[syslog-ng] Ip filtering

Chris Bland chris at fdu.edu
Thu Feb 12 21:33:03 CET 2009


Hi guys,

I am having a problem filtering based on IP address.  My predecessor had 
a config file with over 240 hosts.  I just upgraded to 2.0.10-1 and 
started getting YACC stack overflow errors.  I condensed the config 
file by using regex.  If I stop using DNS everything works fine.
What I am trying to do is filter based on IP address and have each log 
stored in a directory with the server's DNS name.
My config looks like this:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    keep_hostname (yes);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
};

destination servers {
    file("/var/log/syslog-ng/hosts/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
         owner(root) group(staff) perm(0650)
         dir_perm(0750) create_dirs(yes));
};

destination teaneck {
    file("/var/log/syslog-ng/network/TEANECK/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
         owner(root) group(staff) perm(0650)
         dir_perm(0750) create_dirs(yes));
};

destination dslswitches {
    file("/var/log/syslog-ng/network/TEANECK/Dslswitches/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
         owner(root) group(staff) perm(0650)
         dir_perm(0750) create_dirs(yes));
};

filter f_teaneck     { netmask("132.238.11.0/24"); };
filter f_usas        { host("132.238.(7|8).*$"); };
filter f_dslswitches { host("132.238.21.40"); };

log { source(s_network); filter(f_usas);        destination(servers); };
log { source(s_network); filter(f_teaneck);     destination(teaneck); };
log { source(s_network); filter(f_dslswitches); destination(dslswitches); };


The netmask filters work but my host filters don't.

-Chris
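The mismatch in the config above is between what the two filter types compare against: host() matches the hostname string that ends up in the $HOST macro, which with use_dns(yes) is a resolved DNS name rather than an address, while netmask() matches the sender's IP address regardless of DNS. The script below is an added example, not part of the original post or of syslog-ng: a small lint that scans a syslog-ng config for host() filters whose pattern is written like an IP address while use_dns(yes) is set, and suggests a netmask() equivalent where the pattern is a plain dotted quad. The sample config embedded in it is a trimmed, constructed copy of the one in the post; the regexes only cover the simple one-line filter syntax used there.

```python
import re

# Constructed sample input: a trimmed copy of the config from the post.
SAMPLE_CONFIG = """
options {
    keep_hostname (yes);
    use_dns (yes);
    use_fqdn (no);
};

filter f_teaneck     { netmask("132.238.11.0/24"); };
filter f_usas        { host("132.238.(7|8).*$"); };
filter f_dslswitches { host("132.238.21.40"); };
"""

OPTION_RE = re.compile(r'use_dns\s*\(\s*(yes|no)\s*\)', re.IGNORECASE)
# One-line filters of the form: filter NAME { host("PATTERN"); };
HOST_FILTER_RE = re.compile(r'filter\s+(\w+)\s*\{\s*host\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
# A pattern that begins with two dotted numeric octets was written to match an IP.
IP_LIKE_RE = re.compile(r'^\d{1,3}\.\d{1,3}\.')
DOTTED_QUAD_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')


def uses_dns(config: str) -> bool:
    """True when the options block sets use_dns(yes)."""
    m = OPTION_RE.search(config)
    return bool(m) and m.group(1).lower() == "yes"


def ip_host_filters(config: str):
    """Return (filter name, pattern) for every host() filter whose pattern looks like an IP."""
    return [(name, pat) for name, pat in HOST_FILTER_RE.findall(config)
            if IP_LIKE_RE.match(pat)]


def suggest_netmask(pattern: str):
    """A plain dotted quad can be rewritten as a /32 netmask(); regex patterns cannot be converted automatically."""
    m = DOTTED_QUAD_RE.match(pattern)
    if m and all(0 <= int(octet) <= 255 for octet in m.groups()):
        return f'netmask("{pattern}/32")'
    return None


def lint(config: str):
    """Return one finding per host() filter that compares an IP-style pattern while DNS resolution is on."""
    findings = []
    if not uses_dns(config):
        return findings
    for name, pat in ip_host_filters(config):
        fix = suggest_netmask(pat)
        hint = f"replace with {fix}" if fix else "rewrite as one or more netmask() filters"
        findings.append(
            f'{name}: host("{pat}") is matched against $HOST, which use_dns(yes) '
            f'turns into a DNS name, so the IP pattern never matches; {hint}')
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports f_usas and f_dslswitches and leaves f_teaneck alone; for f_dslswitches it proposes netmask("132.238.21.40/32"), while the regex in f_usas has to be rewritten by hand (for example as two /24 netmask() filters). With use_dns(no) the lint reports nothing, which matches the observation in the post that everything works once DNS is off.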
