[syslog-ng] 2 more question...please help

Keven Belanger kbelanger@logicon.ca
Tue, 27 Aug 2002 11:23:05 -0400


Okay! We have 2 problems:

1- The hostname of the syslog receiver is SECU-Rcv1 and SECU-Rcv2.
   So with a destination like:

       destination d_std { file("/export/disk1/log/$HOST/$YEAR/$MONTH/messages.log"); };

   We receive the log in /export/disk1/log/SECU-Rcv2 on the local host. Why not the IP like the other hosts?

2- We have 2 syslog collectors and a big config file with each host (customer) defined line by line and a rule with unknown.
   The problem is that each host logs correctly to its respective directory but they also log to my unknown directory. I want
   to be able to say: if no filter matches, log to unknown...

   Thanks a lot!

Kéven Belanger
Security Solutions Analyst
Logicon Inc. - Division Sécurité
819.825.8049 x7717
800.567.6399 x7717
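The "log to unknown only if no filter matched" routing from the second question, sketched with syslog-ng's fallback log-path flag. This is an added example, not part of the original message: the source, filter and destination names, the 192.0.2.x addresses and the per-customer paths are all hypothetical.

```conf
# Added example. All names, addresses and customer paths are hypothetical.

source s_net { udp(ip(0.0.0.0) port(514)); };

# One filter per customer host. netmask() matches on the sender's IP
# address rather than on the hostname text carried inside the message.
filter f_cust_a { netmask("192.0.2.10/255.255.255.255"); };
filter f_cust_b { netmask("192.0.2.20/255.255.255.255"); };

destination d_cust_a {
    file("/export/disk1/log/cust_a/$YEAR/$MONTH/messages.log");
};
destination d_cust_b {
    file("/export/disk1/log/cust_b/$YEAR/$MONTH/messages.log");
};
destination d_unknown {
    file("/export/disk1/log/unknown/$HOST/$YEAR/$MONTH/messages.log");
};

# Regular log paths: each message is tested against every one of these.
log { source(s_net); filter(f_cust_a); destination(d_cust_a); };
log { source(s_net); filter(f_cust_b); destination(d_cust_b); };

# Fallback log path: receives a message only when none of the
# non-fallback log paths above matched it.
log { source(s_net); destination(d_unknown); flags(fallback); };
```

Any non-fallback log path on the same source that has no filter matches every message, so the fallback path would then never receive anything; keep unfiltered catch-all paths off this source.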
