[syslog-ng]regex and priority(local7) question

Rule, Ted syslog-ng@lists.balabit.hu
Wed, 3 Mar 2004 14:39:27 -0000


all levels

> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
> Sent: Wednesday 03 March 2004 14:38
> To: syslog-ng@lists.balabit.hu
> Subject: RE: [syslog-ng]regex and priority(local7) question
>
> I do have one quick question on the
>
> filter f_local7 { facility(local7) and level(debug..emerg); };
>
> does this mean it is grabbing all levels between debug - emerg,
> or just those 2?
>
> thanks again.
>
> ~!>D
>
> This config snippet works for me .... my PIXies are set to log via TCP1468
> rather than UDP/514.
> Real IP Addresses replaced with fakes. As with your situation, I have other
> network gear running on local7 as well. Syslog-ng's wonderful filtration
> allows for a nice separation of all the classes of
> switch/router/firewall/VPN-bricks.
>
> Ted
>
> ......
> source local {
>         unix_stream("/dev/log" max-connections(200) keep-alive(yes) );
>
>         # UDP listeners for Internal syslog-ng interconnections
>         udp(ip(127.0.0.1) port(514));
>         udp(ip(1.2.3.4) port(514));
>
> };
>
> source pixtcp {
>         tcp(ip(1.2.3.4) port(1468)
>                 max-connections(10) keep-alive(yes));
> };
>
> filter f_local7 { facility(local7) and level(debug..emerg); };
> filter f_pixmsg { match("%PIX"); };
> filter f_misclocal7 { filter(f_local7)
>                         and not filter(f_pixmsg); };
>
> destination d_local7 { file("/var/log/local7.debug" sync(0) ); };
> destination d_pixlog { file("/var/log/pixlog.debug" sync(0) ); };
>
> log { source(pixtcp);
>         filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
> log { source(local); filter(f_misclocal7); destination(d_local7); };
>
> ......
>
> >> -----Original Message-----
> >> From: syslog-ng-admin@lists.balabit.hu
> >> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
> >> Sent: Monday 01 March 2004 17:11
> >> To: syslog-ng@lists.balabit.hu
> >> Subject: [syslog-ng]regex and priority(local7) question
> >>
> >>
> >> Good Morning,
> >>     I'm new to the list and have a couple questions.
> >>
> >>     I have a PIX firewalls logging on local7.info, how can I match this
> >> correctly? I also have switches logging on local7.info but I need this
> >> one pix removed and placed into its own destination.
> >>
> >>     Where can I get a list of the regex syntax used in syslog-ng? like
> >> perl / awk / grep etc.
> >>
> >>     Here is what I currently have:
> >>
> >> ------ Snip -------
> >>     ## Regex
> >> filter f_fw01 {
> >>         host("x.x.x.x") and match("PIX");
> >> };
> >> filter f_fw02 {
> >>         host("x.x.x.x") and match("PIX");
> >> };
> >> filter f_fw03 {
> >>         host("x.x.x.x") and match("PIX");
> >> };
> >> filter f_fw04 {
> >>         host("x.x.x.x") and match("PIX");
> >> };
> >>
> >> #!!! not working yet.. .
> >> filter f_pix{
> >>         facility(local7) and match("%PIX*");
> >> };
> >>
> >> filter f_iss {
> >>         match("issDaemon");
> >> };
> >> filter f_snmp {
> >>         match("ucd-snmp");
> >> };
> >>
> >> ## everything else incoming
> >> filter f_local7 { facility(local7); };
> >>
> >>
> >> ----- snip ------
> >>
> >> TIA.
> >>
> >> ~!>D
> >> _______________________________________________
> >> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> >> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
> **************************************************************
> **********************************
>
> This E-mail message, including any attachments, is intended only for the
> person or entity to which it is addressed, and may contain confidential
> information.
> If you are not the intended recipient, any review, retransmission,
> disclosure, copying, modification or other use of this E-mail message or
> attachments is strictly forbidden.
> If you have received this E-mail message in error, please contact the
> author and delete the message and any attachments from your computer.
> You are also advised that the views and opinions expressed in this E-mail
> message and any attachments are the author's own, and may not reflect the
> views and opinions of FLEXTECH Television Limited.
> **************************************************************
> **********************************


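Added example (not part of the original thread, and not syslog-ng code): a small Python model of the three filters and two log statements in the quoted configuration, run over constructed sample lines. It shows that level(debug..emerg) selects every severity in the range rather than just the two endpoints, and that a %PIX message arriving on the `local` source is written by neither of the two log statements shown. The function names mirror the filter names in the config; the PRI decoding and the sample lines are assumptions of this sketch.

```python
# Added model of the quoted config's filters; not syslog-ng code.
import re

# Severity names in syslog order: 0 = emerg (most severe) ... 7 = debug.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL7 = 23  # facility code for local7 (local0 = 16)

def decode_pri(line):
    """Split '<PRI>text' into (facility, level name, text); PRI = facility*8 + severity."""
    m = re.match(r"<(\d{1,3})>(.*)", line)
    if m is None:
        raise ValueError("no <PRI> prefix: %r" % line)
    pri = int(m.group(1))
    return pri >> 3, LEVELS[pri & 7], m.group(2)

def level_range(lo, hi):
    """Names selected by level(lo..hi): both endpoints and everything between."""
    a, b = sorted((LEVELS.index(lo), LEVELS.index(hi)))
    return set(LEVELS[a:b + 1])

def f_local7(fac, lvl, msg):
    return fac == LOCAL7 and lvl in level_range("debug", "emerg")

def f_pixmsg(fac, lvl, msg):
    return "%PIX" in msg  # match("%PIX") has no metacharacters: substring test

def f_misclocal7(fac, lvl, msg):
    return f_local7(fac, lvl, msg) and not f_pixmsg(fac, lvl, msg)

def route(source, line):
    """Destinations the two quoted log statements write to for a line from `source`."""
    fields = decode_pri(line)
    dests = []
    if source == "pixtcp" and f_local7(*fields) and f_pixmsg(*fields):
        dests.append("d_pixlog")
    if source == "local" and f_misclocal7(*fields):
        dests.append("d_local7")
    return dests

# Constructed sample lines: 190 = local7.info, 191 = local7.debug, 38 = auth.info.
SAMPLES = [
    ("pixtcp", "<190>%PIX-6-302013: Built outbound TCP connection"),
    ("local", "<191>switch01: port Fa0/1 link up"),
    ("local", "<190>%PIX-6-302013: Built outbound TCP connection"),
    ("local", "<38>sshd[411]: session opened"),
]

if __name__ == "__main__":
    for src, line in SAMPLES:
        print(src, line, "->", route(src, line) or "no destination")
```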