Hello all,

I have syslog-ng 3.14 and I am trying to filter DNS logs. I have this working in a very old 2.0.9 version of syslog-ng, but it does not seem to want to work in the 3.14 environment. Can anyone help me out, as I am pretty new to administering syslog-ng?

Thanks,
Ed

Below is my code:

    ## New BlueCat config that doesn't work
    ## Note: a filter expression must not be terminated with ';' before 'and';
    ## the whole boolean expression is one statement ending in a single ';'.
    filter f_dhcpd {
        host(".*ddi-edns.*" flags(ignore-case)) and program("dhcpd");
    };
    destination d_dhcpd {
        file("/var/log2/gns-dmz/bluecat/${HOST}/dhcpd/log_${HOST}_dhcpd" perm(0640) group(splunk));
    };
    log { source(s_net); filter(f_dhcpd); destination(d_dhcpd); };

    filter f_named {
        host(".*ddi-edns.*" flags(ignore-case)) and program("named");
    };
    destination d_named {
        file("/var/log2/gns-dmz/bluecat/${HOST}/named/log_${HOST}_named" perm(0640) group(splunk));
    };
    log { source(s_net); filter(f_named); destination(d_named); };

    ## Everything else from these hosts at info..crit, excluding dhcpd and named
    filter f_other {
        level(info, notice, warn, err, crit)
        and host(".*ddi-edns.*" flags(ignore-case))
        and not program("dhcpd")
        and not program("named");
    };
    destination d_other {
        file("/var/log2/gns-dmz/bluecat/${HOST}/messages/log_${HOST}_messages" perm(0640) group(splunk));
    };
    log { source(s_net); filter(f_other); destination(d_other); };

    ## Old BlueCat config that works
    #filter f_hsi-ddi-edns-1 { host("hsi-ddi-edns-1"); };
    #filter f_ies-ddi-edns-1 { host("ies-ddi-edns-1"); };
    #filter f_wv-ddi-edns-1 { host("wv-ddi-edns-1"); };
    #destination d_hsi-ddi-edns-1 { file("/var/log2/gns-dmz/bluecat/hsi-ddi-edns-1/log_${HOST}"); };
    #destination d_ies-ddi-edns-1 { file("/var/log2/gns-dmz/bluecat/ies-ddi-edns-1/log_${HOST}"); };
    #destination d_wv-ddi-edns-1 { file("/var/log2/gns-dmz/bluecat/wv-ddi-edns-1/log_${HOST}"); };
    #log { source(s_net); filter(f_hsi-ddi-edns-1); destination(d_hsi-ddi-edns-1); };
    #log { source(s_net); filter(f_ies-ddi-edns-1); destination(d_ies-ddi-edns-1); };
    #log { source(s_net); filter(f_wv-ddi-edns-1); destination(d_wv-ddi-edns-1); };
> Hi, I have syslog-ng 3.14 and I am trying to filter DNS logs. I have this
> working in a very old 2.0.9 version of syslog-ng. But it does not seem to want
> to work in the 3.14 environment. Can anyone help me out as I am pretty new to
> administering syslog-ng.
Could you elaborate, please? What do you mean by "not seem to want to work"?

Does syslog-ng receive messages from s_net? You can verify it by starting syslog-ng in debug mode from the command line:

    $ sbin/syslog-ng -Fdev

Please share the output of this command. If so, do your logs appear under /var/log2/gns-dmz/bluecat/? If not, something is wrong with your filters or with file permissions.

I'm not familiar with syslog-ng 2.0, but I've tested your configuration with syslog-ng 3.16. Let me share my tips:

1. It might be possible that the /var/log2/gns-dmz/bluecat/ directory does not exist, so I added create-dirs(yes) to the configuration.

2. I assume that the hostname ".*ddi-edns.*" is part of the message received from s_net, so I added keep-hostname(yes) to the config. If my assumption is incorrect, you should set keep-hostname(no) and adjust use-dns() and use-fqdn() according to your needs.

3. Make sure s_net is configured correctly. For example, if you want to receive old BSD-style messages, use the network() driver; otherwise use the syslog() driver for framed IETF-syslog messages.

For example:

    @version: 3.16
    @include "scl.conf"

    options { create-dirs(yes); keep-hostname(yes); };

    source s_net { network(port(4444)); };

    # insert your previous config snippet here

My test input was "<133>Feb 24 14:04:04 test.ddi-edns.test dhcpd message".

-- 
László Várady
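As an added illustration (not part of either message above, and not syslog-ng's own code), the following Python script mirrors what the three filters in Ed's configuration decide for BSD-style lines arriving on a network() source: it splits the PRI into facility and severity, pulls HOST and PROGRAM out of the header the way the BSD parser does, applies host()/program()/level() with the same regex-search and ignore-case semantics, and expands ${HOST} in each destination path. The sample lines are constructed for the example; the first one is László's test input, and the hostnames reuse the names from the old config. The parse_bsd(), route() and LOG_PATHS names are this example's own, not syslog-ng identifiers.

```python
import re

# Severity names as syslog-ng spells them, indexed by numeric severity (PRI % 8).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Aliases that level() also accepts (the thread's filter uses "warn").
LEVEL_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# RFC 3164 / BSD-syslog shape as received by the network() driver:
#   <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: message
# TAG ends at '[', ':' or whitespace, which is how "dhcpd message" yields PROGRAM=dhcpd.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)


def parse_bsd(line):
    """Split one BSD-syslog line into the fields the filters look at, or None."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:          # facility 0..23, severity 0..7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "level": SEVERITIES[pri % 8],
        "host": m["host"],
        "program": m["program"],
        "pid": m["pid"],
        "msg": m["msg"],
    }


# host() and program() are unanchored regex matches; flags(ignore-case) maps to re.IGNORECASE.
def host(msg, pattern, ignore_case=False):
    return re.search(pattern, msg["host"], re.IGNORECASE if ignore_case else 0) is not None


def program(msg, pattern):
    return re.search(pattern, msg["program"]) is not None


def level(msg, *names):
    return msg["level"] in {LEVEL_ALIASES.get(n, n) for n in names}


# The three filters from the thread, written as one boolean expression each.
def f_dhcpd(msg):
    return host(msg, ".*ddi-edns.*", ignore_case=True) and program(msg, "dhcpd")


def f_named(msg):
    return host(msg, ".*ddi-edns.*", ignore_case=True) and program(msg, "named")


def f_other(msg):
    return (level(msg, "info", "notice", "warn", "err", "crit")
            and host(msg, ".*ddi-edns.*", ignore_case=True)
            and not program(msg, "dhcpd")
            and not program(msg, "named"))


# Destination templates from the thread; ${HOST} is the message's own hostname
# when keep-hostname(yes) is set, as László suggests.
LOG_PATHS = {
    "d_dhcpd": "/var/log2/gns-dmz/bluecat/${HOST}/dhcpd/log_${HOST}_dhcpd",
    "d_named": "/var/log2/gns-dmz/bluecat/${HOST}/named/log_${HOST}_named",
    "d_other": "/var/log2/gns-dmz/bluecat/${HOST}/messages/log_${HOST}_messages",
}
LOG_STATEMENTS = (("d_dhcpd", f_dhcpd), ("d_named", f_named), ("d_other", f_other))


def route(line):
    """Return (destination, expanded path) pairs the line would be written to.

    Each log {} statement is evaluated independently, so a line can hit several
    destinations or none at all."""
    msg = parse_bsd(line)
    if msg is None:
        return []
    return [(name, LOG_PATHS[name].replace("${HOST}", msg["host"]))
            for name, flt in LOG_STATEMENTS if flt(msg)]


# Constructed sample input. Line 0 is the test message from the reply above.
SAMPLE_LINES = [
    "<133>Feb 24 14:04:04 test.ddi-edns.test dhcpd message",                        # local0.notice
    "<30>Feb 24 14:05:10 HSI-DDI-EDNS-1 named[1234]: client 10.0.0.5#53212: query: example.com IN A",
    "<29>Feb 24 14:06:00 wv-ddi-edns-1 sshd[99]: Accepted publickey for ed",        # auth... notice
    "<15>Feb 24 14:06:01 ies-ddi-edns-1 cron[5]: debug chatter",                    # user.debug
    "<133>Feb 24 14:04:04 otherhost dhcpd message",                                 # host does not match
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("   ->", route(line) or "dropped (no filter matched)")
```

Running it shows the first line landing only in d_dhcpd, the uppercase HSI-DDI-EDNS-1 line reaching d_named thanks to flags(ignore-case), the sshd line falling through to d_other, and the debug-level and foreign-host lines matching nothing, which is the behaviour to expect once the configuration parses.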
participants (2)
- László Várady
- Rose, Ed