Spock, is my logic sound?
I'm still getting stuff on nmsloghost that I think should be filtered out. Do my comments match the conf file?

    # Source UDP/TCP syslog port 514.
    source s_net {
        udp(ip(0.0.0.0) port(514) so_rcvbuf(262142));
        tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(262142) log_iw_size(25000));
    };

    # Remove messages from 2 network segments
    filter f_network { not netmask("192.168.238.0/24") and not netmask("192.168.239.0/24"); };

    # Remove messages matching EITHER expression
    filter f_audit { not match("Audit" value("MESSAGE")) and not match("Detailed Tracking" value("MESSAGE")); };

    # Remove messages matching "The scan found detections" expression
    filter f_mcafee { not match("The scan found detections." value("MESSAGE")); };

    # Destination rule: suppress any duplicates in a 10 second window.
    destination d_remote { udp("nmsloghost" suppress(10)); };

    # Log from s_net, filter out all matches from f_*, and log via udp to nmsloghost.
    # There is no function to "filter( not f_network);"
    log { source(s_net); filter(f_network); filter(f_audit); filter(f_mcafee); destination(d_remote); };
Hi,
"Scot" <scotrn@gmail.com> wrote on 2016-02-16 09:22:
I'm still getting stuff on nmsloghost that I think should be filtered out.
Can you show us an example, which is forwarded to nmsloghost, but should be filtered out? A simple .pcap file, or "grep" or anything would be nice.
Cheers, Gyu
Not easily without sending some sensitive data.

I take it the rule set logic seems correct then? This filter will remove data from both/either subnet from a message stream,

    filter f_network { not netmask("192.168.238.0/24") and not netmask("192.168.239.0/24"); };

These rules work in the same concatenation way?

    filter(f_network); filter(f_audit); filter(f_mcafee); destination(d_remote);

On Tue, Feb 16, 2016 at 9:28 AM, PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi,
"Scot" <scotrn@gmail.com> wrote on 2016-02-16 09:22:
I'm still getting stuff on nmsloghost that I think should be filtered out.
Can you show us an example, which is forwarded to nmsloghost, but should be filtered out? A simple .pcap file, or "grep" or anything would be nice.
Cheers, Gyu
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On Feb 16, 2016 5:16 PM, "Scot" <scotrn@gmail.com> wrote:
Not easily without sending some sensitive data.
I take it the rule set logic seems correct then?
This filter will remove data from both/either subnet from a message stream,

    filter f_network { not netmask("192.168.238.0/24") and not netmask("192.168.239.0/24"); };
Yup
These rules work in the same concatenation way?

    filter(f_network); filter(f_audit); filter(f_mcafee); destination(d_remote);

Filters are ANDed together. So all filters must match.
On Tue, Feb 16, 2016 at 9:28 AM, PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi,
"Scot" <scotrn@gmail.com> wrote on 2016-02-16 09:22:
I'm still getting stuff on nmsloghost that I think should be filtered out.
Can you show us an example, which is forwarded to nmsloghost, but should be filtered out? A simple .pcap file, or "grep" or anything would be nice.
Cheers, Gyu
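To check the "filters are ANDed" answer against Scot's three filters, here is an added Python model of the log path; it is not syslog-ng code and not from the thread. It assumes a message is a dict with SOURCEIP and MESSAGE fields, approximates netmask() with the ipaddress module and match() with a case-sensitive re.search, and uses constructed sample messages.

```python
import ipaddress
import re

# Constructed sample messages (not from the thread): a sender IP plus the
# MESSAGE field, which is all that the three filters look at.
SAMPLE_MESSAGES = [
    {"SOURCEIP": "10.1.1.5",        "MESSAGE": "sshd[123]: Accepted publickey for ops"},
    {"SOURCEIP": "192.168.238.17",  "MESSAGE": "sshd[124]: Accepted publickey for ops"},
    {"SOURCEIP": "192.168.239.200", "MESSAGE": "kernel: link up"},
    {"SOURCEIP": "10.1.1.5",        "MESSAGE": "Security Audit Success: Detailed Tracking"},
    {"SOURCEIP": "10.1.1.5",        "MESSAGE": "McAfee: The scan found detections. 2 files"},
    {"SOURCEIP": "10.1.1.5",        "MESSAGE": "Audit log rotated"},
    {"SOURCEIP": "10.1.1.5",        "MESSAGE": "audit: user login"},  # lowercase on purpose
]

def netmask(msg, cidr):
    """Approximation of syslog-ng netmask(): is the sender inside this subnet?"""
    return ipaddress.ip_address(msg["SOURCEIP"]) in ipaddress.ip_network(cidr)

def match(msg, pattern, value="MESSAGE"):
    """Approximation of syslog-ng match(): case-sensitive regex search in a field."""
    return re.search(pattern, msg[value]) is not None

# The three filters, written with exactly the thread's boolean logic.
def f_network(msg):
    return not netmask(msg, "192.168.238.0/24") and not netmask(msg, "192.168.239.0/24")

def f_audit(msg):
    return not match(msg, "Audit") and not match(msg, "Detailed Tracking")

def f_mcafee(msg):
    return not match(msg, "The scan found detections.")

def log_path(messages, filters=(f_network, f_audit, f_mcafee)):
    """Model of log { source(); filter(); filter(); filter(); destination(); }:
    consecutive filter() statements are ANDed, so a message reaches the
    destination only if every filter returns True for it."""
    return [m for m in messages if all(f(m) for f in filters)]

def forwarded_messages(messages=SAMPLE_MESSAGES):
    """MESSAGE text of everything that would still reach nmsloghost."""
    return [m["MESSAGE"] for m in log_path(messages)]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        kept = all(f(m) for f in (f_network, f_audit, f_mcafee))
        print("FORWARD" if kept else "DROP   ", m["SOURCEIP"], m["MESSAGE"])
```

Only the first sshd line survives all three filters; the lowercase "audit: user login" line also gets through, because match("Audit") is case-sensitive, which is the kind of message worth comparing against what actually shows up on nmsloghost.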
participants (3)
- PÁSZTOR György
- Scheidler, Balázs
- Scot