Re: [syslog-ng] sylog-ng filters not working
Hello Christian,

I just noticed that you seem to be using two network sources configured to use the same IP and port settings. You should move the src_MYAPP source to a different port, because the two are conflicting.

Furthermore, you could try removing the quotes from the f_devenv_04net stanza. (Although I don't expect any significant changes in syslog-ng's behavior because of this.)

Which is the generic destination you were referring to earlier? Is it perhaps d_MYAPP? (Or another one?)

Regards,
János

2016-08-03 19:50 GMT+02:00 Christian Turner <cturner@highroads.com>:
@version: 3.2
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# https://www.balabit.com/support/documentation
#
@include "scl.conf"
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (2048);
chain_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (no);
stats_freq(86400);
};
source s_sys {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
};
### MYAPP Dev Logs ###
## DEVENV ##
source src_devenv { udp(ip(0.0.0.0) port(514)); };
filter f_devenv_01ui { netmask(10.22.206.0/24); };
filter f_devenv_02gw { netmask(10.22.207.0/24); };
filter f_devenv_03api { netmask(10.22.208.0/24); };
filter f_devenv_04net { netmask( "10.22.209.0/24" ); };
filter f_devenv_05bat { netmask(10.22.210.0/24); };
destination d_devenv_01ui { file("/mnt/syslogng/MYAPPlogs/DEVENV/01ui-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_02gw { file("/mnt/syslogng/MYAPPlogs/DEVENV/02gw-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_03api { file("/mnt/syslogng/MYAPPlogs/DEVENV/03api-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_04net { file("/mnt/syslogng/MYAPPlogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_05bat { file("/mnt/syslogng/MYAPPlogs/DEVENV/05bat-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv); filter(f_devenv_01ui); destination(d_devenv_01ui); };
log { source(src_devenv); filter(f_devenv_02gw); destination(d_devenv_02gw); };
log { source(src_devenv); filter(f_devenv_03api); destination(d_devenv_03api); };
log { source(src_devenv); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
log { source(src_devenv); filter(f_devenv_05bat); destination(d_devenv_05bat); };
## MYAPP ALL ##
source src_MYAPP { udp(ip(0.0.0.0) port(514)); };
destination d_MYAPP { file("/mnt/syslogng/MYAPPlogs/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_MYAPP); destination(d_MYAPP); };
#source external { tcp(); };
#source external { udp(); };
#destination d_hosts { file("/home/syslog/$HOST/application.log" owner("syslog") group("syslog") perm(0600)); };
destination d_mesg { file("/var/log/messages"); };
#destination d_cons { file("/dev/console"); };
#destination d_auth { file("/var/log/secure"); };
#destination d_mail { file("/var/log/maillog" flush_lines(10)); };
#destination d_spol { file("/var/log/spooler"); };
#destination d_boot { file("/var/log/boot.log"); };
#destination d_cron { file("/var/log/cron"); };
#destination d_kern { file("/var/log/kern"); };
#destination d_mlal { usertty("*"); };
#destination d_all { file("/var/log/splunk"); };
log { source(s_sys); destination(d_mesg); };
#log { source(external); destination(d_hosts); };
From: Christian Turner
Sent: Wednesday, August 3, 2016 11:53 AM
To: 'syslog-ng@lists.balabit.hu' <syslog-ng@lists.balabit.hu>
Subject: RE: sylog-ng filters not working
Hi,
I have the following filter configured:
source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
However, the filter does not work, and the logs from this source all go to the generic logging destination.
I performed an strace and I can see that the IP appears as expected, so I'm figuring I have a syntax error somewhere:
[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), sin_addr=inet_addr("10.22.209.10")}, [16]) = 265
Christian Turner
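A corrected version of the quoted configuration, added here as an illustration and not posted by either participant, that applies the suggestion above: one udp() source on port 514 instead of two bound to the same ip/port, unquoted netmask() filters, and the catch-all d_MYAPP path fed from that same source. Names, paths and the 3.2 syntax are kept from the quoted config; the options block is trimmed to the settings that matter for this routing.

```conf
@version: 3.2
@include "scl.conf"

options {
    create_dirs(yes);
    use_dns(no);          # with keep_hostname(no), $HOST becomes the sender IP
    keep_hostname(no);
};

# One UDP listener only: src_devenv and src_MYAPP both bound 0.0.0.0:514,
# so only one of them could receive the datagrams.
source src_devenv { udp(ip(0.0.0.0) port(514)); };

# netmask() tests the address of the host that sent the datagram
# (10.22.209.10 in the strace), not the HOST field inside the message
# (which is "::1" in that packet).
filter f_devenv_01ui  { netmask(10.22.206.0/24); };
filter f_devenv_02gw  { netmask(10.22.207.0/24); };
filter f_devenv_03api { netmask(10.22.208.0/24); };
filter f_devenv_04net { netmask(10.22.209.0/24); };
filter f_devenv_05bat { netmask(10.22.210.0/24); };

destination d_devenv_01ui  { file("/mnt/syslogng/MYAPPlogs/DEVENV/01ui-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_02gw  { file("/mnt/syslogng/MYAPPlogs/DEVENV/02gw-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_03api { file("/mnt/syslogng/MYAPPlogs/DEVENV/03api-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_04net { file("/mnt/syslogng/MYAPPlogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_05bat { file("/mnt/syslogng/MYAPPlogs/DEVENV/05bat-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_MYAPP        { file("/mnt/syslogng/MYAPPlogs/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };

# Log paths are evaluated in file order; flags(final) stops a matched
# message from reaching any later path.
log { source(src_devenv); filter(f_devenv_01ui);  destination(d_devenv_01ui); };
log { source(src_devenv); filter(f_devenv_02gw);  destination(d_devenv_02gw); };
log { source(src_devenv); filter(f_devenv_03api); destination(d_devenv_03api); };
log { source(src_devenv); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
log { source(src_devenv); filter(f_devenv_05bat); destination(d_devenv_05bat); };

# Catch-all from the same source: receives everything except the
# 10.22.209.0/24 traffic consumed by the final-flagged path above.
log { source(src_devenv); destination(d_MYAPP); };
```

Drop flags(final) from the 04net path if the 04net messages should also land in d_MYAPP, since that flag is the only reason they are excluded from the catch-all.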