[syslog-ng] syslog-ng and netfilter() problem

Kelly Pow kelly.pow at sjrb.ca
Tue Jul 26 19:03:23 CEST 2005 

Hi, .

I am trying to use syslog-ng to collect syslogs from routers, but I would
like the logs from the same network to be logged in one file 

IE:        all logs from 66.163.79.0/25 and 64.251.65.224/28 --> to be
stored in /ipbb

All logs from 204.209.214.0/23 --> to be stored in /ipbb_lab


How can I do this using syslog-ng?

How do I log IP addresses of the same network into the same file?

 

There is a filter in syslog-ng called netmask() --it checks the sender's IP
address to see whether it is in the specified IP subnet

Syntax: netmask(ip/mask) 

 

So I created a filter see below:

filter f_ipbb { netmask("66.163.79.0/25"); };

 

So my logic on this was 

If the syslog is from an IP address in this network/subnet then it should
get logged to where I specified it to....

 

Unfortunately:

As seen below I got syslogs from the following IP addresses:

root at K3 store # ls

64.251.65.229    66.163.79.2  66.163.79.37  66.163.79.42  

 

But the file only logged one syslog : 

root at K3 test # cat syslogs/2005-07-25

Jul 25 13:37:52 66.163.79.2/66.163.79.2 34118: Jul 25 13:38:15.053 MDT:
%BGP-4-MAXPFX: No. of prefix received from 206.223.116.11 (afi 0) reaches
5893, max 7000

 

Do you have any idea why?

 

As seen below, I have tried:

filter f_test { netmask("66.163.79.0/255.255.255.128"); }; <-- gives no
results

filter f_ipbb { netmask("66.163.79.0/25"); };<-- only give syslogs from
66.163.79.2 

 

Any thing that I might be doing wrong that I can't see?

Is there a bug with syslog-ng?

 

Thank you very much

Kelly :-) 

 

Below is my syslog-ng.conf file:

Syslog-ng/conf file:

********************************************************************

options {

        long_hostnames(yes);

        keep_hostname(yes);

        use_fqdn(on);

        create_dirs(yes);

        owner(nmadmin);

        group(users);

        perm(0755);

        dir_owner(nmadmin);

        dir_group(users);

        dir_perm(0755);

        sync(0);

 

        # The default action of syslog-ng 1.6.0 is to log a STATS line

        # to the file every 10 minutes.  That's pretty ugly after a while.

        # Change it to every 12 hours so you get a nice daily update of

        # how many messages syslog-ng missed (0).

        stats(43200);

};

 

 

source src{unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

filter f_messages { not level(warn); };

log { source(src);  filter(f_messages); destination(messages); };

 

#filter for ipbb

filter f_ipbb { netmask("66.163.79.0/25"); };

filter f_ipbb2 { netmask("64.251.65.224/28"); };

 

#test configuration for loggin cisco devices

source net { udp(); };

 

destination ipbb_lab_syslogs {
file("/store/ipbb_lab/syslogs/$YEAR-$MONTH-$DAY"); };

destination ipbb_syslogs { file("/store/test/syslogs/$YEAR-$MONTH-$DAY"); };

 

destination all { file("/store/$HOST"); };

 

log { source(net); destination(all); };

log { source(net); filter(f_ipbb); destination(ipbb_syslogs); };  <-- only
collects syslogs from 66.163.79.2

 

log { source(net); destination(ipbb_lab_syslogs); };

 

 

#testing for stripping

filter f_test { netmask("66.163.79.0/255.255.255.128"); };

destination d_test { file("/store/test1"); };  

log { source(src);filter(f_test); destination(d_test); }; <--Gives no
results

 

#for SNMPTRAP

 

destination ipbb_lab_traps {
file("/store/ipbb_lab/traps/$YEAR-$MONTH-$DAY"); };

destination ipbb_traps { file("/store/ipbb/traps/$YEAR-$MONTH-$DAY"); };

 

#filter snmptrap 

filter f_snmptrap { level(warn); };

 

log { source(src); filter (f_snmptrap); destination(ipbb_lab_traps); };  <--
In test Mode- Traps also needs to be filtered to be stored in their network
file

log { source(src); filter (f_snmptrap); filter(f_ipbb); filter(f_ipbb2);
destination(ipbb_traps); };

****************************************************************************
****************************************************************************
********************************

 

 

 

Kelly Pow

IP Backbone Networks Intern

Shaw CableSystems G.P

Tel: 1.403.303.6387

kelly.pow at sjrb.ca <mailto:kelly.pow at sjrb.ca> 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20050726/077e9fbd/attachment-0001.html

More information about the syslog-ng mailing list