can two destinations refer to the same file?
Hi there

I'm wanting to configure syslog-ng so that I have two different filters that are associated with two different destinations - which have the same filename - but different templates. The issue I have is that we have a range of syslog clients, which may or may not have trustworthy clocks. So I default to ignoring their timestamps and use the syslog server's clock, except for the hosts I know to also use NTP. What I want to confirm is that syslog-ng will happily open /var/log/messages ONCE and will parse the following the way I intend?

ie

    #clocks on unix systems (which are named 'blah-unix-number') are always configured correctly
    filter f_goodclock { host("-unix-") };
    #can't trust everything else
    filter f_badclock { not host("-unix-") };

    destination d_badclock_messages { file("/var/log/messages" template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")); };
    destination d_goodclock_messages { file("/var/log/messages" template("$S_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")); };

    log { ... filter(f_badclock); destination(d_badclock_messages);};
    log { ... filter(f_goodclock); destination(d_goodclock_messages);};

Should that work as I hope?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Hi!

I have (more or less) copy&pasted your config and I can confirm it works as you expect;-) I tested with 3.0.3 OSE.

Best wishes,
Peter

On Sun, 2009-10-25 at 09:14 +1300, Jason Haar wrote:
> Hi there
>
> I'm wanting to configure syslog-ng so that I have two different filters that are associated with two different destinations - which have the same filename - but different templates. The issue I have is that we have a range of syslog clients, which may or may not have trustworthy clocks. So I default to ignoring their timestamps and use the syslog server's clock, except for the hosts I know to also use NTP. What I want to confirm is that syslog-ng will happily open /var/log/messages ONCE and will parse the following the way I intend?
>
> ie
>
>     #clocks on unix systems (which are named 'blah-unix-number') are always configured correctly
>     filter f_goodclock { host("-unix-") };
>     #can't trust everything else
>     filter f_badclock { not host("-unix-") };
>
>     destination d_badclock_messages { file("/var/log/messages" template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")); };
>     destination d_goodclock_messages { file("/var/log/messages" template("$S_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")); };
>
>     log { ... filter(f_badclock); destination(d_badclock_messages);};
>     log { ... filter(f_goodclock); destination(d_goodclock_messages);};
>
> Should that work as I hope?
--
Höltzl Péter
CISA, IT security consultant
holtzl.peter@balabit.hu
+36 20 366 9667
BalaBit IT Security
1115 Budapest XI. Bártfai u. 54.
Tel +36 1 371 0540 Fax +36 1 208 0875

This message and any material attached to it are confidential, legally protected, and protected from public disclosure. The message may be used only by the addressee and those authorised by the addressee. If you are not the addressee of this message, please notify the sender by telephone or e-mail and delete the message and all of its attachments from your system. If you are not the addressee of this message, you are prohibited from copying or saving the message or any of its attachments, disclosing its contents to anyone, or misusing it.
On 10/26/2009 08:20 AM, Höltzl Péter wrote:
> Hi!
>
> I have (more or less) copy&pasted your config and I can confirm it works as you expect;-) I tested with 3.0.3 OSE.

Great - I was really after confirmation that what I was trying to do was actually supported. I wouldn't want to implement it, and then find out a few releases later that it breaks because I made an assumption that was no longer valid.

Jason

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
On Mon, 2009-10-26 at 10:42 +1300, Jason Haar wrote:
> On 10/26/2009 08:20 AM, Höltzl Péter wrote:
>> Hi!
>>
>> I have (more or less) copy&pasted your config and I can confirm it works as you expect;-) I tested with 3.0.3 OSE.
>
> Great - I was really after confirmation that what I was trying to do was actually supported. I wouldn't want to implement it, and then find out a few releases later that it breaks because I made an assumption that was no longer valid.
The current implementation of syslog-ng ensures that opening the same file in two distinct file destinations will work. I didn't intend this behaviour; however, many people depend on it, thus I'll support it.

--
Bazsi
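Since the thread establishes that two file destinations sharing one path works but was not originally intended, a configuration audit that lists every such shared path is a useful check to run before an upgrade. The following is an added example, not part of the thread and not syslog-ng code: the function names are hypothetical, the sample configuration is constructed from the destinations quoted above, and the tokenizer assumes a well-formed configuration using only the syntax shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the destinations posted in this thread.
SAMPLE_CONF = r'''
# clocks on -unix- hosts are trusted, everything else is not
destination d_badclock_messages {
    file("/var/log/messages" template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")); };
destination d_goodclock_messages {
    file("/var/log/messages" template("$S_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")); };
destination d_auth { file("/var/log/auth.log"); };
'''

# Quoted strings are matched first, so '#', braces and parentheses inside a
# template are treated as text rather than as syntax.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|#[^\n]*|[{}();]|[^\s{}();"#]+')

def unquote(tok):
    return tok[1:-1] if tok.startswith('"') else tok

def file_destinations(conf):
    """Map each file() path to the (destination, template) pairs that write to it."""
    toks = [t for t in TOKEN_RE.findall(conf) if not t.startswith("#")]
    by_path, dest, depth = defaultdict(list), None, 0
    for i, tok in enumerate(toks):
        if tok == "destination" and depth == 0 and toks[i + 2:i + 3] == ["{"]:
            dest = toks[i + 1]
        elif tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            dest = dest if depth else None   # left the destination block
        elif tok == "file" and dest and depth == 1 and toks[i + 1:i + 2] == ["("]:
            path, template, parens, j = unquote(toks[i + 2]), None, 1, i + 2
            while parens and j + 1 < len(toks):   # walk to the ')' that closes file(
                j += 1
                parens += (toks[j] == "(") - (toks[j] == ")")
                if toks[j] == "template" and toks[j + 1:j + 2] == ["("]:
                    template = unquote(toks[j + 2])
            by_path[path].append((dest, template))
    return dict(by_path)

def shared_paths(conf):
    """Paths written by more than one destination, and whether their templates differ."""
    return {path: {"destinations": [d for d, _ in writers],
                   "templates_differ": len({t for _, t in writers}) > 1}
            for path, writers in file_destinations(conf).items() if len(writers) > 1}

if __name__ == "__main__":
    for path, info in shared_paths(SAMPLE_CONF).items():
        print(path, info)
```

A path reported with `templates_differ` set means the file will contain lines in more than one layout, which any parser or alerting rule reading that file has to accept.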
participants (3): Balazs Scheidler, Höltzl Péter, Jason Haar