[syslog-ng] Newbie Looking for Help
Brian Candler
B.Candler at pobox.com
Sat May 13 12:55:42 CEST 2006
On Fri, May 12, 2006 at 07:04:26PM -0400, Mark R. White wrote:
> Thanks for all the help I've received so far. Although, I'm still not able
> to do what I need to do. Right now, I just want to log one specific device
> to a specific log file. One email I received said I should use the netmask
> filter option, although for some reason, my system doesn't like that option.
What version? I know that netmask() existed in 1.6.9, and current is 1.6.11.
Perhaps you should start with a very tiny config file, like this:
------------------------------------------------------------------
source s_sys {
udp( ip( 0.0.0.0 ) );
tcp( ip( 0.0.0.0 ) );
};
destination d_pix {
file( "/var/log/pix.log" );
};
filter f_pix {
netmask( "10.10.10.4" );
};
log {
source(s_sys);
filter(f_pix);
destination(d_pix);
};
------------------------------------------------------------------
If that still doesn't log anything, then run tcpdump on this host to prove
that syslog packets *are* actually arriving, and the source address really
is 10.10.10.4 (e.g. the PIX might be sending them with a loopback address as
its source). Try:
tcpdump -i eth0 -n -s1500 -v udp port 514
Note: if your machine has multiple IP addresses, then you can bind syslog-ng
to a single one by changing 0.0.0.0 in the config above to that address.
That allows you to run a traditional syslogd and syslog-ng simultaneously on
the same machine, listening on different IP interfaces.
HTH,
Brian.
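An added example, not part of Brian's post or of syslog-ng itself: a small Python UDP receiver that does what the config above does (bind to one address, accept only datagrams whose source is inside a netmask, append them to a file), so the filter logic can be exercised with `logger` or a test sender before involving the PIX. PIX_NET, LOG_PATH and the output line format are assumptions.

```python
"""Added example: a minimal syslog-over-UDP receiver that mirrors
source s_sys / filter f_pix / destination d_pix from the config above."""
import ipaddress
import re
import socket
from datetime import datetime

# Assumed values: the PIX address as a /32 network, and a scratch log path.
PIX_NET = "10.10.10.4/32"
LOG_PATH = "/tmp/pix.log"

# RFC 3164 framing: optional "<PRI>" prefix, then the free-form message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def matches_netmask(src_ip, cidr):
    """Equivalent of syslog-ng's netmask() filter: is the datagram's
    source address inside the given network?"""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr, strict=False)


def parse_pri(payload):
    """Split '<PRI>msg' into (facility, severity, msg). A missing or
    out-of-range PRI is treated as user.notice (13), as syslogd does."""
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri, msg = int(m.group(1)), m.group(2)
    else:
        pri, msg = 13, payload
    return pri // 8, pri % 8, msg


def route(src_ip, payload, cidr=PIX_NET, stamp=None):
    """Return the line to append to the file, or None when the netmask
    filter rejects the packet (the log {} statement would drop it)."""
    if not matches_netmask(src_ip, cidr):
        return None
    facility, severity, msg = parse_pri(payload)
    stamp = stamp or datetime.now().strftime("%b %d %H:%M:%S")
    return f"{stamp} {src_ip} [{facility}.{severity}] {msg.rstrip()}\n"


def serve(bind_ip="0.0.0.0", port=514, cidr=PIX_NET, path=LOG_PATH):
    """Listen like udp( ip( bind_ip ) ) and append every accepted line."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))  # a specific bind_ip leaves other addresses free
    with open(path, "a") as log:
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            line = route(src_ip, data.decode("utf-8", "replace"))
            if line:
                log.write(line)
                log.flush()


if __name__ == "__main__":
    serve()
```

Port 514 needs root; pass a high port to serve() for testing and send with a UDP client bound to the address you expect the PIX to use.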