RE: [syslog-ng]syslog-ng and regex
To match a program name you use the program function in the filter.

filter f_antivir { program("antivir"); };

Regards,
Drew

-----Original Message-----
From: Micha Holzmann [mailto:holzmann@mhnet.de]
Sent: Monday, February 24, 2003 12:42 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]syslog-ng and regex

Hello,

I am very new to syslog-ng and to its list. I am running two Debian GNU/Linux boxes, one as a DSL router and the other as my workstation. Today I installed syslog-ng via apt-get (1.5.15-1.1). I tried to set up remote logging: I want my router/firewall to log additionally to my workstation. On the router I have the following entries in syslog-ng.conf.

Hostname of router = xenia
--- cut here ----
destination loghost { udp("192.168.1.1" port(514)); };
log { source(src); destination(loghost); };
--- cut here ----
Hostname of workstation = kaliba

On my workstation I have in syslog-ng.conf:
--- cut here ----
destination rlogging {
    file("/var/log/syslog-ng/$HOST/syslog.log"
         sync(0) log_fifo_size(10) create_dirs(yes)
         owner(root) group(system) perm(0660) dir_perm(0770));
};
filter f_xenia { match("xenia"); };
log { source(src); filter(f_xenia); destination(rlogging); };
--- cut here ----
I am not sure if this setup is correct. Maybe you can give me some advice. If it is necessary to have my configs, please tell me and I will post them afterwards.

Now I have a second question. On my workstation runs a cron job which looks for a new antivir definition file or a new program version (binary file). I tried to put the syslog entries in a separate file. Can I use a regex in match()? Maybe like this: match("antivir\[[0-9]+\]") to catch antivir[19129]
--- cut here ----
destination antivir { file("/var/log/antivir.log"); };
filter f_antivir { match("kaliba antivir"); };
log { source(src); filter(f_antivir); destination(antivir); };
--- cut here ----
But the logfile entries do not arrive in /var/log/antivir.log. Did I do anything wrong?

Best regards,
Micha Holzmann
--
My software never has bugs. It just develops random features.
Hello Andrew,

Hamilton, Andrew wrote:
> To match a program name you use the program function in the filter.
>
> filter f_antivir { program("antivir"); };
The corresponding syslog messages are:
--- cut here ----
Feb 24 14:00:02 kaliba antivir[1718]: AntiVir is up-to-date
Feb 24 15:00:11 kaliba antivir[2451]: AntiVir is up-to-date
Feb 24 16:00:02 kaliba antivir[2662]: AntiVir is up-to-date
Feb 24 17:02:49 kaliba antivir[2979]: reloaded AntiVir mail scanner successfully
Feb 24 17:02:49 kaliba antivir[2979]: AntiVir successfully updated itself (antivir.vdf)
--- cut here ----
Does the filter statement "filter f_antivir { program("antivir"); };" catch syslog messages like these above?

Best regards,
Micha Holzmann
--
UNIX is user friendly, it's just picky about who its friends are
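As an added illustration (not part of the thread, and not syslog-ng's own code): a small Python parser for BSD-style syslog lines, run over the five lines Micha posted plus two constructed extra lines (a cron line and a kernel line) so the filters have something to reject. program_filter() stands in for program(), which compares the parsed program name; match_filter() runs a regex over one of three stand-in texts (the whole line, "program[pid]: message", or the message text only), so you can see what each pattern from the thread would and would not select depending on how much of the line the regex sees. Which of those texts a given syslog-ng release's match() actually searches is not stated in the thread and is not asserted here; that is an assumption to check against the reference for your version.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# Constructed sample input: the five lines Micha posted, plus two extra lines
# (cron and kernel) made up here so the filters have something to reject.
SAMPLE_LINES = [
    "Feb 24 14:00:02 kaliba antivir[1718]: AntiVir is up-to-date",
    "Feb 24 15:00:11 kaliba antivir[2451]: AntiVir is up-to-date",
    "Feb 24 16:00:02 kaliba antivir[2662]: AntiVir is up-to-date",
    "Feb 24 17:02:49 kaliba antivir[2979]: reloaded AntiVir mail scanner successfully",
    "Feb 24 17:02:49 kaliba antivir[2979]: AntiVir successfully updated itself (antivir.vdf)",
    "Feb 24 17:05:00 kaliba cron[3001]: (root) CMD (/usr/local/bin/antivir-update)",
    "Feb 24 17:05:01 xenia kernel: eth0: link up",
]


class SyslogMsg(NamedTuple):
    raw: str
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    message: str


# Classic BSD syslog line as written to a file:
# "MMM DD HH:MM:SS host program[pid]: message"; the "[pid]" part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse(line: str) -> SyslogMsg:
    """Split one BSD syslog line into its fields; raise on anything else."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pid = m.group("pid")
    return SyslogMsg(line, m.group("ts"), m.group("host"), m.group("prog"),
                     int(pid) if pid else None, m.group("msg"))


Pred = Callable[[SyslogMsg], bool]


def program_filter(name: str) -> Pred:
    """Exact comparison against the parsed program field (what program() keys on)."""
    return lambda msg: msg.program == name


# Three stand-ins for "how much of the line does the regex get to see".
def whole_line(msg: SyslogMsg) -> str:
    return msg.raw


def header_and_message(msg: SyslogMsg) -> str:
    """'program[pid]: message', i.e. everything after the hostname."""
    hdr = msg.program if msg.pid is None else f"{msg.program}[{msg.pid}]"
    return f"{hdr}: {msg.message}"


def message_only(msg: SyslogMsg) -> str:
    return msg.message


def match_filter(pattern: str, extract: Callable[[SyslogMsg], str]) -> Pred:
    """Regex search over whichever part of the message `extract` returns."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(extract(msg)) is not None


def select(lines: List[str], pred: Pred) -> List[str]:
    """Return the raw lines whose parsed form satisfies the filter."""
    return [line for line in lines if pred(parse(line))]


if __name__ == "__main__":
    cases = {
        'program("antivir")': program_filter("antivir"),
        'match("antivir\\[[0-9]+\\]") over program[pid]: message':
            match_filter(r"antivir\[[0-9]+\]", header_and_message),
        'match("kaliba antivir") over program[pid]: message':
            match_filter("kaliba antivir", header_and_message),
        'match("kaliba antivir") over the whole line':
            match_filter("kaliba antivir", whole_line),
        'match("antivir") over the message text only':
            match_filter("antivir", message_only),
    }
    for label, pred in cases.items():
        print(f"{label}: {len(select(SAMPLE_LINES, pred))} of {len(SAMPLE_LINES)} lines")
```

Two things the run makes visible: the pattern "kaliba antivir" only hits when the hostname is part of the searched text, and a plain "antivir" regex over the message text alone is case-sensitive, so it misses four of the five "AntiVir" lines while picking up the unrelated cron line that merely mentions antivir-update. Selecting on the parsed fields (program() for the program name, host() for the sending host) avoids both problems, which is the point of Drew's answer.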
participants (2)
- Hamilton, Andrew
- Micha Holzmann