Forcing remote syslog request from 1 IP into 1 log file
Hello,

I have a syslog server setup which works quite well for most of the hosts:

destination d_net_debug { file("/var/log/$HOST/debug"); };
destination d_net_error { file("/var/log/$HOST/error"); };

This way I don't have to define every host which logs there, but they will be autocreated.

I have a quite misbehaving Asus router device however which keeps sending strings like:

FTP WAN(11) WAN(8) WAN(3)

as host, therefore syslog-ng interprets these messages as if they were coming from different $HOSTs and keeps creating directories for them.

2018-07-22T20:45:59+02:00 WAN Connection: Wan link down.
2018-07-24T16:12:20+02:00 WAN Connection: Wan link down.
2018-07-22T20:45:59+02:00 WAN Connection: Wan link down.
2018-07-24T16:12:20+02:00 WAN Connection: Wan link down.

How do I force all the logs into one logfile for this one specific host? If possible I don't want to change my current rules, just extend them.

Thank you.
Hi,

On Fri, Jul 27, 2018 at 11:55:42AM +0200, freebsd@tango.lu wrote:
How do I force all the logs into one logfile for this one specific host? If possible I don't want to change my current rules just extend them.
You could use the SOURCEIP macro or the netmask filter. There are multiple ways to achieve what you ask, many depending on the syslog-ng version you use and on your config. The most compatible way to do it is probably using a separate log path:

log { source(s_syslog); filter { netmask(10.0.0.1/32) }; destination(d_net_some_host); flags(final); };

Notice the "final" flag which makes sure the message won't make it to other log paths.
Hi,

What would an example message look like?

2018-07-24T16:12:20+02:00 WAN(11) Connection: Wan link down.

What kind of source driver do you use in your configuration?

I have one idea only:
- don't use the HOST field, but HOST_FROM, if the separate messages are coming from different hosts and not from a relay.

I see it is similar to Fabien's.

Regards,
Gabor

On Fri, Jul 27, 2018 at 1:03 PM Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,
On Fri, Jul 27, 2018 at 11:55:42AM +0200, freebsd@tango.lu wrote:
How do I force all the logs into one logfile for this one specific host? If possible I don't want to change my current rules just extend them.
You could use the SOURCEIP macro or the netmask filter. There are multiple ways to achieve what you ask, many depending on the syslog-ng version you use and on your config. The most compatible way to do it is probably using a separate log path:
log { source(s_syslog); filter { netmask(10.0.0.1/32) }; destination(d_net_some_host); flags(final); };
Notice the "final" flag which makes sure the message won't make it to other log paths.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
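The two answers above (Fabien's netmask() log path with flags(final), and Gabor's HOST_FROM) both address the same underlying point: $HOST is copied from the packet, so a remote sender chooses the directory name under /var/log, and the router only makes that visible by accident. The following complete configuration is an added example, not something posted in this thread, that keeps the original per-$HOST rules unchanged and adds one log path for the router keyed on the sender's address. It assumes the router's address is 10.0.0.1 (Fabien's placeholder), a network() source on UDP/514, keep-hostname(yes) (which is the behaviour the original post describes, where HOST is whatever the sender wrote), and a split of debug/error by severity, since the original post does not show its filters.

```syslog-ng
@version: 3.19
# Added example, not from the thread. Assumed: router at 10.0.0.1, UDP/514
# network() source, keep-hostname(yes), debug/error split by severity.

options {
    create-dirs(yes);       # let file() create /var/log/<dir>/ on demand
    keep-hostname(yes);     # HOST comes from the packet (assumed; matches the post)
};

source s_syslog {
    network(transport("udp") port(514));
};

# Unchanged from the original post: one directory per $HOST.
destination d_net_debug { file("/var/log/$HOST/debug"); };
destination d_net_error { file("/var/log/$HOST/error"); };

# New: one fixed directory for the router, chosen by sender address, so the
# strings it puts in the hostname field no longer create directories.
destination d_asus_router { file("/var/log/asus-router/messages"); };

# Gabor's variant: key on the address the packet was received from, which the
# sender cannot change through the HOST field. (Assumed name d_asus_router.)
# destination d_asus_router { file("/var/log/${HOST_FROM}/messages"); };

filter f_error { level(err..emerg); };
filter f_debug { level(debug..warning); };

# Log paths are evaluated in order, so this one must come before the per-host
# paths. netmask() matches on the packet's source address (SOURCEIP), not on
# $HOST, and flags(final) stops the message from continuing to the paths below.
log {
    source(s_syslog);
    filter { netmask(10.0.0.1/32) };
    destination(d_asus_router);
    flags(final);
};

# Existing rules, untouched: every other sender still gets /var/log/$HOST/.
log { source(s_syslog); filter(f_error); destination(d_net_error); };
log { source(s_syslog); filter(f_debug); destination(d_net_debug); };
```

Check the order with `syslog-ng --syntax-only` and then send one message from the router and one from another host: the router's line must land in /var/log/asus-router/messages and nothing new may appear under /var/log/. If the hostname written by the senders is not needed for any host, keep-hostname(no) makes syslog-ng substitute the sender's name or address into HOST for every source, which also removes the problem but changes the existing directory names, which the original post wanted to avoid.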
Try HOST_FROM instead of HOST.
Possibly also try no-parse.

Jim

On Fri, Jul 27, 2018, 5:55 AM <freebsd@tango.lu> wrote:
Hello,
I have a syslog server setup which works quite well for most of the hosts:
destination d_net_debug { file("/var/log/$HOST/debug"); };
destination d_net_error { file("/var/log/$HOST/error"); };
This way I don't have to define every host which logs there, but they will be autocreated.
I have a quite misbehaving Asus router device however which keeps sending strings like:
FTP WAN(11) WAN(8) WAN(3)
as host, therefore syslog-ng interprets these messages as if they were coming from different $HOSTs and keeps creating directories for them.
2018-07-22T20:45:59+02:00 WAN Connection: Wan link down.
2018-07-24T16:12:20+02:00 WAN Connection: Wan link down.
2018-07-22T20:45:59+02:00 WAN Connection: Wan link down.
2018-07-24T16:12:20+02:00 WAN Connection: Wan link down.
How do I force all the logs into one logfile for this one specific host? If possible I don't want to change my current rules, just extend them.
Thank you.
participants (4)
- Fabien Wernli
- freebsd@tango.lu
- Jim Hendrick
- Nagy, Gábor