[syslog-ng] how rewrite the HOST macro?

Jim Hendrick jrhendri at maine.rr.com
Sun Aug 12 23:24:00 CEST 2007


Excuse me if you've already thought of this, but I assume your servers have
multiple NICs on separate networks. Why would the same server forward its
syslog messages to your central log server using different NICs? Wouldn't
normal routing force it to connect using one NIC all the time?

i.e. is this really a problem? Have you seen the same server use different
NICs to talk to your log server?

If you really are seeing this (and can't fix it at the source) I suppose you
could use a filter to look at the messages and define different destinations
for each server, using a regexp on the host to determine which to put where.

#  filter          Call another filter rule and 
#                  evaluate its value
#  host            host(regexp)                    Match messages by 
#                                                  using a regular 
#                                                  expression against 
#                                                  the hostname field 
#                                                  of log messages.

So if you had server names as you describe (e.g. server0xx, server1xx ...
servernxx), you could define destinations and filters for each server like
this (pardon if the syntax is a bit off, I haven't tested this):

# One filter per server. host() takes a regular expression that is matched
# against the $HOST field, so "server0" also matches server0e0 and server0e1
# (and anything else containing that string).
filter f_server0 { host("server0"); };
filter f_server1 { host("server1"); };
filter f_servern { host("servern"); };

# One destination per server. Macros are written as ${NAME} so that the
# underscores between them are literal characters, not part of the macro name.
destination d_server0 {
    file("/var/log/HOSTS/server0/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
         owner(root) group(root) perm(0600)
         dir_perm(0700) create_dirs(yes));
};

destination d_server1 {
    file("/var/log/HOSTS/server1/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
         owner(root) group(root) perm(0600)
         dir_perm(0700) create_dirs(yes));
};

destination d_servern {
    file("/var/log/HOSTS/servern/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
         owner(root) group(root) perm(0600)
         dir_perm(0700) create_dirs(yes));
};

# One log path per server, all reading from the same remote source.
log { source(s_remote);
      filter(f_server0);
      destination(d_server0);
    };

log { source(s_remote);
      filter(f_server1);
      destination(d_server1);
    };

log { source(s_remote);
      filter(f_servern);
      destination(d_servern);
    };


Hope this helps.

Jim Hendrick
jrhendri at maine.rr.com
GCFW, GCIA, GCIH, GCWN, GCUX

> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu 
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of mobidyc
> Sent: Sunday, August 12, 2007 7:48 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] how rewrite the HOST macro?
> 
> 
> K K wrote:
> >
> > Why not just make sure that all of the servers have good reverse DNS
> > entries for the IP from which they would source syslog packets, and
> > let "keep_hostname(no); use_dns(yes);" populate $HOST with the DNS
> > lookup results?
> >
> because it's impossible to change the way the reverse
> DNS is done.
> 
> the names server0e0 and server0e1 are here because
> there are multiple networks for the same machine; I can't
> ask the network team to change the way they do it for
> a piece of software I want to use.
> 
> I think I need to find another way to dispatch the messages
> to the right destinations, maybe dynamically create
> symlinks before the message passes through the log statement,
> but I must be careful with the CPU consumption in this case.
> 
> Regards
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu 
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> 
> Frequently asked questions at 
> http://www.campin.net/syslog-ng/faq.html
> 
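The per-server filter/destination/log pattern Jim sketches above is repetitive once there are many servers, and the host() regexp is an unanchored substring match, so "server1" would also catch a host named server10e0 and send its messages to two destinations. The following is an added example, not code from the thread or from the syslog-ng project: it generates the three blocks for a list of servers and simulates which destinations a given $HOST lands in, with and without anchoring. The "serverNeM" naming (host N, NIC M) and the source name s_remote are taken from the thread; the sample server list is constructed.

```python
import re
from typing import Iterable, List

# Constructed sample data; the "serverNeM" naming is an assumption taken
# from the thread, not from any real environment.
SAMPLE_SERVERS = ["server0", "server1", "server10"]
SAMPLE_HOSTS = ["server0e0", "server0e1", "server1e0", "server10e0"]


def host_pattern(server: str, anchored: bool = True) -> str:
    """Regex for the host() filter of one server.

    syslog-ng's host() is an unanchored regex match, so a bare "server1" also
    matches "server10e0". The anchored form accepts the bare name and the
    per-NIC variants (server1, server1e0, server1e1, ...) and nothing else.
    """
    if not anchored:
        return re.escape(server)
    return rf"^{re.escape(server)}(e[0-9]+)?$"


def log_path(server: str) -> str:
    """Destination file template. Macros are brace-delimited so that the
    underscores between them are literal text rather than part of the name."""
    return (f"/var/log/HOSTS/{server}/$YEAR/$MONTH/$DAY/"
            + "${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}")


def render_server(server: str, source: str = "s_remote",
                  anchored: bool = True) -> str:
    """filter + destination + log statement for one server."""
    return "\n".join([
        f'filter f_{server} {{ host("{host_pattern(server, anchored)}"); }};',
        f"destination d_{server} {{",
        f'    file("{log_path(server)}"',
        "         owner(root) group(root) perm(0600)",
        "         dir_perm(0700) create_dirs(yes));",
        "};",
        f"log {{ source({source}); filter(f_{server}); destination(d_{server}); }};",
        "",
    ])


def render_config(servers: Iterable[str], source: str = "s_remote",
                  anchored: bool = True) -> str:
    """Concatenate the per-server blocks into one config fragment."""
    return "\n".join(render_server(s, source, anchored) for s in servers)


def dispatch(host: str, servers: Iterable[str],
             anchored: bool = True) -> List[str]:
    """Destinations a message with this $HOST would be written to.

    Every log {} statement is evaluated independently, so a host that matches
    more than one filter is written to every matching destination; there is
    no first-match short circuit.
    """
    return [f"d_{s}" for s in servers
            if re.search(host_pattern(s, anchored), host)]


if __name__ == "__main__":
    print(render_config(SAMPLE_SERVERS))
    for h in SAMPLE_HOSTS:
        print(h, "unanchored ->", dispatch(h, SAMPLE_SERVERS, anchored=False),
              "anchored ->", dispatch(h, SAMPLE_SERVERS))
```

Running it prints the generated configuration followed by one line per sample host; server10e0 goes to both d_server1 and d_server10 with the unanchored pattern but only to d_server10 once the pattern is anchored, which is the overlap to check for before adopting the per-server filter approach.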
