[syslog-ng]regex and priority(local7) question
cdowns
syslog-ng@lists.balabit.hu
Wed, 03 Mar 2004 16:01:47 -0600
Awesome, works like a champ. I have to say this syslog-ng is the cats
a55 in logging applications.
Thanks again.
~!>D
--- snip ------
filter f_local7 {
facility(local7) and level(debug..emerg);
};
filter f_pixm {
match("PIX");
};
filter f_misclocal7 {
filter (f_local7) and not filter(f_pixm);
};
filter f_iss {
match("issDaemon");
};
filter f_snmp {
match("ucd-snmp");
};
## Custom Logs
log { source(net); filter(f_pixm); destination(pix); };
log { source(net); filter(f_misclocal7); destination(local7); };
log { source(net); filter(f_iss); destination(iss); };
log { source(net); filter(f_snmp); destination(snmp); };
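
As an added illustration (not code from this thread and not part of syslog-ng itself), the following Python model shows the filter semantics the thread is about: it parses the PRI field of a few constructed syslog lines into facility and level, expands level(debug..emerg) the way syslog-ng does (all eight levels, which is the "all levels" answer), and runs both the final log paths above and Ted's facility-restricted ones over those lines. The FACILITIES and LEVELS tables, the line regex, the function names and the sample lines are assumptions made for this example; only the filter definitions mirror the configs posted in the thread.

```python
"""Added example, not code from the thread: a small Python model of how
syslog-ng's facility(), level() and match() filters decide which log path
a message takes, run over constructed syslog lines. Assumptions: match()
is tested against the message text after the hostname (as in syslog-ng
1.x), regexes are case-sensitive, and the log statements are the ones
posted in the thread (cdowns' final version and Ted's)."""
import re

# Facility codes 0-23 and severity codes 0-7, as packed into the PRI field.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<message>.*)$"
)

def parse(line):
    """Split a BSD-style syslog line into facility, level, host and message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    fac, lvl = divmod(int(m["pri"]), 8)
    if fac >= len(FACILITIES):
        raise ValueError("PRI out of range: %s" % m["pri"])
    return {"facility": FACILITIES[fac], "level": LEVELS[lvl],
            "host": m["host"], "message": m["message"]}

# Each filter is a function of a parsed message returning True or False,
# mirroring the syslog-ng filter expressions used in the thread.
def facility(name):
    return lambda msg: msg["facility"] == name

def levels_matched(spec):
    """Expand a level() argument: 'info' -> ['info'], 'debug..emerg' -> all 8."""
    if ".." in spec:
        a, b = spec.split("..")
        lo, hi = sorted((LEVELS.index(a), LEVELS.index(b)))
        return LEVELS[lo:hi + 1]
    return [LEVELS[LEVELS.index(spec)]]

def level(spec):
    allowed = set(levels_matched(spec))
    return lambda msg: msg["level"] in allowed

def match(pattern):
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["message"]) is not None

def and_(*filters):
    return lambda msg: all(f(msg) for f in filters)

def not_(f):
    return lambda msg: not f(msg)

# cdowns' final filters and log paths.
f_local7 = and_(facility("local7"), level("debug..emerg"))
f_pixm = match("PIX")
f_misclocal7 = and_(f_local7, not_(f_pixm))
f_iss = match("issDaemon")
f_snmp = match("ucd-snmp")
CDOWNS_PATHS = [("pix", f_pixm), ("local7", f_misclocal7),
                ("iss", f_iss), ("snmp", f_snmp)]

# Ted's version: two filter() calls in one log statement are ANDed, so the
# pix destination only gets messages that are local7 AND contain "%PIX".
f_pixmsg = match("%PIX")
TED_PATHS = [("d_pixlog", and_(f_local7, f_pixmsg)),
             ("d_local7", and_(f_local7, not_(f_pixmsg)))]

def route(line, paths=CDOWNS_PATHS):
    """Return the destination names whose filters accept this line."""
    msg = parse(line)
    return [name for name, f in paths if f(msg)]

# Constructed sample lines, not real device output. PRI 190 = local7.info.
SAMPLE_LINES = [
    "<190>Mar  3 16:01:47 fw01 %PIX-6-302013: Built outbound TCP connection 12 "
    "for outside:198.51.100.7/443 to inside:192.0.2.10/51022",
    "<189>Mar  3 16:01:48 sw01 37: %SYS-5-CONFIG_I: Configured from console by admin",
    "<14>Mar  3 16:01:49 ids01 issDaemon[2211]: sensor heartbeat ok",
    "<30>Mar  3 16:01:50 host01 snmpd[811]: ucd-snmp: Connection from 192.0.2.20",
    "<191>Mar  3 16:01:51 fw02 %PIX-7-710005: UDP request discarded from 192.0.2.33/137",
    # A user.info line whose text merely mentions PIX: match("PIX") on its own
    # still routes it to the pix destination; the facility-restricted path does not.
    "<14>Mar  3 16:01:52 helpdesk ticketd[9]: PIX firewall change request opened",
]

if __name__ == "__main__":
    print("level(debug..emerg) covers:", levels_matched("debug..emerg"))
    for line in SAMPLE_LINES:
        print(route(line), route(line, TED_PATHS), line[:50])
```

Running it shows the practical difference between the two configs: match("PIX") alone accepts any message that happens to contain the string, whatever facility or sender it came from, while Ted's path ANDs facility(local7) with the pattern. When the pix destination feeds an archive or a SIEM, that distinction decides what is trusted as firewall log.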
Rule, Ted wrote:
>all levels
>
>>-----Original Message-----
>>From: syslog-ng-admin@lists.balabit.hu
>>[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
>>Sent: Wednesday 03 March 2004 14:38
>>To: syslog-ng@lists.balabit.hu
>>Subject: RE: [syslog-ng]regex and priority(local7) question
>>
>>I do have one quick question on the
>>
>>filter f_local7 { facility(local7) and level(debug..emerg); };
>>
>>does this mean it is grabbing all levels between debug - emerg, or just
>>those 2?
>>
>>thanks again.
>>
>>~!>D
>>
>>This config snippet works for me .... my PIXies are set to log via TCP1468
>>rather than UDP/514.
>>Real IP Addresses replaced with fakes. As with your situation, I have other
>>network gear running on local7 as well. Syslog-ng's wonderful filtration
>>allows for a nice separation of all the classes of
>>switch/router/firewall/VPN-bricks.
>>
>>Ted
>>
>>......
>>source local {
>> unix_stream("/dev/log" max-connections(200) keep-alive(yes) );
>>
>> # UDP listeners for Internal syslog-ng interconnections
>> udp(ip(127.0.0.1) port(514));
>> udp(ip(1.2.3.4) port(514));
>>
>>};
>>
>>source pixtcp {
>> tcp(ip(1.2.3.4) port(1468)
>> max-connections(10) keep-alive(yes));
>>};
>>
>>filter f_local7 { facility(local7) and level(debug..emerg); };
>>filter f_pixmsg { match("%PIX"); };
>>filter f_misclocal7 { filter(f_local7)
>> and not filter(f_pixmsg); };
>>
>>destination d_local7 { file("/var/log/local7.debug" sync(0) ); };
>>destination d_pixlog { file("/var/log/pixlog.debug" sync(0) ); };
>>
>>log { source(pixtcp);
>> filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
>>log { source(local); filter(f_misclocal7); destination(d_local7); };
>>
>>......
>>
>>>>-----Original Message-----
>>>>From: syslog-ng-admin@lists.balabit.hu
>>>>[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of cdowns
>>>>Sent: Monday 01 March 2004 17:11
>>>>To: syslog-ng@lists.balabit.hu
>>>>Subject: [syslog-ng]regex and priority(local7) question
>>>>
>>>>Good Morning,
>>>> I'm new to the list and have a couple of questions.
>>>>
>>>> I have PIX firewalls logging on local7.info, how can I match this
>>>>correctly? I also have switches logging on local7.info but I need this
>>>>one pix removed and placed into its own destination.
>>>>
>>>> Where can I get a list of the regex syntax used in syslog-ng? Like
>>>>perl / awk / grep etc.
>>>>
>>>> Here is what I currently have:
>>>>
>>>>------ Snip -------
>>>> ## Regex
>>>>filter f_fw01 {
>>>> host("x.x.x.x") and match("PIX");
>>>>};
>>>>filter f_fw02 {
>>>> host("x.x.x.x") and match("PIX");
>>>>};
>>>>filter f_fw03 {
>>>> host("x.x.x.x") and match("PIX");
>>>>};
>>>>filter f_fw04 {
>>>> host("x.x.x.x") and match("PIX");
>>>>};
>>>>
>>>>#!!! not working yet.. .
>>>>filter f_pix{
>>>> facility(local7) and match("%PIX*");
>>>>};
>>>>
>>>>filter f_iss {
>>>> match("issDaemon");
>>>>};
>>>>filter f_snmp {
>>>> match("ucd-snmp");
>>>>};
>>>>
>>>>## everything else incoming
>>>>filter f_local7 { facility(local7); };
>>>>
>>>>----- snip ------
>>>>
>>>>TIA.
>>>>
>>>>~!>D
>>>>_______________________________________________
>>>>syslog-ng maillist - syslog-ng@lists.balabit.hu
>>>>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>>
>>
>>************************************************************************************************
>>This E-mail message, including any attachments, is intended only for the person
>>or entity to which it is addressed, and may contain confidential information.
>>If you are not the intended recipient, any review, retransmission, disclosure,
>>copying, modification or other use of this E-mail message or attachments is
>>strictly forbidden.
>>If you have received this E-mail message in error, please contact the author and
>>delete the message and any attachments from your computer.
>>You are also advised that the views and opinions expressed in this E-mail
>>message and any attachments are the author's own, and may not reflect the views
>>and opinions of FLEXTECH Television Limited.
>>************************************************************************************************