[syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended

Fegan, Joe Joe.Fegan at hp.com
Thu May 8 18:08:03 CEST 2008


Your config seems a bit odd and maybe overly complex. Here's how I read it, please let us know if this is how you intend it to work.

Your sources:

S_dgram = only messages from local processes that call syslog()
S_internal = only internal messages from syslog-ng on this node
S_kernel = only messages from the kernel on this node
S_tcp = only TCP messages from other nodes
S_udp = only UDP messages from other nodes

Your log paths tell syslog-ng to behave as:

log { source(S_udp); destination(D_db_mysql); };

All UDP messages from other nodes should be sent to mysql.

log { source(S_udp); destination(D_sec); };

All UDP messages from other nodes should be sent to D_sec.

log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_auth);      destination(D_authlog); flags(final); };

All messages matching F_auth and coming either from local syslog(), local syslog-ng internal or via TCP from other nodes (but not via UDP) should be sent to D_authlog. If you send a message down this path then don't bother evaluating any other paths.

log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_local7);    destination(D_bootlog); flags(final); };

All messages matching F_local7 and coming either from local syslog(), local syslog-ng internal or via TCP from other nodes (but not via UDP) should be sent to D_bootlog. If you send a message down this path then don't bother evaluating any other paths.

Then there's a bunch of other log paths in the same vein.



________________________________
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of wiskbroom at hotmail.com
Sent: 08 May 2008 15:13
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended

Greetings;

My setup works well with one exception: my filtering rules contained in my syslog-ng.conf do not appear to work properly. My logs are not lost; instead, they end up in a directory which I did not intend them to be in.

Background: I log to a MySQL DB, flatfiles and finally to SEC, which parses stuff and takes various actions (almost working ;-)

For ease of reading, I will simply add the contents of my config file which pertains to just one filter.
Many thanks in advance for taking the time to read and help me.

.vp

############
# OPTIONS  #
############

options
  {
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    use_dns (yes);
    dns_cache(yes);
    dns_cache_size(1000);
    dns_cache_expire(604800);
    keep_hostname(yes);
    log_fifo_size(10000);
    log_msg_size(8192);
    long_hostnames(on);
    perm(0644);
    stats(3600);
    sync(0);
    time_reopen (10);
    use_dns(yes);
    use_fqdn(yes);
  };

############
# SOURCES  #
############

source S_dgram
  { unix-dgram("/dev/log"); };

source S_internal
  { internal(); };

source S_kernel
  { file("/proc/kmsg" log_prefix("kernel: ")); };

source S_tcp
  { tcp(port(4800) keep-alive(yes) max_connections(100)); };

source S_udp { udp(ip("0.0.0.0") port(514)); };

###############
# DEST SQL DB #
###############

destination D_db_mysql {
        pipe("/var/log/mysql.pipe"
                template("INSERT INTO logs
                (host, facility, priority, level, tag, datetime, program, msg)
                VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
                '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

################
# DESTINATIONS #
################

destination D_authlog       { file("/var/log/auth.log"); };
destination D_bootlog       { file("/var/log/boot.log"); };
destination D_debug         { file("/var/log/debug"); };
destination D_explan        { file("/var/log/explanations"); };
destination D_messages   { file("/var/log/messages"); };
destination D_secure        { file("/var/log/secure"); };
destination D_spooler       { file("/var/log/spooler"); };
destination D_syslog        { file("/var/log/syslog"); };
destination D_user           { file("/var/log/user.log"); };

destination D_switch       { file("/var/log/MyHosts/Switches/$FULLHOST.log"
                             perm(0644)); };
destination D_edge         { file("/var/log/MyHosts/EdgeDevices/$FULLHOST.log"
                             perm(0644)); };
destination D_firewall     { file("/var/log/MyHosts/Firewalls/$FULLHOST.log"
                owner(root) group(root) perm(0644) dir_perm(0700) create_dirs(yes)); };
destination D_router       { file("/var/log/MyHosts/Routers/$FULLHOST.log"
                             perm(0644)); };
destination D_accesspoints { file("/var/log/MyHosts/AccessPoints/$FULLHOST.log"
                             perm(0644)); };
destination D_mailservers  { file("/var/log/MyHosts/MailServers/$FULLHOST.log"
                             perm(0644)); };

###########
# FILTERS #
###########

filter      F_auth         { facility(auth, authpriv); };
filter      F_authpriv     { facility(authpriv); };
filter      F_cron         { facility(cron); };
filter      F_daemon       { facility(daemon); };
filter      F_kern         { facility(kern); };
filter      F_local1       { facility(local1); };
filter      F_local2       { facility(local2); };
filter      F_local3       { facility(local3); };
filter      F_local4       { facility(local4); };
filter      F_local5       { facility(local5); };
filter      F_local6       { facility(local6); };
filter      F_local7       { facility(local7); };
filter      F_lpr          { facility(lpr); };
filter      F_mail         { facility(mail); };
filter      F_messages     { facility(daemon, kern, user); };
filter      F_news         { facility(news); };
filter      F_spooler      { facility(uucp,news) and level(crit); };
filter      F_syslog       { not facility(auth, authpriv) and not facility(mail); };
filter      F_user         { facility(user); };

filter      F_crit         { level(crit); };
filter      F_debug        { level(debug); };
filter      F_emergency    { level(emerg); };
filter      F_err          { level(err); };
filter      F_info         { level(info); };
filter      F_notice       { level(notice); };
filter      F_warn         { level(warn); };

filter F_edge         { host("edge*") or host("122.21.*"); };
filter F_router       { host("gw*") or host("rtr") or host("mmsc"); };
filter F_switch       { host("sw*") or host("sw1") or host("sw2"); };
filter F_firewall     { host("^fw*") or host("^mlm*-*") or host("^cm*"); };
filter F_dc           { host("^mydc*") or host("^dc*"); };
filter F_accesspoints { host("^melanie*"); };
filter F_mailservers  { host("^mail*") or host("^smtpgw*"); };
filter F_proxies      { host("^proxygw*"); };
filter F_InternetIP   { host("161.17.10.*"); };

########
# LOGS #
########

log { source(S_udp); destination(D_db_mysql); };

# Send ALL logs to SEC

# log { source(S_dgram); source(S_internal); source(S_tcp); filter(F_auth); destination(D_sec); };

# log { source(S_udp); source(S_tcp); destination(D_sec); };

log { source(S_udp); destination(D_sec); };

###

log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_auth);      destination(D_authlog); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_local7);    destination(D_bootlog); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_local1);    destination(D_explan); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_local5);    destination(D_router); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_messages);  destination(D_messages); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_authpriv);  destination(D_secure); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_spooler);   destination(D_spooler); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_kernel);
      source(S_tcp);      filter(F_syslog);    destination(D_syslog); flags(final); };
log { source(S_dgram);
      source(S_internal);
      source(S_tcp);      filter(F_user);      destination(D_user); flags(final); };

log { source(S_dgram);
      source(S_internal);
      source(S_kernel);
      source(S_tcp);                           destination(D_hosts); flags(final); };

log { source(S_udp); filter(F_switch); destination(D_switch); flags(final); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); flags(final); };
log { source(S_udp); filter(F_router); destination(D_router); flags(final); };
log { source(S_udp); filter(F_edge); destination(D_edge); flags(final); };
log { source(S_udp); filter(F_dc); destination(D_dc); flags(final); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); flags(final); };
log { source(S_udp); filter(F_proxies); destination(D_proxies); flags(final); };
log { source(S_udp); filter(F_mailservers); destination(D_mailservers); flags(final); };

log { source(S_udp); destination(D_udp);};
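An added example, not from the thread and not syslog-ng code: a small Python model of how syslog-ng walks the log statements above, in file order, with flags(final) ending evaluation at the first matching path, as the reply describes. It runs the posted UDP host filters over a few constructed messages (the hostnames edge1, mailsrv and fw01 are invented). It assumes host() patterns are evaluated as unanchored POSIX regular expressions, which is how syslog-ng 2.x treats them; on that reading "sw*" matches any hostname containing an "s" and "gw*" any hostname containing a "g", so a message can be claimed by the first final path rather than the one intended. The ANCHORED set is the editor's suggested rewrite of the same filters, not something proposed in the thread.

```python
"""Model of syslog-ng log-path evaluation for the config quoted above.
Constructed illustration, not syslog-ng code. host() is modelled as an
unanchored regex search (assumed syslog-ng 2.x behaviour, see lead-in)."""
import re
from dataclasses import dataclass


@dataclass
class Msg:
    source: str          # the source statement that delivered it, e.g. "S_udp"
    host: str
    facility: str


def facility(*names):
    return lambda m: m.facility in names


def host(pattern):
    rx = re.compile(pattern)
    return lambda m: rx.search(m.host) is not None


def any_of(*fs):         # the "or" between host() terms in the posted filters
    return lambda m: any(f(m) for f in fs)


@dataclass
class LogPath:
    sources: tuple
    destination: str
    flt: object = None   # None: no filter(), every message from the sources matches
    final: bool = False


def route(paths, msg):
    """Return the destinations a message reaches, in evaluation order."""
    hit = []
    for p in paths:
        if msg.source not in p.sources:
            continue
        if p.flt is not None and not p.flt(msg):
            continue
        hit.append(p.destination)
        if p.final:          # flags(final): stop evaluating further log statements
            break
    return hit


# The host filters exactly as written in the posted config.
POSTED = {
    "switch":       any_of(host("sw*"), host("sw1"), host("sw2")),
    "firewall":     any_of(host("^fw*"), host("^mlm*-*"), host("^cm*")),
    "router":       any_of(host("gw*"), host("rtr"), host("mmsc")),
    "edge":         any_of(host("edge*"), host("122.21.*")),
    "dc":           any_of(host("^mydc*"), host("^dc*")),
    "accesspoints": host("^melanie*"),
    "proxies":      host("^proxygw*"),
    "mailservers":  any_of(host("^mail*"), host("^smtpgw*")),
}

# The same intent as anchored regexes (editor's suggestion, not from the thread).
# As a regex, "sw*" is "an s followed by zero or more w" anywhere in the name,
# so it matches every host containing an "s"; "gw*" every host containing a "g".
ANCHORED = {
    "switch":       host(r"^sw"),
    "firewall":     any_of(host(r"^fw"), host(r"^mlm.*-"), host(r"^cm")),
    "router":       any_of(host(r"^gw"), host(r"^rtr$"), host(r"^mmsc$")),
    "edge":         any_of(host(r"^edge"), host(r"^122\.21\.")),
    "dc":           any_of(host(r"^mydc"), host(r"^dc")),
    "accesspoints": host(r"^melanie"),
    "proxies":      host(r"^proxygw"),
    "mailservers":  any_of(host(r"^mail"), host(r"^smtpgw")),
}


def log_paths(F):
    """The posted log statements relevant here, in the order they appear."""
    udp, local = ("S_udp",), ("S_dgram", "S_internal", "S_tcp")
    return [
        LogPath(udp, "D_db_mysql"),
        LogPath(udp, "D_sec"),
        LogPath(local, "D_authlog", facility("auth", "authpriv"), final=True),
        LogPath(udp, "D_switch", F["switch"], final=True),
        LogPath(udp, "D_firewall", F["firewall"], final=True),
        LogPath(udp, "D_router", F["router"], final=True),
        LogPath(udp, "D_edge", F["edge"], final=True),
        LogPath(udp, "D_dc", F["dc"], final=True),
        LogPath(udp, "D_accesspoints", F["accesspoints"], final=True),
        LogPath(udp, "D_proxies", F["proxies"], final=True),
        LogPath(udp, "D_mailservers", F["mailservers"], final=True),
        LogPath(udp, "D_udp"),
    ]


# Constructed messages; the hostnames are invented for the demonstration.
SAMPLES = [
    Msg("S_udp", "edge1", "local0"),
    Msg("S_udp", "mailsrv", "mail"),
    Msg("S_udp", "fw01", "auth"),
    Msg("S_tcp", "fw01", "auth"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.source:9}{m.host:9}posted: {route(log_paths(POSTED), m)}"
              f"  anchored: {route(log_paths(ANCHORED), m)}")
```

Running it prints, for each sample, the destinations reached under the posted filters and under the anchored ones: a UDP message from edge1 goes to D_db_mysql and D_sec (no final flag on those paths) and then lands in D_router with the posted patterns but in D_edge with the anchored ones, mailsrv lands in D_switch rather than D_mailservers, and an auth message arriving over TCP reaches only D_authlog because the final flag stops evaluation there and the UDP-only paths never see it. The model is only as good as its assumption about pattern semantics; confirm what your own syslog-ng version does by sending a test message from a known host, and check whether your version's host() accepts a type() option to select literal-string or glob matching instead of a regex.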


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20080508/e95dd25a/attachment-0001.htm 

