[syslog-ng]regex and priority(local7) question

Rule, Ted syslog-ng@lists.balabit.hu
Tue, 2 Mar 2004 09:24:59 -0000


This config snippet works for me .... my PIXies are set to log via TCP1468
rather than UDP/514.
Real IP Addresses replaced with fakes. As with your situation, I have other network
gear running on local7 as well. Syslog-ng's wonderful filtration allows for a nice separation
of all the classes of switch/router/firewall/VPN-bricks.


Ted

......
source local {
        unix_stream("/dev/log" max-connections(200) keep-alive(yes) );

        # UDP listeners for Internal syslog-ng interconnections
        udp(ip(127.0.0.1) port(514));
        udp(ip(1.2.3.4) port(514));

};

source pixtcp {
        tcp(ip(1.2.3.4) port(1468)
                max-connections(10) keep-alive(yes));
};

filter f_local7 { facility(local7) and level(debug..emerg); };
filter f_pixmsg { match("%PIX"); };
filter f_misclocal7 { filter(f_local7)
                        and not filter(f_pixmsg); };

destination d_local7 { file("/var/log/local7.debug" sync(0) ); };
destination d_pixlog { file("/var/log/pixlog.debug" sync(0) ); };

log { source(pixtcp);
        filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
log { source(local); filter(f_misclocal7); destination(d_local7); };

......


> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
> Sent: Monday 01 March 2004 17:11
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng]regex and priority(local7) question
>
>
> Good Morning,
>     I'm new to the list and have a couple of questions.
>
>     I have PIX firewalls logging on local7.info; how can I
> match this
> correctly? I also have switches logging on local7.info, but I
> need this
> one pix removed and placed into its own destination.
>
>     Where can I get a list of the regex syntax used in
> syslog-ng? Like
> perl / awk / grep etc.
>
>     Here is what I currently have:
>
> ------ Snip -------
>     ## Regex
> filter f_fw01 {
>         host("x.x.x.x") and match("PIX");
> };
> filter f_fw02 {
>         host("x.x.x.x") and match("PIX");
> };
> filter f_fw03 {
>         host("x.x.x.x") and match("PIX");
> };
> filter f_fw04 {
>         host("x.x.x.x") and match("PIX");
> };
>
> #!!! not working yet.. .
> filter f_pix{
>         facility(local7) and match("%PIX*");
> };
>
> filter f_iss {
>         match("issDaemon");
> };
> filter f_snmp {
>         match("ucd-snmp");
> };
>
> ## everything else incoming
> filter f_local7 { facility(local7); };
>
>
> ----- snip ------
>
> TIA.
>
> ~!>D
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>


************************************************************************************************
This E-mail message, including any attachments, is intended only for the person
or entity to which it is addressed, and may contain confidential information.
If you are not the intended recipient, any review, retransmission, disclosure,
copying, modification or other use of this E-mail message or attachments is
strictly forbidden.
If you have received this E-mail message in error, please contact the author and
delete the message and any attachments from your computer.
You are also advised that the views and opinions expressed in this E-mail
message and any attachments are the author's own, and may not reflect the views
and opinions of FLEXTECH Television Limited.
************************************************************************************************
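To see how the filters in Ted's config combine, here is an added example that is not part of Ted's post or of syslog-ng itself: a small Python model that decodes the BSD syslog PRI header into facility and severity, evaluates `f_local7`, `f_pixmsg` and `f_misclocal7` as predicates, and applies the two log paths to a handful of constructed sample lines. The source names `pixtcp` and `local` mirror the config; the hostnames, timestamps and message bodies are made up. The model also shows an edge case the config leaves implicit (a `%PIX` line that arrives on the `local` source matches neither path) and why the `match("%PIX*")` filter in the original question behaves differently from a shell wildcard: `match()` takes a regular expression, so `*` quantifies the preceding `X`.

```python
import re

# BSD syslog PRI field (RFC 3164): PRI = facility * 8 + severity.
# local7 is facility 23; severities run from 0 (emerg) to 7 (debug),
# so level(debug..emerg) in the config admits every severity.
LOCAL7 = 23
SEV_EMERG, SEV_DEBUG = 0, 7

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Split a raw syslog line into (facility, severity, text after PRI).

    A line without a PRI header yields (None, None, line); syslog-ng would
    assign it a default facility/priority, which this model does not do.
    """
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def regex_matches(pattern, text):
    """Model of syslog-ng match(): an unanchored regular-expression search."""
    return re.search(pattern, text) is not None


# The three filters from the config, as predicates over one message.
def f_local7(fac, sev, msg):
    return fac == LOCAL7 and SEV_EMERG <= sev <= SEV_DEBUG


def f_pixmsg(fac, sev, msg):
    return regex_matches(r"%PIX", msg)


def f_misclocal7(fac, sev, msg):
    return f_local7(fac, sev, msg) and not f_pixmsg(fac, sev, msg)


def route(records):
    """Apply the two log paths to (source_name, raw_line) records.

    Returns a dict of destination -> list of message texts, plus a
    'dropped' list for records that no log path accepted.
    """
    out = {"d_pixlog": [], "d_local7": [], "dropped": []}
    for source, line in records:
        fac, sev, msg = parse_pri(line)
        if fac is None:
            out["dropped"].append(msg)
            continue
        delivered = False
        # log { source(pixtcp); filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
        # Several filter() statements in one log path must all be true.
        if source == "pixtcp" and f_local7(fac, sev, msg) and f_pixmsg(fac, sev, msg):
            out["d_pixlog"].append(msg)
            delivered = True
        # log { source(local); filter(f_misclocal7); destination(d_local7); };
        if source == "local" and f_misclocal7(fac, sev, msg):
            out["d_local7"].append(msg)
            delivered = True
        if not delivered:
            out["dropped"].append(msg)
    return out


# Constructed sample records: PRI 190 is local7.info, PRI 38 is auth.info.
SAMPLE = [
    ("pixtcp", "<190>Mar  1 17:11:00 fw01 %PIX-6-302013: Built outbound TCP connection 4711 for outside:10.0.0.5/443"),
    ("local", "<190>Mar  1 17:11:01 sw01 37: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up"),
    ("local", "<38>Mar  1 17:11:02 host1 sshd[4242]: Accepted publickey for ops from 10.0.0.9"),
    ("local", "<190>Mar  1 17:11:03 fw02 %PIX-4-106023: Deny tcp src outside:10.0.0.7/5555 dst inside:10.1.0.2/22"),
]

if __name__ == "__main__":
    for dest, msgs in route(SAMPLE).items():
        print(dest)
        for m in msgs:
            print("   ", m)
    # Regex, not glob: "%PIX*" also matches "%PI" with zero X's.
    print('match("%PIX*") on "%PI-":', regex_matches(r"%PIX*", "%PI-"))
```

Running it sends the fw01 line to `d_pixlog`, the switch line to `d_local7`, and leaves two records in `dropped`: the sshd line because it is not local7, and the fw02 line because a `%PIX` message on the `local` source is excluded by `f_misclocal7` and never enters the `pixtcp` path. If PIX units might ever log over UDP/514 as well, either point them all at the TCP listener or add `source(local)` to the `d_pixlog` path.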