[syslog-ng] Filtering confusion.

Brian Leveille bleveille@defendnet.com
Fri, 8 Dec 2000 15:16:28 -0500


I have a config I need help with:

I have 2 Linux boxes running syslog-ng behind a Foundry ServerIron load
balancing switch, which provides both load sharing and redundancy.

The Foundry maintains its server farm by both pings and actual syslog
messages.  It does this by sending garbage to the specified UDP port (514).
If it receives a 'Port Unavailable' message, the service must no longer be
running and the Foundry removes the server from the farm and redirects
traffic to available servers.  If it receives nothing, it assumes the
service must be running and the message was received successfully.

My problem is that my syslog-ng receives this message and processes it.  My
conf dictates that anything coming over udp 514 get written to a $HOST macro
and $DATE macro expanded filename.  So, I end up with a directory that
contains files with garbage messages from the Foundry switch.

How do I put a filter in to redirect these garbage test messages?
Preferably redirecting them to pipe("/dev/null").

My foundry is called ns-foundry1 in my DNS server and its IP is  The config file below allows the Foundry garbage messages to
hit on the second log statement (log { source(src); destination(everything);
};), which is bad.

Thanks for your help...

Here is my config file:

options {

source foundry { udp(ip("") port(514)); };
source int { unix-stream("/dev/log"); internal(); };
source src { udp(port(514)); };

destination everything {

filter foundryfilt { host("ns-foundry1"); };

destination void { pipe("/dev/null"); };
destination internallogs { file("/var/log/messages"); };

log { source(foundry); filter(foundryfilt); destination(void); };
log { source(src); destination(everything); };
log { filter(DEFAULT); destination(internallogs); };

Brian Leveille
Senior Internetworking Engineer
DefendNet Solutions, Inc.
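
An added example, not part of the original post and not the poster's configuration: one way to keep the load balancer's probe messages out of the per-host files. It assumes a syslog-ng release that supports `flags(final)` and the `netmask()` filter; 192.0.2.10 is a placeholder for the Foundry's address (elided in the post), and the per-host file path is illustrative.

```conf
# Added example. Placeholder values: 192.0.2.10 (Foundry address),
# /var/log/hosts/... (per-host path). Assumes flags(final) and netmask().

# ip() on a udp() source sets the local address to bind to; it does not
# select senders. One listener is used and the sender is matched by a filter.
source src { udp(port(514)); };
source int { unix-stream("/dev/log"); internal(); };

# Match the health-check probes by sender address rather than by the HOST
# field, which depends on name resolution and on how the payload parses.
filter foundryfilt { netmask("192.0.2.10/255.255.255.255"); };

# file() is used here in place of the post's pipe("/dev/null").
destination void { file("/dev/null"); };
destination everything {
    file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY.log" create_dirs(yes));
};
destination internallogs { file("/var/log/messages"); };

# Log statements are evaluated independently, so a message that matches the
# first statement still reaches the second unless processing is stopped.
# flags(final) ends processing for every message this statement matches.
log { source(src); filter(foundryfilt); destination(void); flags(final); };

# Everything else arriving on UDP 514 goes to the per-host files.
log { source(src); destination(everything); };

# Local and internal messages; the post's DEFAULT filter is not shown in the
# message, so it is left out here.
log { source(int); destination(internallogs); };
```

The statement carrying `flags(final)` has to appear before the catch-all statement, since it only stops processing by the statements that follow it.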