[syslog-ng] syslog-ng- filter() problem

Fri Aug 5 22:41:41 CEST 2005

HI,

 Am currently using Syslog-ng to collect snmptraps. 

My problem is that I amcurrently receiving traps from three different
networks and I have to filter them out.

I am receiving traps from 64.251.65.224/255.255.255.240

                                    66.163.79.0/255.255.255.128

                                    204.209.214.0/255.255.254.0

Where I want traps from 64.251.65.224/255.255.255.240 and
66.163.79.0/255.255.255.128 to be stored in one file 

While traps from 204.209.214.0/255.255.254.0 in another.

Currently this is what my syslog-ng.conf looks like

And I am receiving nothing :-(

I am very frustrated with this.

Please help.

Thank you.

options {

        long_hostnames(yes);

        keep_hostname(yes);

        use_fqdn(on);

        create_dirs(yes);

        owner(nmadmin);

        group(users);

        perm(0755);

        dir_owner(nmadmin);

        dir_group(users);

        dir_perm(0755);

        sync(0);

        # The default action of syslog-ng 1.6.0 is to log a STATS line

        # to the file every 10 minutes.  That's pretty ugly after a while.

        # Change it to every 12 hours so you get a nice daily update of

        # how many messages syslog-ng missed (0).

        stats(43200);

};

source src{unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

filter f_messages { not level(warn); };

log { source(src);  filter(f_messages); destination(messages); };

#for SNMPTRAP

destination ipbb_lab_traps {
file("/store/ipbb_lab/traps/$YEAR-$MONTH-$DAY"); };

destination ipbb_traps { file("/store/ipbb/traps/$YEAR-$MONTH-$DAY"); };

#filter snmptrap

filter f_testA { level(warn)and netmask(64.251.65.224/255.255.255.240); };

filter f_testB { level(warn)and netmask(66.163.79.0/255.255.255.128); };

log { source(src); filter(f_testA); destination(ipbb_traps); };

log { source(src); filter(f_testB); destination(ipbb_traps); };

filter f_test2 { level(warn)and netmask(204.209.214.0/255.255.254.0); };

log { source(src); filter (f_test2); destination(ipbb_lab_traps); };

Kelly Pow

IP Backbone Networks Intern

Shaw CableSystems G.P

Tel: 1.403.303.6387

kelly.pow at sjrb.ca <mailto:kelly.pow at sjrb.ca> 

  _____  

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Frans Stekelenburg
Sent: Wednesday, August 03, 2005 5:27 AM
To: Syslog-ng users' and developers' mailing list;
ebroo at healthydirections.com
Subject: RE: [syslog-ng] syslog-ng- filter() problem

try making another filter first with the three filters and 'or' statements.

Sounds like your config creates an and-and-and situation for you, leading in
nothing beeing logged.

I think I came across this situation on one of the helpful pages around
(google), but unfortunatly don't remember where, so I can't refer you to it.

regards,

frans

  _____  

From: Kelly Pow [mailto:kelly.pow at sjrb.ca] 
Sent: dinsdag 2 augustus 2005 18:55
To: Syslog-ng users' and developers' mailing list;
ebroo at healthydirections.com
Subject: RE: [syslog-ng] syslog-ng- filter() problem

Hi,

I am collecting traps and syslog data

Yes they are being sent to the right place.

Yes the destinations exist and the permissions are correct

I am running Gentoo

And syslog-ng version- 1.6.5-r2

The problem is: 

log { source(src); filter(f_snmptrap); filter(f_ipbb1); filter (f_ipbb2);
destination(ipbb_traps); };

if I only have : 

log { source(src); filter(f_snmptrap); destination(ipbb_traps); };

or 

log { source(src); filter(f_ipbb1); destination(ipbb_traps); };

but when I add more filters it give me nothing

Why?

Kelly Pow

IP Backbone Networks Intern

Shaw CableSystems G.P

Tel: 1.403.303.6387

kelly.pow at sjrb.ca <mailto:kelly.pow at sjrb.ca> 

  _____  

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Edward Brookhouse
Sent: Friday, July 29, 2005 5:08 AM
To: 'Syslog-ng users' and developers' mailing list'
Subject: RE: [syslog-ng] syslog-ng- filter() problem

Are you collecting traps or syslog data ? 

Tcpdump is your friend  - are the syslog speakers speaking to the right
place ?

Is anything else being logged on the box from other sources?

Does the destination exist and permissions correct 

What os ? Which versions of syslog-ng  

  _____  

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Kelly Pow
Sent: Thursday, July 28, 2005 5:55 PM
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] syslog-ng- filter() problem

Hi,

I am trying to collect traps from these two networks.
66.163.79.0/255.255.255.128 and 64.251.65.224/255.255.255.240

I don't understand why when I do this it doesn't collect anything

Any ideas/.??

----------------------------------------------------------------------------
---------------------------

source src{unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

filter f_messages { not level(warn); };

log { source(src);  filter(f_messages); destination(messages); };

#filter snmptrap

filter f_snmptrap { level(warn); };

#testing filters for the different networks

filter f_ipbb1 {netmask("66.163.79.0/255.255.255.128"); };

filter f_ipbb2 {netmask("64.251.65.224/255.255.255.240"); };

destination ipbb_traps { file("/store/ipbb/traps/$YEAR-$MONTH-$DAY"); };

log { source(src); filter(f_snmptrap); filter(f_ipbb1); filter (f_ipbb2);
destination(ipbb_traps); };

----------------------------------------------------------------------------
-------------------------------

Kelly Pow

IP Backbone Networks Intern

Shaw CableSystems G.P

Tel: 1.403.303.6387

kelly.pow at sjrb.ca <mailto:kelly.pow at sjrb.ca> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20050805/23bad2a9/attachment.html