Try reading http://www.balabit.com/products/syslog_ng/reference/logpath.html

You can use a log statement with the fallback flag to achieve what you need.

i.e.

    source ext { tcp(port(514) max-connections(1024)); udp(port(514)); };

    ...your destination statements...

    destination unmatched { file("/var/log/unmatched"); };

    ...your log statements...

    log { source(ext); destination(unmatched); flags(fallback); };

The last log statement will log all 'unmatched by a previous rule' to the file /var/log/unmatched.

Hope it helps.

Amodiovalerio [Hypo] Verde

---------- Initial Header -----------

From    : syslog-ng-admin@lists.balabit.hu
To      : syslog-ng@lists.balabit.hu
Cc      :
Date    : Mon, 23 Feb 2004 14:27:52 +0100
Subject : [syslog-ng]Logging not matched to filters

Hi
I have a lot of filters and they log fine.
I was wondering if it is possible to make a logging that matches the rest, that isn't caught in a filter. So that if syslog-ng receives a log and it doesn't match any of the filters, it will log it into a file.
That way I don't miss a logging from a device, it would simply be in this separate file.

- Henning

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

Hi

I have the following syslog

    Feb 24 08:01:04 10.1.76.35 28: Feb 24 08:01:03.674 CET: %SYS-5-CONFIG_I: Configured from console by xxxxxx on vty0 (10.16.254.42)

    filter f_switches { netmask(10.16.65.0/24); };

But the filter f_switches matches it, why is that?

The only place I can see that it could mask is in the 'vty0 (10.16.254.42)' but I thought that the netmask was supposed to match in the hostname field and not the message.

I looked at http://www.balabit.com/products/syslog_ng/reference/x567.html but there the netmask filter isn't described.

- Henning

ups ... there was a typo

the filter is

    filter f_switches { netmask(10.16.254.0/24); };

- Henning

"Henning Markussen" <hem@dmdata.dk>
Sent by: syslog-ng-admin@lists.balabit.hu
24-02-2004 08:24
Please respond to syslog-ng
To: syslog-ng@lists.balabit.hu
cc:
Subject: [syslog-ng]filter netmask

On Tue, 2004-02-24 at 08:30, Henning Markussen wrote:
ups ... there was a typo
the filter is
filter f_switches { netmask(10.16.254.0/24); };

the netmask filter matches the source address of the incoming UDP packet, not the hostname part. you can use the host() macro for that.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

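The two points made in this thread (a fallback log statement only receives what no other log statement matched, and netmask() tests the packet's source address while host() tests the HOST field of the message) are modeled below in Python as an added example. It is not syslog-ng code and not code from any of the posters; the record fields, function names and the peer address are assumptions made for illustration.

```python
# Added illustration: a small model of the matching semantics discussed above.
# Not syslog-ng code; all names and the "peer" values are hypothetical.
import ipaddress
import re

def netmask(cidr):
    """Model of netmask(): tests the address the packet arrived from."""
    net = ipaddress.ip_network(cidr)
    return lambda msg: ipaddress.ip_address(msg["peer"]) in net

def host(pattern):
    """Model of host(): tests the HOST field parsed from the message header."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["host"]) is not None

def route(msg, log_paths):
    """Return destinations for msg; fallback paths fire only if no other path matched."""
    def matching(fallback):
        return [p["dest"] for p in log_paths
                if bool(p.get("fallback")) == fallback
                and all(f(msg) for f in p["filters"])]
    return matching(False) or matching(True)

# Constructed sample records. "host" comes from the log line quoted in the thread;
# "peer" is an assumed packet source inside 10.16.254.0/24 (the page does not give it).
SWITCH_MSG = {"peer": "10.16.254.7", "host": "10.1.76.35",
              "text": "%SYS-5-CONFIG_I: Configured from console"}
OTHER_MSG = {"peer": "192.0.2.10", "host": "192.0.2.10", "text": "constructed test line"}

CATCH_ALL = {"filters": [], "dest": "unmatched", "fallback": True}
PATHS_NETMASK = [{"filters": [netmask("10.16.254.0/24")], "dest": "switches"}, CATCH_ALL]
PATHS_HOST = [{"filters": [host(r"^10\.16\.254\.")], "dest": "switches"}, CATCH_ALL]

if __name__ == "__main__":
    for name, paths in (("netmask", PATHS_NETMASK), ("host", PATHS_HOST)):
        for label, msg in (("switch", SWITCH_MSG), ("other", OTHER_MSG)):
            print(f"{name:8} {label:7} -> {route(msg, paths)}")
```

With the netmask filter the switch message is routed by where the packet came from, even though its HOST field is 10.1.76.35; with the host filter the same message falls through to the catch-all.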
participants (3)
- Amodiovalerio Verde
- Balazs Scheidler
- Henning Markussen