[syslog-ng] netmask() filter
Al Tobey
tobert at gmail.com
Wed Jul 13 22:07:22 CEST 2005
I'm trying to use the netmask filter to create a separate logfile for
all of our network devices (Cisco gear) logging to our central
syslog-ng log sink. The interfaces doing the syslogging are all on
specific subnets, so I'd like to filter on subnet rather than by
hosts. Lo, and behold, syslog-ng has a netmask() filter. It
doesn't appear to work, though, since none of the variations I've
tried have managed to log anything near the correct data to the
destination. I either get nothing or everything.
For one thing, it'd be nice to see the documentation updated to
specify whether to use CIDR or dot notation (/24 vs. 255.255.255.0).
Using CIDR notation resulted in no apparent filtering. Using dot
notation caused nothing to land in the file.
Is anybody else using this successfully that can share a working
example? Am I missing something silly?
syslog-ng version 1.6.8, libol 0.3.16 on RHEL 3 U4
Thanks,
-Al Tobey
options {
sync (20);
time_reopen (10);
log_fifo_size (1000);
log_msg_size(8192);
long_hostnames (off);
use_dns (yes);
use_fqdn (no);
use_time_recvd (no);
create_dirs (no);
keep_hostname (yes);
dns_cache (yes);
dns_cache_expire (6000);
dns_cache_expire_failed (6000);
dns_cache_size (128);
};
source s_sys {
pipe ("/proc/kmsg" log_prefix("kernel: "));
unix-stream("/dev/log");
internal();
};
source s_net {
udp();
tcp();
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/syslog/syslog.log" perm(0644)); };
destination d_warn { file("/var/log/syslog/syslog.warn" perm(0644)); };
destination d_mail { file("/var/log/syslog/mail.log" perm(0644)); };
destination d_auth { file("/var/log/syslog/auth.log" perm(0644)); };
destination d_netteam { file("/var/log/network-devices.log" perm(0644)); };
destination d_local { file("/var/log/messages" perm(0644)); };
destination logsurfer {
program("/bin/su -s /bin/ksh syslogd -c '/usr/local/bin/logsurfer -c /usr/local/etc/logsurfer.conf -d /var/tmp/logsurfer.dump -'");
};
filter f_console { facility(kern); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_warn { level(warn..emerg) and not
( program("sshd") and
match("we do not read, but chan_read_failed for istate 8") )
and not
( program("sshd") and
match("Read from socket failed: Connection reset by peer") );
};
########################################
filter f_netteam {
netmask( "10.50.191.0/255.255.255.0" );
};
########################################
# console messages on localhost
log { source(s_sys); filter(f_console); destination(d_cons); };
# /var/log/messages
log {
source(s_sys);
destination(d_local);
};
# /var/log/syslog/syslog.log
log {
source(s_sys);
source(s_net);
destination(d_mesg);
};
# /var/log/network-devices.log
log {
source(s_net);
filter(f_netteam);
destination(d_netteam);
};
# /var/log/syslog/auth.log
log {
source(s_sys); source(s_net);
filter(f_auth);
destination(d_auth);
};
# /var/log/syslog/mail.log
log {
source(s_sys); source(s_net);
filter(f_mail);
destination(d_mail);
};
# /var/log/syslog/syslog.warn
log {
source(s_sys); source(s_net);
filter(f_warn);
destination(d_warn);
};
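Added example (not part of the original post or of syslog-ng itself): a small Python model of what a netmask() filter is supposed to do, to make the two notations in the question concrete. It assumes the filter is a predicate on the address the message was received from (the sender IP), not on the hostname in the message text, and it uses constructed sample messages. Both "10.50.191.0/24" and "10.50.191.0/255.255.255.0" describe the same network; the bitwise check shows why.

```python
import ipaddress

# Constructed sample input: (sender IP as seen by the UDP/TCP source, raw syslog line).
# The hostnames and text are made up for illustration.
SAMPLE_MESSAGES = [
    ("10.50.191.17",  "<189>Jul 13 21:58:01 rtr-core-1 12: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up"),
    ("10.50.191.254", "<190>Jul 13 21:58:05 sw-dist-2 %SYS-5-CONFIG_I: Configured from console by admin"),
    ("10.50.12.8",    "<38>Jul 13 21:59:00 app01 sshd[4121]: Accepted publickey for deploy from 10.50.12.9"),
    ("192.168.4.20",  "<13>Jul 13 22:00:10 lab-box cron[88]: (root) CMD (run-parts /etc/cron.hourly)"),
]


def mask_from_prefix(prefix_len):
    """Turn a CIDR prefix length into the equivalent 32-bit dotted mask as an int.
    /24 -> 0xFFFFFF00, which is 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_netmask(spec):
    """Accept either '10.50.191.0/24' or '10.50.191.0/255.255.255.0'.

    ipaddress.ip_network understands both suffix forms for IPv4;
    strict=False tolerates a spec with host bits set (e.g. '10.50.191.7/24')
    instead of raising, so a sloppy spec still yields the enclosing network.
    """
    return ipaddress.ip_network(spec, strict=False)


def same_subnet_bitwise(sender_ip, net_spec):
    """The underlying arithmetic: (sender & mask) == (network & mask).
    Computed by hand here so the equivalence of the two notations is visible."""
    net = parse_netmask(net_spec)
    mask = mask_from_prefix(net.prefixlen)
    assert mask == int(net.netmask)  # the dotted mask and the prefix agree
    return (int(ipaddress.ip_address(sender_ip)) & mask) == (int(net.network_address) & mask)


def netmask_filter(net_spec):
    """Build a predicate over sender IPs, the role a filter { netmask(...) } plays."""
    net = parse_netmask(net_spec)

    def matches(sender_ip):
        return ipaddress.ip_address(sender_ip) in net

    return matches


def route(messages, net_spec):
    """Split messages the way a log {} statement with the filter would:
    returns (matched, unmatched) lists of raw lines. A correct filter yields
    neither 'nothing' nor 'everything' for the sample set, only the two
    lines from 10.50.191.0/24."""
    matches = netmask_filter(net_spec)
    matched = [line for ip, line in messages if matches(ip)]
    unmatched = [line for ip, line in messages if not matches(ip)]
    return matched, unmatched


if __name__ == "__main__":
    for spec in ("10.50.191.0/24", "10.50.191.0/255.255.255.0"):
        hit, miss = route(SAMPLE_MESSAGES, spec)
        print(f"{spec}: {len(hit)} matched, {len(miss)} passed through")
        for line in hit:
            print("  ->", line)
```

Run it with `python3 netmask_model.py`; both specs select the same two lines. If a real deployment selects nothing or everything, the first thing to check is which address the filter is actually being compared against (the sender's, after any DNS or keep_hostname handling), rather than the mask notation.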