Re: [syslog-ng] Quick set of eyeballs on this
On 2014-08-25 15:39, Balint Kovacs wrote:
Hi,
Just a guess, but as far as I can remember, the ASA-* part is usually in the program field; try the program() filter instead of message() in f_firewall.
Balint
On 25 August 2014 22:48:05 CEST, James Lay <jlay@slave-tothe-box.net> wrote:
Can anyone see anything blatantly wrong with this? The goal is to syslog as usual, but to forward firewall messages to a different server. Thanks for looking, all.
James
@version:3.3.5
options { use_dns(no); flush_lines(0); stats_freq(43200); };

source s_local {
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
    file("/proc/kmsg");
};

destination d_file { file("/var/log/messages"); };
destination d_syslogserver { udp ("x.x.x.x", port(7514)); };

filter f_syslogfilter { not ( message("0x0004") or message("169.254.") or message("192.168.") ); };
filter f_firewall { message("ASA-4-71005") or message("ASA-2-106100"); };

log { source(s_local); filter(f_syslogfilter); destination(d_file); };
log { source(s_local); filter(f_firewall); destination(d_syslogserver); };
-------------------------
Ah, thank you... I've just been testing using logger. I'll adjust and try this with program(). Thanks again.
James
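The difference between the two filters discussed in this thread, as an added example that is not part of the original messages: a simplified model of BSD-syslog header splitting (an assumption, not syslog-ng's real parser) applied to two constructed lines, one shaped as the reply guesses device traffic looks and one shaped like a logger test. The sample lines, host name, user name and the f_firewall_either helper are hypothetical.

```python
import re

# Simplified model of BSD-syslog (RFC 3164) header splitting. This is an
# assumption for illustration, not syslog-ng's real parser.
HEADER = re.compile(
    r"^<\d{1,3}>"
    r"(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ )?"   # timestamp + host
    r"(?:(?P<program>[^\s:\[]+)(?:\[\d+\])?: ?)?"        # tag[pid]:
    r"(?P<message>.*)$"
)

# Patterns copied from f_firewall in the thread.
PATTERNS = ("ASA-4-71005", "ASA-2-106100")

# Constructed sample lines (documentation addresses, made-up host and user).
DEVICE_LINE = "<164>%ASA-4-71005: TCP request discarded from 192.0.2.10/4242 to outside:198.51.100.1/23"
LOGGER_LINE = "<13>Aug 25 15:39:00 loghost jlay: ASA-4-71005 test entry sent with logger"

def parse(line):
    """Split a raw line into the PROGRAM and MESSAGE fields of the model."""
    m = HEADER.match(line)
    if m is None:                      # no <PRI>: treat everything as message
        return {"program": "", "message": line}
    return {"program": m.group("program") or "", "message": m.group("message")}

def matches(field, rec):
    """Unanchored regex match on one field, like message() / program()."""
    return any(re.search(p, rec[field]) for p in PATTERNS)

def f_firewall_message(rec):           # filter as posted in the thread
    return matches("message", rec)

def f_firewall_program(rec):           # filter as suggested in the reply
    return matches("program", rec)

def f_firewall_either(rec):            # covers both device and logger input
    return matches("program", rec) or matches("message", rec)

if __name__ == "__main__":
    for name, line in (("device", DEVICE_LINE), ("logger", LOGGER_LINE)):
        rec = parse(line)
        print(name, rec["program"], f_firewall_message(rec),
              f_firewall_program(rec), f_firewall_either(rec))
```

In this model a filter verified only with logger can pass the test and still miss device traffic, so the check is worth repeating against a captured line from the firewall itself.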