Regex Solaris from Linux hosts in Syslog-ng config file
Hello All,

We are drawing logs from several hosts, which include Solaris (10, 11) and Linux (CentOS, Ubuntu, RHEL), into syslog servers. I want to be able to separate the Solaris logs. Is there any pattern we can match for Solaris logs that you may know?

Thanks,
Vijay Amrut.
Well, probably the only sensible way is to filter based on IP addresses.

On Oct 29, 2015 6:09 AM, "vijay amruth" <vijayamruth@gmail.com> wrote:
[... snip ...]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Thank you for the reply Balazs.

Can we use filter functions like this below?

    filter f_solaris { host('uname == solaris') }

My idea is to identify Solaris servers.

Thanks all,
~Vj

On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
[... snip ...]
-- Thanks, Vijay Amrut.
You could use a second interface on the syslog servers and configure the Solaris servers to use this alternate IP address. You could also use a different port. Then you could tag the source with "solaris" and use the tag filtering to separate those messages out of the mix.

Just my $0.02

On 10/29/2015 12:22 PM, vijay amruth wrote:
[... snip ...]
Thank you Evan, great idea! Can we achieve this with a regex in the syslog-ng.conf file on the server side?

Thank you,
~Vj

On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel@uvic.ca> wrote:
[... snip ...]
The syslog server has to listen on the ipaddress:port combination. The Solaris hosts need to syslog to the new ipaddress:port combination.

Since I don't know how you are processing your log lines in your syslog-ng configuration it is difficult to provide a lot of guidance, but here are a couple of examples.

---- option #1 Using a completely different source. - you must fill in the IP addresses and port numbers

    # one listener per host class; the tag travels with every message it accepts
    source s_regular_syslog {
        tcp(localip(regularIP) port(regularPort)
            max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
            tags("regular_syslog"));
    };
    source s_solaris_syslog {
        tcp(localip(solarisIP) port(solarisPort)
            max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
            tags("solaris_syslog"));
    };

    log { source(s_regular_syslog); destination(d_regular_destination); };
    log { source(s_solaris_syslog); destination(d_solaris_syslog); };

---- option #2 Using a tagged source. - you must fill in the IP addresses and port numbers

    source s_all_syslog {
        tcp(localip(regularIP) port(regularPort)
            max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
            tags("regular_syslog"));
        tcp(localip(solarisIP) port(solarisPort)
            max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
            tags("solaris_syslog"));
    };

    filter f_solaris { tags("solaris_syslog"); };

    # tagged messages leave through the first branch; flags(final) stops them
    # from also reaching the catch-all branch below
    log {
        source(s_all_syslog);
        log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
        log { destination(d_regular_destination); };
    };

I hope that gives you the basics of what is needed.

On 10/29/2015 12:41 PM, vijay amruth wrote:
[... snip ...]
--
Evan Rempel
erempel@uvic.ca
Senior Systems Administrator
250.721.7691
Data Centre Services, University Systems, University of Victoria
Thank you Evan.

Right now, we add a Solaris server every time we spin one up; it's like this:

    filter f_solaris {
        host('x.x.x.x') or host('x.x.x.2') or host('x.x.x.3') or host('x.x.x.4')
        or host('hostname1') or host('hostname2');
    };

So every time we spin up a server we just go and add it manually to the config file, either with its host name or the IP. I want to be able to automate this with filter functions and/or regex so that I don't have to add it manually to the config file on the server every time. There is a similar config for Linux hosts too.

Hope I am clear. Appreciate you taking your time out for this.

~Vj

On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <erempel@uvic.ca> wrote:
[... snip ...]
Before I get too deep into how this is done, can I ask why you want to separate your logs for Solaris and Linux?

On 10/29/2015 01:06 PM, vijay amruth wrote:
[... snip ...]
Hello vijay,

"Evan Rempel" <erempel@uvic.ca> wrote on 2015-10-29 at 17:54:
[... snip ...]
Yes. It was clear. In that case you know the solution. You can analyze the log messages, but you will not find anything useful which will give you a usable distinction between the clients' OS types. So let's keep on the ground: using regex is a dead idea.

The OS macro which Róbert mentioned is... They will need to upgrade all of your clients and change all of their configuration templates to send this information in all of the log events, which will enlarge every log message with this extra information. I think it is not an easily maintainable idea.

If modifying all of your clients is an option, then I would use Evan's idea: listen on two or more different ports. Let's say 1001, 1002, and 1003. Let 1001 substitute the "original" bad solution. Let 1002 be kept for the Linux senders and let 1003 be kept for your Solaris senders. You can tag the three different sockets as was already shown. And step by step you can deploy the new approach to your clients: change Linux clients to send their logs to port 1002 instead of 1001; change Solaris clients to send their logs to port 1003 instead of 1001. And step by step you can reach an organized state where all of your clients do this.

Another idea, if changing client settings is also an option: you put this info manually into an SDATA field, and later you filter based on this. This requires that the logs be transferred through the IETF syslog protocol instead of the legacy syslog protocol.

I cannot imagine a reason why Linux and Solaris clients should have the same config. But if we assume this ridiculous idea, and the only distinction you have is the IP address list, you still have an option to handle this situation well: if the receiving machine is a Linux box, then you can create an iptables rule that matches the Linux clients and DNATs the logs which would come to this imaginary port 1001, redirecting them to port 1002, and another DNAT rule which matches the Solaris clients and redirects traffic coming to port 1001 to port 1003.

A simple example:

    iptables -t nat -I PREROUTING -s 1.2.3.4 -p tcp -m tcp --dport 1001 -j REDIRECT --to-ports 1002

A better solution is if you do not match the Linux clients based on this kind of single IP address. Use an ipset match rule instead. In that case you need only two iptables rules and some ipset maintenance. E.g. the mentioned iptables rule would be this:

    iptables -t nat -I PREROUTING -p tcp -m tcp --dport 1001 -m set --match-set linux src -j REDIRECT --to-ports 1002

And the set creation:

    ipset create linux hash:ip
    ipset add linux 1.2.3.4
    ipset add linux 1.2.3.5
    ...

Once you are done with that you can save the rules and restore them at boot time.

Saving:

    ipset save >/etc/myipset

Restoring:

    ipset restore </etc/myipset

Something you need to care about: do the restore first, and then load the iptables rule! The iptables rule needs the ipset to already exist. It does not matter if you did not load any entry into it, but it will not allow your iptables rule regarding a set until the set exists.

I hope you have enough lego blocks in your hand now to solve the problem in an effective way! ;-)

Kind regards,
Gyu
On 30.10.2015 16:15, PÁSZTOR György wrote:
[... snip ...]
Well, how is this any better than specifying the clients' IP addresses/hostnames in syslog-ng.conf?
Let me suggest another idea: if Vijay has control over the clients' hostnames, you could devise a simple host naming scheme where you encode some metadata in the client's hostname. For example, you could name all Solaris clients with a hostname that starts with "s", and all Linux clients with a hostname that starts with "l"; then it's dead easy to match that in the syslog-ng configuration.

The downside is that it is painful to introduce. But you could use a mixed approach, where all the existing clients keep their hostnames (and you put them explicitly in the filter), and all the new ones get named with this naming scheme.

HTH

--
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
Hi,

Going out on a limb here. Could this have something to do with the actual facility/priority bits in the syslog message? I recall that Solaris does it differently than (well, pretty much anyone actually) Linux. If you look at the syslog.h file (/usr/include/sys/syslog.h on some systems) it shows the definition used by *that* system. This makes things a little wonky when the syslog server uses a different set of bits from the syslog client.

At one point I did use something similar to re-map the name of syslog files on a Linux server so that the facility.priority in the log file name matched the sending client.

Or am I too far out here?

Jim

"Come in from the limb, there is no limb..." <Gru>

On 11/01/2015 05:57 AM, Jakub Jankowski wrote:
[... snip ...]
Hi,

"Jakub Jankowski" <shasta@toxcorp.com> wrote on 2015-11-01 at 11:57:
Well, how is this any better than specifying the clients' IP addresses/hostnames in syslog-ng.conf?
Which one are you thinking of? The more-source-ports idea, or the ipset one?
Let me suggest another idea: if Vijay has control over the clients' hostnames, you could devise a simple host naming scheme, where you encode some metadata in the client's hostname. For example, you could name all Solaris clients with a hostname that starts with "s", and all Linux clients with a hostname that starts with "l"; then it's dead easy to match that in the syslog-ng configuration. The downside is that it is painful to
I do not like assumptions. But I think, if the root of Vijay's problem is that there was bad planning of their network's structure, or no planning at all, then this idea will not help either. However, hostnames can be "overridden" with a local hosts file, which is only used by syslog-ng.
introduce. But you could use a mixed approach, where all the existing clients keep their hostnames (and you put them explicitly in the filter), and all the new ones get named with this naming scheme.
However, if we keep to this idea, that we want to distinguish the hosts by their names / IPs, I would still insist on the distinction by IP. With good organization they could be grouped well, so a minimal number of netmask() filters would fit well.

Cheers, Gyu
@Evan, right now we are just adding the hosts manually to the syslog file. Is there a way by which I don't need to add the hosts manually to the file?

~Vijay

On Thu, Oct 29, 2015 at 5:54 PM, Evan Rempel <erempel@uvic.ca> wrote:
Before I get too deep into how this is done, can I ask why you want to separate your logs for solaris and linux?
On 10/29/2015 01:06 PM, vijay amruth wrote:
Thank you Evan.
Right now, we add a Solaris server every time we spin one up,
it's like this,

filter f_solaris { host('x.x.x.x') or host('x.x.x.2') or host('x.x.x.3') or host('x.x.x.4') or host('hostname1') or host('hostname2'); };

So every time we spin up a server we just go and add it manually to the config file, either with its hostname or its IP. I want to be able to automate this with filter functions and/or regex so that I don't have to add it manually to the config file on the server every time. There is a similar config for Linux hosts too.
Hope I am clear. Appreciate you taking your time out for this.
~Vj
On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <erempel@uvic.ca> wrote:
The syslog server has to listen on the ipaddress:port combination. The solaris hosts need to syslog to the new ipaddress:port combination.
Since I don't know how you are processing your log lines in your syslog-ng configuration it is difficult to provide a lot of guidance, but here are a couple of examples.
---- option #1 Using a completely different source. - you must fill in the IP addresses and port numbers
source s_regular_syslog { tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") ); };
source s_solaris_syslog { tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") ); };
log { source(s_regular_syslog); destination(d_regular_destination); };
log { source(s_solaris_syslog); destination(d_solaris_syslog); };
---- option #2 Using a tagged source. - you must fill in the IP addresses and port numbers
source s_all_syslog { tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") ); tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") ); };
filter f_solaris { tags("solaris_syslog"); };
log {
    source(s_all_syslog);
    log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
    log { destination(d_regular_destination); };
};
I hope that gives you the basics of what is needed.
On 10/29/2015 12:41 PM, vijay amruth wrote:
Thank you Evan, great idea! Can we achieve this with regex in the syslog-ng.conf file on the server side?
Thank you, ~Vj
On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel@uvic.ca> wrote:
You could use a second interface on the syslog servers and configure the Solaris servers to use this alternate IP address. You could also use a different port. Then you could tag the source with "solaris" and then use the tag filtering to separate those messages out of the mix.
Just my $0.02
-- Evan Rempel erempel@uvic.ca Senior Systems Administrator 250.721.7691 Data Centre Services, University Systems, University of Victoria
-- Thanks, Vijay Amrut.
If all of the solaris hosts log to a different port or IP address, then there is no need to place hosts into the syslog configuration file. Every log message sent to the special IP/port is assumed to be from a solaris host. Then you just store them into a destination of your choosing.

Evan.

On 11/02/2015 02:18 PM, vijay amruth wrote:
Thank you Evan, I just recommended that option. I'll keep you posted.

~Vj

On Mon, Nov 2, 2015 at 2:36 PM, Evan Rempel <erempel@uvic.ca> wrote:
-- Thanks, Vijay Amrut.
Hi,

Having the operating system available as a macro came up earlier this week in a thread on serverfault, so it might make a useful feature.

Regards,
Robert

On Thu, Oct 29, 2015 at 8:25 PM, Evan Rempel <erempel@uvic.ca> wrote:
@Robert Fekete, awesome!!! How do we use that macro for the operating system? Any insights or examples will be helpful.

Thank you,
~Vj

On Thu, Oct 29, 2015 at 1:05 PM, Fekete, Róbert <robert.fekete@balabit.com> wrote:
-- Thanks, Vijay Amrut.
Yup, I like this idea. We should really make this available as a macro, and send it via structured data. RFC5424 even has a field for this.

On Oct 29, 2015 9:06 PM, "Fekete, Róbert" <robert.fekete@balabit.com> wrote:
Can you pls file an issue? Thanks.

On Nov 1, 2015 9:05 PM, "Scheidler, Balázs" <balazs.scheidler@balabit.com> wrote:
Hi,

On Sun, Nov 01, 2015 at 09:05:06PM +0100, Scheidler, Balázs wrote:
Yup, I like this idea. We should really make this available as a macro, and send it via structured data. RFC5424 even has a field for this.
We've been doing this for some time now using RFC5424 and custom SDATA using puppet and facter [1]. Would it make sense to have a native facter integration for syslog-ng?

--
[1] https://gist.github.com/faxm0dem/8734fa29dc57eacc1ba2
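The RFC 5424 structured-data route Fabien describes (and the "field for this" Balázs mentions), as an added Python example that is not code from the thread, from the linked gist, or from syslog-ng/facter: the client side puts its OS facts into an SD-ELEMENT, the collector side parses them back and routes on the "os" fact, so no host list has to be maintained. The SD-ID facts@32473 and the fact names are assumptions (32473 is the enterprise number RFC 5424 reserves for documentation examples), "SunOS" is what uname -s reports on Solaris, and the sample messages are constructed.

```python
"""RFC 5424 structured data carrying host facts, so a collector routes on an
"os" fact instead of on a hand-maintained host() list.  Added example: not
code from the thread, the linked gist, syslog-ng or facter.  The SD-ID
"facts@32473" and the fact names are assumptions; 32473 is the enterprise
number RFC 5424 reserves for documentation examples."""
import re
from datetime import datetime, timezone

FACTS_SD_ID = "facts@32473"  # assumed SD-ID (32473 = RFC 5424 example enterprise number)


def escape_param_value(value: str) -> str:
    """RFC 5424 6.3.3: '"', '\\' and ']' inside a PARAM-VALUE must be escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_sd_element(sd_id: str, params: dict) -> str:
    """One SD-ELEMENT: [SD-ID name="value" name="value" ...]."""
    parts = [sd_id] + [f'{k}="{escape_param_value(v)}"' for k, v in params.items()]
    return "[" + " ".join(parts) + "]"


def build_rfc5424(hostname, app, msg, facts, pri=13, ts=None):
    """Client side: HEADER, one facts SD-ELEMENT, free-form MSG."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    sd = build_sd_element(FACTS_SD_ID, facts)
    # PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {hostname} {app} - - {sd} {msg}"


_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)


def parse_structured_data(rest: str):
    """Collector side: split STRUCTURED-DATA from MSG.  Returns (elements, msg)
    where elements maps SD-ID -> {param: value}; handles the NILVALUE '-' and
    backslash escapes inside PARAM-VALUE; raises ValueError on malformed input."""
    if rest.startswith("-"):
        return {}, rest[1:].lstrip(" ")
    elements, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        pos += 1
        m = re.match(r"[^ \]]+", rest[pos:])
        if not m:
            raise ValueError("empty SD-ID")
        sd_id, params = m.group(0), {}
        pos += len(sd_id)
        while pos < len(rest) and rest[pos] == " ":
            m = re.match(r' ([^ =\]"]+)="', rest[pos:])
            if not m:
                raise ValueError("malformed SD-PARAM")
            name, pos, value = m.group(1), pos + len(m.group(0)), []
            while pos < len(rest) and rest[pos] != '"':
                if rest[pos] == "\\" and pos + 1 < len(rest) and rest[pos + 1] in '"\\]':
                    pos += 1  # drop the escaping backslash, keep the escaped char
                value.append(rest[pos])
                pos += 1
            if pos >= len(rest):
                raise ValueError("unterminated PARAM-VALUE")
            pos += 1  # closing quote
            params[name] = "".join(value)
        if pos >= len(rest) or rest[pos] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
        elements[sd_id] = params
    msg = rest[pos:]
    return elements, msg[1:] if msg.startswith(" ") else msg


def parse_rfc5424(line: str) -> dict:
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    elements, msg = parse_structured_data(m.group("rest"))
    return {"host": m.group("host"), "app": m.group("app"), "sd": elements, "msg": msg}


def classify(line: str) -> str:
    """Route on the shipped os fact; 'unknown' when the sender shipped none,
    the case a hand-maintained host list would silently misfile."""
    os_name = parse_rfc5424(line)["sd"].get(FACTS_SD_ID, {}).get("os", "")
    return {"SunOS": "solaris", "Linux": "linux"}.get(os_name, "unknown")


# Constructed sample messages (not captured from any real host).
SAMPLE_SOLARIS = build_rfc5424("sol11-db01", "sshd", "Accepted publickey for ops",
                               {"os": "SunOS", "release": "5.11"}, ts="2015-11-02T00:48:00Z")
SAMPLE_LINUX = build_rfc5424("web-07", "cron", "(root) CMD (run-parts)",
                             {"os": "Linux", "release": "3.10.0"}, ts="2015-11-02T00:48:01Z")
SAMPLE_LEGACY = "<13>1 2015-11-02T00:48:02Z oldbox app - - - no structured data here"

if __name__ == "__main__":
    for line in (SAMPLE_SOLARIS, SAMPLE_LINUX, SAMPLE_LEGACY):
        print(classify(line), "<-", line)
```

On the collector, syslog-ng exposes the same parameter as the ${.SDATA.facts@32473.os} name-value pair, so a filter can match on it with no host list at all.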
Thank you Gyu! Thank you all, this is awesome. I should admit that this is my first time on a DL/mailing list; I really like the ideas that you guys put out. This has opened other avenues for me.

@Gyu/All, you guessed it right. It's not well planned here; the hostname naming convention or classified IP isn't followed. I am looking at the port idea as Evan suggested. Evan, that is a good one. Thank you.

@Fabien, can you throw some light on this: "We've been doing this for some time now using RFC5424 and custom SDATA using puppet and facter [1]. Would it make sense to have a native facter integration for syslog-ng?"

~Vj

On Mon, Nov 2, 2015 at 12:48 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
-- Thanks, Vijay Amrut.
participants (9): Balazs Scheidler; Evan Rempel; Fabien Wernli; Fekete, Róbert; Jakub Jankowski; Jim Hendrick; PÁSZTOR György; Scheidler, Balázs; vijay amruth