[syslog-ng]regex and priority(local7) question

cdowns syslog-ng@lists.balabit.hu
Wed, 03 Mar 2004 08:37:36 -0600


I do have one quick question on the

filter f_local7 { facility(local7) and level(debug..emerg); };

Does this mean it is grabbing all levels between debug - emerg, or just those 2?

Thanks again.

~!>D




This config snippet works for me .... my PIXies are set to log via TCP/1468
rather than UDP/514.
Real IP addresses replaced with fakes. As with your situation, I have other
network gear running on local7 as well. Syslog-ng's wonderful filtration
allows for a nice separation of all the classes of
switch/router/firewall/VPN-bricks.


Ted

......
source local {
        unix_stream("/dev/log" max-connections(200) keep-alive(yes) );

        # UDP listeners for Internal syslog-ng interconnections
        udp(ip(127.0.0.1) port(514));
        udp(ip(1.2.3.4) port(514));

};

source pixtcp {
        tcp(ip(1.2.3.4) port(1468)
                max-connections(10) keep-alive(yes));
};

filter f_local7 { facility(local7) and level(debug..emerg); };
filter f_pixmsg { match("%PIX"); };
filter f_misclocal7 { filter(f_local7)
                        and not filter(f_pixmsg); };

destination d_local7 { file("/var/log/local7.debug" sync(0) ); };
destination d_pixlog { file("/var/log/pixlog.debug" sync(0) ); };

log { source(pixtcp);
        filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
log { source(local); filter(f_misclocal7); destination(d_local7); };

......



>> -----Original Message-----
>> From: syslog-ng-admin@lists.balabit.hu
>> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
>> Sent: Monday 01 March 2004 17:11
>> To: syslog-ng@lists.balabit.hu
>> Subject: [syslog-ng]regex and priority(local7) question
>>
>>
>> Good Morning,
>>     I'm new to the list and have a couple questions.
>>
>>     I have a PIX firewalls logging on local7.info, how can I match this
>> correctly? I also have switches logging on local7.info but I need this
>> one pix removed and placed into its own destination.
>>
>>     Where can I get a list of the regex syntax used in syslog-ng? Like
>> perl / awk / grep etc.
>>
>>     Here is what I currently have:
>>
>> ------ Snip -------
>>     ## Regex
>> filter f_fw01 {
>>         host("x.x.x.x") and match("PIX");
>> };
>> filter f_fw02 {
>>         host("x.x.x.x") and match("PIX");
>> };
>> filter f_fw03 {
>>         host("x.x.x.x") and match("PIX");
>> };
>> filter f_fw04 {
>>         host("x.x.x.x") and match("PIX");
>> };
>>
>> #!!! not working yet.. .
>> filter f_pix{
>>         facility(local7) and match("%PIX*");
>> };
>>
>> filter f_iss {
>>         match("issDaemon");
>> };
>> filter f_snmp {
>>         match("ucd-snmp");
>> };
>>
>> ## everything else incoming
>> filter f_local7 { facility(local7); };
>>
>>
>> ----- snip ------
>>
>> TIA.
>>
>> ~!>D
>> _______________________________________________
>> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html


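The filter logic discussed in this thread, modelled in Python as an added example (not code from the list posts or from syslog-ng itself): `level(debug..emerg)` is evaluated as an inclusive range over all eight severities, `match("%PIX")` as an unanchored regex search, and the two `log` statements are applied per source. The function names and the sample lines are constructed for illustration.

```python
import re

# Syslog severity names in numeric order (0 = emerg ... 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL7 = 23  # numeric facility code for local7

def parse_pri(line):
    """Split '<PRI>msg' into (facility, severity, msg); PRI = facility*8 + severity."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("no PRI header")
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)

def level_range(a, b):
    """Model of level(a..b): every severity between the two names, inclusive."""
    lo, hi = sorted((SEVERITIES.index(a), SEVERITIES.index(b)))
    return set(range(lo, hi + 1))

def route(source, line):
    """Apply the two log statements from the config; return destination names."""
    fac, sev, msg = parse_pri(line)
    f_local7 = fac == LOCAL7 and sev in level_range("debug", "emerg")
    f_pixmsg = re.search("%PIX", msg) is not None  # substring-style regex match
    dests = []
    if source == "pixtcp" and f_local7 and f_pixmsg:
        dests.append("d_pixlog")
    if source == "local" and f_local7 and not f_pixmsg:  # f_misclocal7
        dests.append("d_local7")
    return dests

# Constructed sample lines: <190> = local7.info, <187> = local7.err, <38> = auth.info
SAMPLES = [
    ("pixtcp", "<190>%PIX-6-302013: Built outbound TCP connection"),
    ("local", "<187>switch01 %LINK-3-UPDOWN: Interface down"),
    ("local", "<190>%PIX-6-302013: Built outbound TCP connection"),
    ("local", "<38>sshd[411]: session opened"),
]

if __name__ == "__main__":
    print(sorted(SEVERITIES[s] for s in level_range("debug", "emerg")))
    for src, line in SAMPLES:
        print(src, route(src, line) or "no destination", line)
```

The third sample shows a side effect of this layout: a PIX message that arrives on the `local` source matches neither `log` statement and is written nowhere, which is worth checking if any firewall still logs over UDP/514.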