[syslog-ng] Ip filtering

Balazs Scheidler bazsi at balabit.hu
Sun Feb 15 09:18:34 CET 2009


On Thu, 2009-02-12 at 15:33 -0500, Chris Bland wrote:
> Hi guys,
> 
> I am having a problem filtering based on ip address.  My predecessor had 
> a config file with over 240 hosts.  I just upgraded to 2.0.10-1 and 
> started getting YACC overflow stack errors.

This was reported a couple of weeks ago, and the reason for the stack
overflows seems to be using traditional "yacc" instead of bison. Try
recompiling syslog-ng with bison or search the archives for a yacc
specific solution, then these errors would be gone.

On the other hand it certainly is better to have a smaller configuration
file.

>  I condensed the config 
> file by using regex.  If I stop using DNS everything works fine.
> What I am trying to do is filter based on ip address and have each log 
> stored in a directory with the servers dns name.
> My config looks like this
> 
> options {
>     sync (0);
>     time_reopen (10);
>     log_fifo_size (1000);
>     long_hostnames (off);
>     keep_hostname (yes);
>     use_dns (yes);
>     use_fqdn (no);
>     create_dirs (no);
> };
> 
> destination servers {
>     file("/var/log/syslog-ng/hosts/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
>          owner(root) group(staff) perm(0650) dir_perm(0750) create_dirs(yes));
> };
> 
> destination teaneck {
>     file("/var/log/syslog-ng/network/TEANECK/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
>          owner(root) group(staff) perm(0650) dir_perm(0750) create_dirs(yes));
> };
> 
> destination dslswitches {
>     file("/var/log/syslog-ng/network/TEANECK/Dslswitches/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
>          owner(root) group(staff) perm(0650) dir_perm(0750) create_dirs(yes));
> };
> 
> filter f_teaneck     { netmask("132.238.11.0/24"); };
> filter f_usas        { host("132.238.(7|8).*$"); };
> filter f_dslswitches { host("132.238.21.40"); };
> 
> log { source(s_network); filter(f_usas);        destination(servers); };
> log { source(s_network); filter(f_teaneck);     destination(teaneck); };
> log { source(s_network); filter(f_dslswitches); destination(dslswitches); };
> 
> 
> The netmask filters work but my host filters don't.

Please note that the host() filter checks the hostname portion of the
syslog message and thus it may or may not have any connection with the
sender IP address. The hostname can also be changed by syslog-ng, but as
I see you have set keep_hostname() to yes, the hostname will be the
name supplied by the original system, or if there was no name at all,
syslog-ng will generate one based on its IP address.

The netmask filter always checks the _sender_ IP address. If you have
relays it almost certainly will be different from the end system.

So to find out why your host() filter does not work, first you need to
check what your $HOST field contains. If it really is an IP address,
then you should check whether the regexp matches it.

-- 
Bazsi
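The distinction Bazsi draws above (netmask() looks at the sender's IP address, host() looks at whatever ended up in the $HOST field) is easy to get wrong, so here is a small added model of it in Python. It is not syslog-ng code and not part of the original thread: the filters are transcribed from Chris's quoted config, the reverse-DNS table and the sample messages are constructed, and the host() filter is assumed to behave as an unanchored regex search over $HOST. Running it shows why a host() filter written against a dotted-quad string never fires once a name is in $HOST, and why the pattern "132.238.(7|8).*$" also matches an address in the .70 range.

```python
"""Model of syslog-ng's host() vs netmask() filter semantics.

Added illustration, not syslog-ng code: it reproduces the point made in the
reply (netmask() tests the sender IP, host() tests the $HOST field) on
constructed messages so the "what does $HOST contain?" check can be walked
through offline.
"""
import ipaddress
import re

# Constructed reverse-DNS table standing in for use_dns(yes). Hypothetical names.
REVERSE_DNS = {
    "132.238.11.5": "rtr-teaneck-1.example.net",
    "132.238.21.40": "dslswitch-a.example.net",
    "132.238.7.12": "usas-web.example.net",
}

# Filters from the quoted config, keyed by the destination they route to.
FILTERS = {
    "servers":     ("host",    "132.238.(7|8).*$"),
    "teaneck":     ("netmask", "132.238.11.0/24"),
    "dslswitches": ("host",    "132.238.21.40"),
}


def host_field(sender_ip, msg_hostname, keep_hostname=True, use_dns=True):
    """How $HOST gets filled in, as described in the reply: with
    keep_hostname(yes) the name carried in the message is kept; if the
    message had no hostname, one is generated from the sender IP
    (reverse-resolved under use_dns(yes), the bare IP otherwise)."""
    if keep_hostname and msg_hostname:
        return msg_hostname
    if use_dns:
        return REVERSE_DNS.get(sender_ip, sender_ip)
    return sender_ip


def filter_matches(kind, arg, sender_ip, host):
    """netmask() tests the sender address; host() runs an unanchored regex
    search over $HOST (an assumption mirroring the regex-based host() filter)."""
    if kind == "netmask":
        return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(arg)
    if kind == "host":
        return re.search(arg, host) is not None
    raise ValueError(f"unknown filter kind: {kind}")


def route(sender_ip, msg_hostname, use_dns=True, keep_hostname=True):
    """Return (resolved $HOST, list of destinations whose filter matched)."""
    host = host_field(sender_ip, msg_hostname, keep_hostname, use_dns)
    hits = [name for name, (kind, arg) in FILTERS.items()
            if filter_matches(kind, arg, sender_ip, host)]
    return host, hits


if __name__ == "__main__":
    # Constructed cases, not captured traffic.
    cases = [
        ("132.238.11.5",  "rtr-teaneck-1"),   # message carries its own name
        ("132.238.21.40", "dslswitch-a"),     # name wins over IP: host() never fires
        ("132.238.21.40", None),              # no name: $HOST generated from IP
        ("132.238.7.12",  None),
        ("132.238.70.1",  None),              # outside .7/.8 but the regex still hits
    ]
    for use_dns in (True, False):
        print(f"use_dns({'yes' if use_dns else 'no'})")
        for ip, name in cases:
            host, hits = route(ip, name, use_dns=use_dns)
            print(f"  sender={ip:<14} $HOST={host:<28} -> {hits}")
```

The last constructed case is the caveat worth keeping in mind when condensing many host() lines into one regex: because "." matches any character and the pattern is not anchored at the start, "132.238.(7|8).*$" also accepts "132.238.70.1". Anchoring and escaping the dots, as in `^132\.238\.(7|8)\.`, restricts it to the two intended third octets.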