[syslog-ng]regex and priority(local7) question
cdowns
syslog-ng@lists.balabit.hu
Tue, 02 Mar 2004 07:36:21 -0600
Ted,
Thank you for the reply, I'll give this a try.
Sincerely,
Christopher M Downs
Rule, Ted wrote:
>This config snippet works for me .... my PIXies are set to log via TCP1468 rather than UDP/514.
>Real IP Addresses replaced with fakes. As with your situation, I have other network
>gear running on local7 as well. Syslog-ng's wonderful filtration allows for a nice separation
>of all the classes of switch/router/firewall/VPN-bricks.
>
>
>Ted
>
>......
>source local {
> unix_stream("/dev/log" max-connections(200) keep-alive(yes) );
>
> # UDP listeners for Internal syslog-ng interconnections
> udp(ip(127.0.0.1) port(514));
> udp(ip(1.2.3.4) port(514));
>
>};
>
>source pixtcp {
> tcp(ip(1.2.3.4) port(1468)
> max-connections(10) keep-alive(yes));
>};
>
>filter f_local7 { facility(local7) and level(debug..emerg); };
>filter f_pixmsg { match("%PIX"); };
>filter f_misclocal7 { filter(f_local7)
> and not filter(f_pixmsg); };
>
>destination d_local7 { file("/var/log/local7.debug" sync(0) ); };
>destination d_pixlog { file("/var/log/pixlog.debug" sync(0) ); };
>
>log { source(pixtcp);
> filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
>log { source(local); filter(f_misclocal7); destination(d_local7); };
>
>......
>
>
>
>
>>-----Original Message-----
>>From: syslog-ng-admin@lists.balabit.hu
>>[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
>>Sent: Monday 01 March 2004 17:11
>>To: syslog-ng@lists.balabit.hu
>>Subject: [syslog-ng]regex and priority(local7) question
>>
>>
>>Good Morning,
>> I'm new to the list and have a couple of questions.
>>
>> I have PIX firewalls logging on local7.info; how can I match this
>>correctly? I also have switches logging on local7.info, but I need this
>>one PIX removed and placed into its own destination.
>>
>> Where can I get a list of the regex syntax used in syslog-ng? Like
>>perl / awk / grep etc.
>>
>> Here is what I currently have:
>>
>>------ Snip -------
>> ## Regex
>>filter f_fw01 {
>> host("x.x.x.x") and match("PIX");
>>};
>>filter f_fw02 {
>> host("x.x.x.x") and match("PIX");
>>};
>>filter f_fw03 {
>> host("x.x.x.x") and match("PIX");
>>};
>>filter f_fw04 {
>> host("x.x.x.x") and match("PIX");
>>};
>>
>>#!!! not working yet.. .
>>filter f_pix{
>> facility(local7) and match("%PIX*");
>>};
>>
>>filter f_iss {
>> match("issDaemon");
>>};
>>filter f_snmp {
>> match("ucd-snmp");
>>};
>>
>>## everything else incoming
>>filter f_local7 { facility(local7); };
>>
>>
>>----- snip ------
>>
>>TIA.
>>
>>~!>D
>>_______________________________________________
>>syslog-ng maillist - syslog-ng@lists.balabit.hu
>>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
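As an added illustration (not code from either message), the Python below emulates the routing in Ted's config against constructed sample lines: it decodes the PRI into facility and level, treats match() as an unanchored regular-expression search (an assumption about syslog-ng's behaviour, and also the reason the original `%PIX*` pattern matches more than a glob would), and collapses the two sources into a single input list.

```python
import re

# RFC 3164 PRI = facility * 8 + level; local7 is facility 23.
LOCAL7 = 23
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(line):
    """Return (facility, level_name, rest) for a raw syslog line, or None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, LEVELS[pri % 8], m.group(2)

def match(pattern, msg):
    """Emulates syslog-ng match(): an unanchored regex search, not a shell glob (assumption)."""
    return re.search(pattern, msg) is not None

# The three filters from Ted's reply, as predicates on a parsed message.
def f_local7(fac, lvl, msg):
    return fac == LOCAL7  # level(debug..emerg) spans every level, so facility alone decides

def f_pixmsg(fac, lvl, msg):
    return match(r"%PIX", msg)

def f_misclocal7(fac, lvl, msg):
    return f_local7(fac, lvl, msg) and not f_pixmsg(fac, lvl, msg)

def route(lines):
    """Apply the two log{} statements; returns the messages written to each destination."""
    out = {"d_pixlog": [], "d_local7": []}
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:  # malformed PRI: neither log path fires
            continue
        if f_local7(*parsed) and f_pixmsg(*parsed):
            out["d_pixlog"].append(parsed[2])
        if f_misclocal7(*parsed):
            out["d_local7"].append(parsed[2])
    return out

# Constructed sample traffic: PIX on local7.info (<190>), switch on local7.notice (<189>),
# a Unix host on auth.info (<38>), and a stray line with no PRI header at all.
SAMPLE = [
    "<190>Mar  2 07:36:21 fw01 %PIX-6-302013: Built outbound TCP connection 10 for outside:192.0.2.9/80",
    "<189>Mar  2 07:36:22 sw01 12: %SYS-5-CONFIG_I: Configured from console by vty0",
    "<38>Mar  2 07:36:23 host1 sshd[4242]: Accepted publickey for ops from 192.0.2.5",
    "Mar  2 07:36:24 stray line without a PRI header",
]
```

Running `route(SAMPLE)` sends only the PIX line to d_pixlog and only the switch line to d_local7; the auth.info and PRI-less lines reach neither.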