I am trying to remove a specific set of hosts from a network range using filters.

For example, I have the following:

    filter f_home_subnet { ( netmask("192.168.0.0/24") ); };

I now want to exclude some specific hosts, let's say 192.168.0.10 and 192.168.0.20.

My attempts at adding "not host" to the above don't seem to work.

Any pointers / suggestions would be greatly appreciated.

Thanks,
Ian
Should be able to use booleans here, either in the filter or in the log statement:

either within the filter:

    filter f_some_but_not_all {
        netmask("192.168.0.0/24")
        and not ( netmask("192.168.0.1/32") or netmask("192.168.0.11/32") );
    };

or like this:

    filter f_home_net { netmask("192.168.0.0/24"); };
    filter f_home_exclusions {
        not ( netmask("192.168.0.1/32") or netmask("192.168.0.11/32") );
    };
    log {
        source(s_network);
        filter(f_home_net);
        filter(f_home_exclusions);
        destination(d_some_dest);
    };

Jim

---- Ian Hasund <ian@hasund.us> wrote:
> I am trying to remove a specific set of hosts from a network range using filters.
> For example, I have the following:
>
>     filter f_home_subnet { ( netmask("192.168.0.0/24") ); };
>
> I now want to exclude some specific hosts, let's say 192.168.0.10 and 192.168.0.20.
> My attempts at adding "not host" to the above don't seem to work.
> Any pointers / suggestions would be greatly appreciated.
> Thanks, Ian
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Thanks. I discovered my issue when testing. I was using "host" and my server was sending as its hostname versus IP. As soon as I changed to "netmask", this worked.

Thanks for the quick feedback.

/Ian

-----Original Message-----
From: jrhendri@roadrunner.com [mailto:jrhendri@roadrunner.com]
Sent: Monday, March 31, 2014 10:54 AM
To: Syslog-ng users' and developers' mailing list
Cc: Ian Hasund
Subject: Re: [syslog-ng] Filter out host from netmask range

> Should be able to use booleans here, either in the filter or in the log statement:
>
> either within the filter:
>
>     filter f_some_but_not_all {
>         netmask("192.168.0.0/24")
>         and not ( netmask("192.168.0.1/32") or netmask("192.168.0.11/32") );
>     };
>
> or like this:
>
>     filter f_home_net { netmask("192.168.0.0/24"); };
>     filter f_home_exclusions {
>         not ( netmask("192.168.0.1/32") or netmask("192.168.0.11/32") );
>     };
>     log {
>         source(s_network);
>         filter(f_home_net);
>         filter(f_home_exclusions);
>         destination(d_some_dest);
>     };
>
> Jim
Cool. Personally I like netmask since I have seen far too many broken syslog formats that mess with the HOST macros (although I have been told that parsing speed should be about the same either way).

---- Ian Hasund <ian@hasund.us> wrote:

> Thanks. I discovered my issue when testing. I was using "host" and my server was sending as its hostname versus IP. As soon as I changed to "netmask", this worked.
> Thanks for the quick feedback.
> /Ian
The host filter applies to the $HOST field. Just use the netmask filter with 32 as mask.

On Mar 31, 2014 2:31 PM, "Ian Hasund" <ian@hasund.us> wrote:

> I am trying to remove a specific set of hosts from a network range using filters.
> For example, I have the following:
>
>     filter f_home_subnet { ( netmask("192.168.0.0/24") ); };
>
> I now want to exclude some specific hosts, let's say 192.168.0.10 and 192.168.0.20.
> My attempts at adding "not host" to the above don't seem to work.
> Any pointers / suggestions would be greatly appreciated.
> Thanks, Ian
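The difference the thread arrives at, as an added Python sketch that is not from any of the posters or from syslog-ng itself. It models netmask() as a test on the sender's IP address and host() as a regular-expression search on the $HOST field; the helper names and the sample messages are constructed for illustration.

```python
import ipaddress
import re

SUBNET = ipaddress.ip_network("192.168.0.0/24")
# The two hosts from the original question, written as /32 networks.
EXCLUDED = [ipaddress.ip_network(n)
            for n in ("192.168.0.10/32", "192.168.0.20/32")]

def netmask(src_ip, network):
    """Simplified model of netmask(): is the sender's IP inside the network?"""
    return ipaddress.ip_address(src_ip) in network

def host(host_field, pattern):
    """Simplified model of host(): regex search against the $HOST field."""
    return re.search(pattern, host_field) is not None

def keep_by_netmask(msg):
    """netmask(/24) and not (netmask(.10/32) or netmask(.20/32))"""
    return netmask(msg["src_ip"], SUBNET) and not any(
        netmask(msg["src_ip"], n) for n in EXCLUDED)

def keep_by_host(msg):
    """netmask(/24) and not (host(.10) or host(.20)): the "not host" attempt."""
    return netmask(msg["src_ip"], SUBNET) and not (
        host(msg["host"], r"^192\.168\.0\.10$")
        or host(msg["host"], r"^192\.168\.0\.20$"))

# Constructed sample messages: sender address plus the HOST value it reported.
MESSAGES = [
    {"src_ip": "192.168.0.5",   "host": "192.168.0.5"},   # wanted host
    {"src_ip": "192.168.0.10",  "host": "fileserver"},    # excluded, sends hostname
    {"src_ip": "192.168.0.20",  "host": "192.168.0.20"},  # excluded, sends its IP
    {"src_ip": "192.168.0.100", "host": "192.168.0.10"},  # wanted, HOST mangled
    {"src_ip": "10.0.0.7",      "host": "192.168.0.5"},   # outside the subnet
]

def kept(predicate):
    """Sender addresses of the sample messages that pass the filter."""
    return [m["src_ip"] for m in MESSAGES if predicate(m)]

if __name__ == "__main__":
    print("netmask exclusions keep:", kept(keep_by_netmask))
    print("host exclusions keep:   ", kept(keep_by_host))
```

With the host-based exclusion, 192.168.0.10 slips through because it reports a hostname, and 192.168.0.100 is dropped because its HOST field happens to read 192.168.0.10; the netmask-based exclusion depends only on the sender address.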
participants (3)
- Balazs Scheidler
- Ian Hasund
- jrhendri@roadrunner.com