Or
| > maybe I'm up too late. :-)
|
| Correct :) Your rules have two filter statements, it's only the
|
| filter(host1);
|
| and not the filter(DEFAULT); which is causing any action.
|
| --
| afort
|
| _______________________________________________
| syslog-ng maillist - syslog-ng@lists.balabit.hu
| https://lists.balabit.hu/mailman/listinfo/syslog-ng
On Wed, Dec 13, 2000 at 11:31:43AM -0500, jon@dumbo.pobox.com wrote:
| i think it might be a better idea to do it one of these ways:
[snip]

Interesting... My personal bent (based on my personal need, of course ;) is to have filter(DEFAULT) work with any other filter. So something like

    log { source(src); filter(host1); filter(kern); filter(DEFAULT); \
          destination(host1-kern); };

...would capture any kernel messages from host1 that haven't been captured by any other rule. That would really make my week :-)

Interestingly enough, if you move filter(DEFAULT) to be the FIRST filter in a log rule, you get an error if there are any other filter()'s there. There is no error if it's anywhere else though...
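An added example, not code from the thread or from syslog-ng itself: a small Python simulation of the fallback semantics William asks for (filter(DEFAULT) combined with other filters catching only what no other rule took), driven by the per-message match counter jon proposes. The log path names, hosts and messages are hypothetical.

```python
from dataclasses import dataclass, field
@dataclass
class Msg:
    host: str
    facility: str
    priority: str

@dataclass
class LogPath:            # one 'log { filter(...); ... destination(...); };'
    name: str
    filters: list = field(default_factory=list)  # predicates on a Msg
    default: bool = False                        # path carries filter(DEFAULT)

def host(h):     return lambda m: m.host == h
def facility(f): return lambda m: m.facility == f

def route(paths, msgs):
    """Return {path name: [delivered messages]} under fallback semantics:
    ordinary paths run first and each hit bumps a per-message match counter
    (jon's proposal); a DEFAULT path is tried only while that counter is still
    0, and its other filters must match too (William's host1/kern wish)."""
    delivered = {p.name: [] for p in paths}
    for m in msgs:
        matched = 0
        for p in paths:
            if not p.default and all(f(m) for f in p.filters):
                delivered[p.name].append(m)
                matched += 1
        if matched == 0:
            for p in paths:
                if p.default and all(f(m) for f in p.filters):
                    delivered[p.name].append(m)
    return delivered

# Hypothetical log statements built around the thread's host1/kern example.
PATHS = [
    LogPath("kern-crit", [facility("kern"), lambda m: m.priority == "crit"]),
    LogPath("host1-auth", [host("host1"), facility("auth")]),
    LogPath("host1-kern", [host("host1"), facility("kern")], default=True),
]
# Constructed sample messages, not captured logs.
SAMPLE = [
    Msg("host1", "kern", "info"),  # nothing else wants it -> host1-kern
    Msg("host1", "kern", "crit"),  # kern-crit takes it, so DEFAULT stays quiet
    Msg("host1", "auth", "info"),  # host1-auth
    Msg("host2", "kern", "info"),  # unmatched: the DEFAULT path still needs host1
]
def demo():               # -> {name: [(host, facility, priority), ...]}
    return {n: [(m.host, m.facility, m.priority) for m in ms]
            for n, ms in route(PATHS, SAMPLE).items()}
```

The second message shows the difference from the current behaviour described above: it matches host1 and kern but is not duplicated into host1-kern because another path already captured it.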
How do I use syslog-ng with a cisco 2501?

-dave
-----------------------------------
David Gladstone
Data Center Manager
Automated Financial Systems
a BROKAT Company
(212) 771-1927
cell: (718) 930-3708
There isn't anything specific to syslog-ng with Cisco routers. Syslog and syslog-ng can both capture output from cisco routers, but you have to configure the router for that. Look on cisco's site on how to set up the router to log to a remote host. Pretty easy.

Once you've gotten the router sending the data, and the remote host accepting the data, then you can tweak syslog-ng or syslog to do your bidding. I use syslog-ng specifically because it has the nice macro facility that will create files as messages of a specific priority are received by the host. I don't think syslog will even create files. Using

    destination router { file(router.$PRIORITY)};

it will create router.err for error messages, and so on.

I hope that helps. I figured I'd put in my .02.

Thanks,
Brian Seppanen

On Fri, 15 Dec 2000, David Gladstone wrote:
> To: syslog-ng@lists.balabit.hu
> From: David Gladstone <david@automatedfinancial.com>
> Subject: [syslog-ng]syslog-ng with cisco
>
> how do i use syslog-ng with a cisco 2501
>
> -dave
--
Brian Seppanen
Charter Communications
Regional Data Center
906-228-4226 ext 23
Marquette, MI
seppy@chartermi.net
participants (5)
- Andrew Fort
- Brian E. Seppanen
- David Gladstone
- jon@dumbo.pobox.com
- William Yodlowsky