syslog-ng and regex
Hello,
I am very new at syslog-ng and at its list. I am running two Debian GNU/Linux boxes. One as a DSL Router and the other as my workstation.
Today I have installed syslog-ng via apt-get (1.5.15-1.1).
I tried to setup remote logging. I want my router/firewall logging additionally to my workstation. On the router I have the following entries in syslog-ng.conf
Hostname of router = xenia
--- cut here ----
destination loghost {udp("192.168.1.1" port(514));};
log { source(src); destination(loghost); };
--- cut here ----
Hostname of workstation = kaliba
On my workstation I have in syslog-ng.conf:
--- cut here ----
destination rlogging { file("/var/log/syslog-ng/$HOST/syslog.log" sync(0) log_fifo_size(10) create_dirs(yes) owner(root) group(system) perm(0660) dir_perm(0770)); };
filter f_xenia { match("xenia"); };
log { source(src); filter(f_xenia); destination(rlogging); };
--- cut here ----
I am not sure if this setup is correct. Maybe you can give me some advice. If it is necessary to have my configs, please tell me, I will post them afterwards.
Now I have a second question: on my workstation runs a cron job which looks for a new antivir definition file or a new program version (binary file). I tried to put the syslog entries in a separate file.
Can I use regex in the match()? Maybe like this: match("antivir\[[0-9]+\]") to catch antivir[19129]
--- cut here ----
destination antivir { file("/var/log/antivir.log"); };
filter f_antivir { match("kaliba antivir"); };
log { source(src); filter(f_antivir); destination(antivir); };
--- cut here ----
But the logfile entries do not arrive in /var/log/antivir.log. Did I do anything wrong?
Best regards,
Micha Holzmann
--
My software never has bugs. It just develops random features.
Micha,
Since you are using private IP addressing space, and you don't indicate that you have a DNS set up to resolve the xenia and kaliba names, it may be better for you to try something like:
filter xenia { host("192.168.1.2"); };
Dave
Micha Holzmann wrote:
Hello,
I am very new at syslog-ng and at its list. I am running two Debian GNU/Linux boxes. One as a DSL Router and the other as my workstation.
Today I have installed syslog-ng via apt-get (1.5.15-1.1).
I tried to setup remote logging. I want my router/firewall logging additionally to my workstation. On the router I have the following entries in syslog-ng.conf
Hostname of router = xenia
--- cut here ----
destination loghost {udp("192.168.1.1" port(514));};
log { source(src); destination(loghost); };
--- cut here ----
Hostname of workstation = kaliba
On my workstation I have in syslog-ng.conf:
--- cut here ----
destination rlogging { file("/var/log/syslog-ng/$HOST/syslog.log" sync(0) log_fifo_size(10) create_dirs(yes) owner(root) group(system) perm(0660) dir_perm(0770)); };
filter f_xenia { match("xenia"); };
log { source(src); filter(f_xenia); destination(rlogging); };
--- cut here ----
I am not sure if this setup is correct. Maybe you can give me some advice. If it is necessary to have my configs, please tell me, I will post them afterwards.
Now I have a second question: on my workstation runs a cron job which looks for a new antivir definition file or a new program version (binary file). I tried to put the syslog entries in a separate file.
Can I use regex in the match()? Maybe like this: match("antivir\[[0-9]+\]") to catch antivir[19129]
--- cut here ----
destination antivir { file("/var/log/antivir.log"); };
filter f_antivir { match("kaliba antivir"); };
log { source(src); filter(f_antivir); destination(antivir); };
--- cut here ----
But the logfile entries do not arrive in /var/log/antivir.log. Did I do anything wrong?
Best regards, Micha Holzmann
With the new version being available, are there any documents on the new capabilities for templates and such? Richard
On Monday 24 February 2003 20:15, Richard E. Perlotto II wrote:
With the new version being available, are there any documents on the new capabilities for templates and such?
Not yet, it's still missing (even in the snapshot syslog-ng-1.6rc1+20030224). But the "new capabilities for templates" are the implementation of the well known "template()" and "template_escape()" options of the "file" destination driver to all other destination drivers. The syntax is the same. Thus you can define destination drivers like
destination d_net { tcp("loghost" port(10514) template("$ISODATE $HOST $MSG\n") template_escape(yes) ); };
destination d_user { usertty("achim" template("$ISODATE $HOST [$FACILITY.$LEVEL] $MSG\n") template_escape(yes) ); };
etc ....
Achim
On Mon, Feb 24, 2003 at 11:29:05PM +0100, Achim Gsell wrote:
On Monday 24 February 2003 20:15, Richard E. Perlotto II wrote:
With the new version being available, are there any documents on the new capabilities for templates and such?
Not yet, it's still missing (even in the snapshot syslog-ng-1.6rc1+20030224). But the "new capabilities for templates" are the implementation of the well known "template()" and "template_escape()" options of the "file" destination driver to all other destination drivers. The syntax is the same. Thus you can define destination drivers like
what do you miss, the documentation or your patch? the patch _is_ integrated.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tuesday 25 February 2003 08:48, Balazs Scheidler wrote:
On Mon, Feb 24, 2003 at 11:29:05PM +0100, Achim Gsell wrote:
On Monday 24 February 2003 20:15, Richard E. Perlotto II wrote:
With the new version being available, are there any documents on the new capabilities for templates and such?
Not yet, it's still missing (even in the snapshot syslog-ng-1.6rc1+20030224). But the "new capabilities for templates" are the implementation of the well known "template()" and "template_escape()" options of the "file" destination driver to all other destination drivers. The syntax is the same. Thus you can define destination drivers like
what do you miss, the documentation or your patch? the patch _is_ integrated.
Only the documentation :-) But I can write the missing stuff ...
Achim
In an effort to help the documentation movement I have created yet more detailed *.spec (for RPM's) and syslog-ng.conf files for those that are interested. They can be found at:
ftp://ftp.cataphract.com/syslog/syslog-ng/syslog-ng/syslog-ng-1.6.0rc1
Also contained with the directory are RPM files generated for Mandrake Linux, although they should work on other Red Hat variants as well.
Richard
On Thu, Feb 27, 2003 at 09:30:02PM -0800, Richard E. Perlotto II wrote:
In an effort to help the documentation movement I have created yet more detailed *.spec (for RPM's) and syslog-ng.conf files for those that are interested. They can be found at:
ftp://ftp.cataphract.com/syslog/syslog-ng/syslog-ng/syslog-ng-1.6.0rc1
Also contained with the directory are RPM files generated for Mandrake Linux, although they should work on other Red Hat variants as well.
can you check the patch by Blaise St-Laurent? He created a similar patch and I would prefer adding a unified patch.
Here is the URL of Blaise's patch:
https://lists.balabit.hu/pipermail/syslog-ng/2003-February/004669.html
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
My patch was for RedHat Linux 8.0. There shouldn't be too big a difference, but it's always nice to have Mandrake specific RPMS as well (there are different packaging standards for the two of them)
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, February 28, 2003 3:47 AM
To: syslog-ng@lists.balabit.hu
Cc: bstlaurent@okiok.com
Subject: Re: [syslog-ng]New SPEC/CONF files
On Thu, Feb 27, 2003 at 09:30:02PM -0800, Richard E. Perlotto II wrote:
In an effort to help the documentation movement I have created yet more detailed *.spec (for RPM's) and syslog-ng.conf files for those that are interested. They can be found at:
ftp://ftp.cataphract.com/syslog/syslog-ng/syslog-ng/syslog-ng-1.6.0rc1
Also contained with the directory are RPM files generated for Mandrake Linux, although they should work on other Red Hat variants as well.
can you check the patch by Blaise St-Laurent? He created a similar patch and I would prefer adding a unified patch.
Here is the URL of Blaise's patch:
https://lists.balabit.hu/pipermail/syslog-ng/2003-February/004669.html
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Correct, Blaise, you may want to take a look at my SPEC file and see where it differs from yours. Perhaps mine will work for both. I had included pointers to several other init files that are not normally included.
Richard
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Blaise St-Laurent
Sent: Friday, February 28, 2003 7:12 AM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]New SPEC/CONF files
My patch was for RedHat Linux 8.0. There shouldn't be too big a difference, but it's always nice to have Mandrake specific RPMS as well (there are different packaging standards for the two of them)
ok, your spec file is MUCH cleaner and better written than mine, let's go with yours. From what I can see, there should be no problem building it with RedHat, just be sure not to put a dependency on mysql.
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Richard E. Perlotto II
Sent: Friday, February 28, 2003 6:45 PM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]New SPEC/CONF files
Correct, Blaise you may want to take a look at my SPEC file and see where it differentiates from yours. Perhaps mine will work for both. I had included pointers to several other init files that are not normally included.
Richard
On Thu, Feb 27, 2003 at 09:30:02PM -0800, Richard E. Perlotto II wrote:
In an effort to help the documentation movement I have created yet more detailed *.spec (for RPM's) and syslog-ng.conf files for those that are interested. They can be found at:
ftp://ftp.cataphract.com/syslog/syslog-ng/syslog-ng/syslog-ng-1.6.0rc1
Also contained with the directory are RPM files generated for Mandrake Linux, although they should work on other Red Hat variants as well.
I was about to integrate the spec files but I am unable to resolve ftp.cataphract.com
can you provide an alternate location (or IP address?)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Thu, Apr 10, 2003 at 10:22:00AM +0200, Balazs Scheidler wrote:
On Thu, Feb 27, 2003 at 09:30:02PM -0800, Richard E. Perlotto II wrote:
In an effort to help the documentation movement I have created yet more detailed *.spec (for RPM's) and syslog-ng.conf files for those that are interested. They can be found at:
ftp://ftp.cataphract.com/syslog/syslog-ng/syslog-ng/syslog-ng-1.6.0rc1
Also contained with the directory are RPM files generated for Mandrake Linux, although they should work on other Red Hat variants as well.
I was about to integrate the spec files but I am unable to resolve ftp.cataphract.com
can you provide an alternate location (or IP address?)
it must have been a problem at my side (my international connection) it works flawlessly now. thanks. -- Bazsi
Nah, my DSL has been flaky for the last week. My new T1 is getting installed tomorrow so after I convert to my new addresses everything should run fine again. Sorry for the problems.
Richard
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, April 10, 2003 4:38 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]New SPEC/CONF files
On Thu, Apr 10, 2003 at 10:22:00AM +0200, Balazs Scheidler wrote:
it must have been a problem at my side (my international connection) it works flawlessly now. thanks.
--
Bazsi
Hello David,
David Mallwitz wrote:
Micha, Since you are using private IP addressing space, and you don't indicate that you have a DNS set up to resolve the xenia and kaliba names it may be better for you to try something like:
filter xenia { host("192.168.1.2"); };
sorry that I did not mention it. I am using djbdns as DNS Server. The filter statement "filter f_xenia { match("xenia"); };" should catch syslog messages like this:
Feb 24 15:57:08 xenia EoChn: IN=ppp0 OUT= MAC= SRC=217.126.110.12 \
DST=217.227.156.180 LEN=46 TOS=0x00 PREC=0x00 TTL=115 ID=44191 \
PROTO=UDP SPT=1260 DPT=4665 LEN=26
It was not intended to catch the host primarily, just to match the string xenia in the corresponding syslog message. Is (from this point of view) my filter statement right?
Best regards,
Micha Holzmann
--
rm -rf; remote mail; real fast.
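As an added illustration (not code from the thread or from syslog-ng itself), the Python script below parses lines like Micha's firewall example and evaluates filters equivalent to the host() and match() expressions discussed above, plus a small renderer for the template()/template_escape() options Achim describes. It assumes that in the syslog-ng 1.x series match() is applied to the message text only and not to the host or program header fields; the parse, select and render functions and the two extra sample lines are the example's own.

```python
import re

# Constructed sample lines in the BSD syslog layout the thread discusses. The first
# is the firewall line from Micha's post with its continuations joined; the other
# two are made up for this demonstration.
SAMPLE_LINES = [
    "Feb 24 15:57:08 xenia EoChn: IN=ppp0 OUT= MAC= SRC=217.126.110.12 "
    "DST=217.227.156.180 LEN=46 TOS=0x00 PREC=0x00 TTL=115 ID=44191 "
    "PROTO=UDP SPT=1260 DPT=4665 LEN=26",
    "Feb 24 16:02:11 kaliba antivir[19129]: new vdf file installed",
    "Feb 24 16:03:40 kaliba cron[2201]: (root) CMD (/usr/local/bin/antivir-update)",
]

# timestamp, host, program, optional [pid], then the message text
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse(line):
    """Split a line into the fields syslog-ng exposes as $DATE, $HOST, $PROGRAM, $PID, $MSG."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: " + line)
    rec = m.groupdict()
    rec["pid"] = rec["pid"] or ""
    return rec

# Filter expressions. Assumption (this example's reading of the 1.x semantics):
# match() is applied to the message text only; host() and program() see the header.
def host(name):
    return lambda rec: rec["host"] == name
def program(regex):
    return lambda rec: re.search(regex, rec["program"]) is not None
def match(regex):
    return lambda rec: re.search(regex, rec["msg"]) is not None

def select(filt, lines):
    """Return the lines a log { filter(...); destination(...); } statement would pass on."""
    return [line for line in lines if filt(parse(line))]

# Destination formatting as in Achim's template()/template_escape() examples,
# limited to the macros the parser above provides.
def render(template, rec, escape=False):
    out = template
    for macro in ("date", "host", "program", "pid", "msg"):
        value = rec[macro]
        if escape:  # template_escape(yes): backslash-escape quotes and backslashes
            value = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
        out = out.replace("$" + macro.upper(), value)
    return out

if __name__ == "__main__":
    for name, filt in (("match(xenia)", match("xenia")), ("host(xenia)", host("xenia"))):
        print(name, "->", [render("$HOST $PROGRAM: $MSG", parse(l)) for l in select(filt, SAMPLE_LINES)])
```

Run as-is it shows that match("xenia") selects nothing because the hostname is not part of the message text, while host("xenia") selects the firewall line; the same holds for match("kaliba antivir") versus program("^antivir$").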
participants (6)
- Achim Gsell
- Balazs Scheidler
- Blaise St-Laurent
- David Mallwitz
- Micha Holzmann
- Richard E. Perlotto II