[syslog-ng] Separating Remote Logs

Nate Hausrath hausrath.mailing.list at gmail.com
Thu Jan 7 18:56:05 CET 2010 

Hi everyone,

I've set up a central log server using syslog-ng that receives logs from many different locations on the network.  I want to break these logs up into different files so I can using another program to parse and interpret each one individually.  So for example, I want my Windows logs to go to /var/log/remote/windows.log, which my ASA logs go to /var/log/remote/asa.log.  Anything that doesn't fit into a group should go to /var/log/remote/other.log.

I'm trying to figure out the best way to do this.  I was going to create a custom xml file for the db-parser, but I can't seem to get it to work the way I want.  Here is my db-parser XML file so far:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='2' pub_date='2009-12-07'>
	<ruleset name='capcxml' id='1923-ab2b'>
		<pattern/>
		<rules>
			<rule provider='capc' id='1' class='system'>
				<description>Detects ASA logs</description>
				<patterns>
					<pattern>%ASA</pattern>
				</patterns>
			</rule>
			<rule provider='capc' id='2' class='system'>
				<description>Detects Windows logs from Snare</description>
				<patterns>
					<pattern>MSWinEventLog</pattern>
				</patterns>
			</rule>
		</rules>
	</ruleset>
</patterndb>

So my question is, how can I specify a filter in my syslog-ng.conf file that will allow me to separate logs from these two different rules?  Along with that, how can I separate everything that doesn't match?

For instance, I could have something like this:

filter f_class_asa {
	match("1"
	value(".classifier_rule_id")
	type("string")
	);
};

filter f_class_windows {
	match("2"
	value(".classifier_rule_id")
	type("string")
	);
};

filter f_class_other {
	not match("1" value(".classifier_rule_id") type("string"))
	and not match("2" value(".classifier_rule_id") type("string"));
};

log {
	source(s_remote);
	parser(p_capc);
	filter(f_class_asa);
	destination(df_asa);
};

log {
	source(s_remote);
	parser(p_capc);
	filter(f_class_windows);
	destination(df_windows);
};

log {
	source(s_remote);
	parser(p_capc);
	filter(f_class_other);
	destination(df_other);
};

But this doesn't seem to work.  Everything gets placed in the df_asa file.  

Am I approaching this the wrong way?  Should I not use db-parser for this task?

Thanks for any help!
Nate

More information about the syslog-ng mailing list