[syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended

wiskbroom at hotmail.com wiskbroom at hotmail.com
Thu May 8 16:12:45 CEST 2008 



Greetings;



My setup works well with one exception, my filtering rules contained in my
syslog-ng.conf do not appear to work properly.  My logs are not lost,
instead they end up in a directory which I did not intend them to be in. 

Background: I log to a MySql DB, flatfiles and finally, to SEC, which parses stuff and takes various actions (almost working ;-)

For ease of reading, I will simply add the contents of my config file which
pertains to just one filter.Many thanks in advance for taking the time to read and help me.

.vp



############

# OPTIONS  #

############



options

  {

    chain_hostnames(no);

    create_dirs (yes);

    dir_perm(0755);

    use_dns (yes);

    dns_cache(yes);

    dns_cache_size(1000);

    dns_cache_expire(604800);

    keep_hostname(yes);

    log_fifo_size(10000);

    log_msg_size(8192);

    long_hostnames(on);

    perm(0644);

    stats(3600);

    sync(0);

    time_reopen (10);

    use_dns(yes);

    use_fqdn(yes);

  };



############

# SOURCES       #

############



source S_dgram

  { unix-dgram("/dev/log"); };



source S_internal

  { internal(); };



source S_kernel

  { file("/proc/kmsg" log_prefix("kernel: ")); };



source S_tcp

  { tcp(port(4800) keep-alive(yes) max_connections(100)); };



source S_udp { udp(ip("0.0.0.0") port(514)); };



###############

# DEST SQL DB         #

###############



destination D_db_mysql {

        pipe("/var/log/mysql.pipe"

               
template("INSERT INTO logs

               
(host, facility, priority, level, tag, datetime, program, msg)

               
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY
$HOUR:$MIN:$SEC',

               
'$PROGRAM', '$MSG' );\n") template-escape(yes));

};



##############

# DESTINATIONS     #

##############



destination D_authlog       {
file("/var/log/auth.log"); };

destination D_bootlog       {
file("/var/log/boot.log"); };

destination D_debug         {
file("/var/log/debug"); };

destination D_explan        {
file("/var/log/explanations"); };

destination D_messages   {
file("/var/log/messages"); };

destination D_secure        {
file("/var/log/secure"); };

destination D_spooler       {
file("/var/log/spooler"); };

destination D_syslog        {
file("/var/log/syslog"); };

destination D_user          
{ file("/var/log/user.log"); };



destination D_switch       { file("/var/log/MyHosts/Switches/$FULLHOST.log"

                            
perm(0644)); };

destination D_edge         {
file("/var/log/MyHosts/EdgeDevices/$FULLHOST.log"

                            
perm(0644)); };

destination D_firewall     { file("/var/log/MyHosts/Firewalls/$FULLHOST.log"

               
owner(root) group(root) perm(0644) dir_perm(0700) create_dirs(yes)); };

destination D_router       { file("/var/log/MyHosts/Routers/$FULLHOST.log"

                            
perm(0644)); };

destination D_accesspoints { file("/var/log/MyHosts/AccessPoints/$FULLHOST.log"

                            
perm(0644)); };

destination D_mailservers  { file("/var/log/MyHosts/MailServers/$FULLHOST.log"

                            
perm(0644)); };



###########

# FILTERS        #

###########



filter     
F_auth         { facility(auth,
authpriv); };

filter      F_authpriv     {
facility(authpriv); };

filter     
F_cron         { facility(cron); };

filter     
F_daemon       { facility(daemon); };

filter     
F_kern         { facility(kern); };

filter     
F_local1       { facility(local1); };

filter     
F_local2       { facility(local2); };

filter     
F_local3       { facility(local3); };

filter     
F_local4       { facility(local4); };

filter     
F_local5       { facility(local5); };

filter     
F_local6       { facility(local6); };

filter     
F_local7       { facility(local7); };

filter     
F_lpr          { facility(lpr); };

filter     
F_mail         { facility(mail); };

filter      F_messages     {
facility(daemon, kern, user); };

filter     
F_news         { facility(news); };

filter      F_spooler      {
facility(uucp,news) and level(crit); };

filter     
F_syslog       { not facility(auth, authpriv) and
not facility(mail); };

filter     
F_user         { facility(user); };



filter     
F_crit         { level(crit); };

filter     
F_debug        { level(debug); };

filter      F_emergency    {
level(emerg); };

filter     
F_err          { level(err); };

filter     
F_info         { level(info); };

filter     
F_notice       { level(notice); };

filter     
F_warn         { level(warn); };



filter F_edge         {
host("edge*") or host("122.21.*"); };

filter F_router       { host("gw*") or
host("rtr") or host("mmsc"); };

filter F_switch       { host("sw*") or
host("sw1") or host("sw2"); };

filter F_firewall     { host("^fw*") or
host("^mlm*-*") or host("^cm*"); };

filter F_dc           {
host("^mydc*") or host("^dc*"); };

filter F_accesspoints { host("^melanie*"); };

filter F_mailservers  { host("^mail*") or host("^smtpgw*");
};

filter F_proxies      { host("^proxygw*");
};

filter F_InternetIP   { host("161.17.10.*"); };



##############

#   
LOGS               
#

##############



log { source(S_udp); destination(D_db_mysql); };



# Send ALL logs to SEC



# log { source(S_dgram); source(S_internal); source(S_tcp); filter(F_auth);
destination(D_sec); };



# log { source(S_udp); source(S_tcp); destination(D_sec); };



log { source(S_udp); destination(D_sec); };



###



log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_auth);      destination(D_authlog);
flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_local7);    destination(D_bootlog); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_local1);    destination(D_explan); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_local5);    destination(D_router); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_messages);  destination(D_messages); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_authpriv);  destination(D_secure); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_spooler);   destination(D_spooler); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_kernel);

      source(S_tcp);     
filter(F_syslog);    destination(D_syslog); flags(final); };

log { source(S_dgram);

      source(S_internal);

      source(S_tcp);     
filter(F_user);      destination(D_user);
flags(final); };



log { source(S_dgram);

      source(S_internal);

      source(S_kernel);

     
source(S_tcp);                          
destination(D_hosts); flags(final); };



log { source(S_udp); filter(F_switch); destination(D_switch); flags(final); };

log { source(S_udp); filter(F_firewall); destination(D_firewall); flags(final);
};

log { source(S_udp); filter(F_router); destination(D_router); flags(final); };

log { source(S_udp); filter(F_edge); destination(D_edge); flags(final); };

log { source(S_udp); filter(F_dc); destination(D_dc); flags(final); };

log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints);
flags(final); };

log { source(S_udp); filter(F_proxies); destination(D_proxies); flags(final);
};

log { source(S_udp); filter(F_mailservers); destination(D_mailservers);
flags(final); };



log { source(S_udp); destination(D_udp);};







-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20080508/38f86d0c/attachment.htm

More information about the syslog-ng mailing list