[syslog-ng] Re: file issues

Brian Loe knobdy at gmail.com
Wed Sep 27 15:19:14 CEST 2006


So they have to match all of the filters?

I want all of the messages from 4 or 5 devices to go to one log file.
I created a filter for each using the netmask filter. I then
listed each of those filter commands in the log statement...

It seems that if I add multiple netmask() statements to a single
filter it doesn't work. If I add multiple filter() statements (with a
single device each) to a log statement it doesn't work...

The following is what my final config was before I decided to blow it
away and attack the issue at a much smaller scale (two log files, one
filter, etc. - which is why I now believe the above):

options {
       chain_hostnames (no);
       use_dns (no);
       use_fqdn (no);
       create_dirs (yes);
       keep_hostname (yes);
       owner(syslog);
       group(syslog);
       perm(0660);
       dir_owner(syslog);
       dir_group(syslog);
       dir_perm(0660);
       time_reap(300);
};

source s_cron { unix-dgram("/dev/cron"); internal(); };
source s_snmp { unix-dgram("/dev/snmp"); internal(); };
source s_sys { unix-dgram("/dev/log"); internal(); };
source s_udp { udp(ip("0.0.0.0") port(514)); };
source s_udp_s { udp(ip("0.0.0.0") port(601)); };
source s_tcp { tcp(ip("0.0.0.0") port(601)); };
source s_tcp1 { tcp(ip("0.0.0.0") port(1026)); };
source s_tcp2 { tcp(ip("0.0.0.0") port(5140)); };

destination d_cons { file("/data/logs/console.log"); };
destination d_mesg { file("/data/logs/syslog.log"); };
destination d_mail { file("/data/logs/mail.log"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };

destination allmessages {
file("/data/logs/$YEAR$MONTH$DAY.allmessages.log"); };
destination netmessages {
file("/data/logs/$YEAR$MONTH$DAY.netmessages.log"); };
destination d_vpn { file("/data/logs/vpn/$YEAR$MONTH$DAY.vpn.log"); };
destination d_switch {
file("/data/logs/switch/$YEAR$MONTH$DAY.switch.log"); };
destination d_router {
file("/data/logs/router/$YEAR$MONTH$DAY.router.log"); };
destination d_pixen {
file("/data/logs/pixen/$YEAR$MONTH$DAY.pixen.log"); };
destination d_ids { file("/data/logs/ids/$YEAR$MONTH$DAY.ids.log"); };

destination vpn_pipe { pipe("/data/pipes/vpn_pipe"); };
# destination net_pipe { pipe("/data/pipes/net_pipe"); };
destination fire_pipe { pipe("/data/pipes/fire_pipe"); };

filter f_filter1   {
       facility(mail) and level(debug);
};

filter f_filter2   {
       (facility(mail) and level(debug)) or level(info);
};

filter f_filter3   {
       level(alert);
};

filter f_filter4   {
       level(emerg);
};

filter f_vpn {
       netmask(1.1.1.5/255.255.255.255) and
netmask(1.1.1.6/255.255.255.255) and netmask(1.1.1.2/255.255.255.255);
};

filter f_fire {
       netmask(1.1.1.2/255.255.255.255) and
       netmask(1.1.1.10/255.255.255.255) and
       netmask(1.1.1.10/255.255.255.255) and
       netmask(1.1.1.212/255.255.255.255);
};

log {
       source(s_sys);
       filter(f_filter1);
       destination(d_mail);
};

log {
       source(s_sys);
       filter(f_filter2);
       destination(d_mesg);
};

log {
       source(s_sys);
       filter(f_filter3);
       destination(d_cons); destination(d_mlrt);
};

log {
       source(s_sys);
       filter(f_filter4);
       destination(d_mlal);
};

log {
       source(s_udp); source (s_udp_s); source (s_tcp); source
(s_tcp1); source (s_tcp2);
       filter(f_vpn);
       destination(vpn_pipe);
};

log {
       source(s_udp); source (s_udp_s); source (s_tcp); source
(s_tcp1); source (s_tcp2);
       filter (f_fire);
       destination(fire_pipe);
};

log {
       source(s_udp); source (s_udp_s); source (s_tcp); source
(s_tcp1); source (s_tcp2);
       filter(f_vpn);
       destination(d_vpn);
};

log {
       source(s_udp); source (s_udp_s); source (s_tcp); source
(s_tcp1); source (s_tcp2);
       filter (f_fire);
       destination(d_pixen);
};

log {
       source(s_sys); source(s_cron); source(s_snmp);
       destination (allmessages);
};

log {
       source(s_udp); source (s_udp_s); source (s_tcp); source
(s_tcp1); source (s_tcp2);
       destination(netmessages);
};

On 9/27/06, Sandor Geller <wildy at balabit.hu> wrote:
>
> It is syntactically correct. However, nobody can answer your question
> properly (you are using the filter named f_fire which wasn't in your
> previous posts, so I have to assume that you have modified your
> configuration).
>
> Without knowing your current configuration I can only answer like this:
> if a message comes from any of your sources and matches all of the
> filters then it will be logged through the destinations.
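
The following is an added example, not part of either poster's message and not taken from the syslog-ng documentation: one way to route several devices to a single destination, given that filter() entries in a log statement are ANDed. It reuses the source, destination and address values from the posted config; the names f_vpn_a, f_vpn_b, f_vpn_c and f_vpn_any are hypothetical.

```conf
# Added example. netmask() is tested against the address of the one host
# that sent the message, so /32 masks joined with "and" can never all be
# true for the same message. Joined with "or", the filter matches a
# message from any of the listed devices.
filter f_vpn {
       netmask(1.1.1.5/255.255.255.255) or
       netmask(1.1.1.6/255.255.255.255) or
       netmask(1.1.1.2/255.255.255.255);
};

# Alternative layout: keep one filter per device and combine them by
# reference inside a single filter (hypothetical names).
filter f_vpn_a { netmask(1.1.1.5/255.255.255.255); };
filter f_vpn_b { netmask(1.1.1.6/255.255.255.255); };
filter f_vpn_c { netmask(1.1.1.2/255.255.255.255); };
filter f_vpn_any {
       filter(f_vpn_a) or filter(f_vpn_b) or filter(f_vpn_c);
};

# Several filter() entries in one log statement are combined with AND,
# so reference exactly one combined filter here. A single log statement
# can feed both the daily file and the pipe.
log {
       source(s_udp); source(s_udp_s); source(s_tcp);
       source(s_tcp1); source(s_tcp2);
       filter(f_vpn);
       destination(d_vpn);
       destination(vpn_pipe);
};
```

Listing filter(f_vpn_a); filter(f_vpn_b); filter(f_vpn_c); directly in the log statement would reproduce the original problem, because every one of them would have to match the same message.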

