[syslog-ng] Separating Remote Logs

Martin Holste mcholste at gmail.com
Thu Jan 7 19:27:57 CET 2010


It should be ".classifier.rule_id" not ".classifier_rule_id."

By the way, I find I need to use a rewrite template for Snare to
normalize the program.  I use:

rewrite r_snare {
  subst("MSWinEventLog.+(Security|Application|System).+", "$1",
        value("PROGRAM") flags(global));
};

--Martin

On Thu, Jan 7, 2010 at 11:56 AM, Nate Hausrath
<hausrath.mailing.list at gmail.com> wrote:
> Hi everyone,
>
> I've set up a central log server using syslog-ng that receives logs from many different locations on the network.  I want to break these logs up into different files so I can use another program to parse and interpret each one individually.  So for example, I want my Windows logs to go to /var/log/remote/windows.log, while my ASA logs go to /var/log/remote/asa.log.  Anything that doesn't fit into a group should go to /var/log/remote/other.log.
>
> I'm trying to figure out the best way to do this.  I was going to create a custom xml file for the db-parser, but I can't seem to get it to work the way I want.  Here is my db-parser XML file so far:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <patterndb version='2' pub_date='2009-12-07'>
>        <ruleset name='capcxml' id='1923-ab2b'>
>                <pattern/>
>                <rules>
>                        <rule provider='capc' id='1' class='system'>
>                                <description>Detects ASA logs</description>
>                                <patterns>
>                                        <pattern>%ASA</pattern>
>                                </patterns>
>                        </rule>
>                        <rule provider='capc' id='2' class='system'>
>                                <description>Detects Windows logs from Snare</description>
>                                <patterns>
>                                        <pattern>MSWinEventLog</pattern>
>                                </patterns>
>                        </rule>
>                </rules>
>        </ruleset>
> </patterndb>
>
> So my question is, how can I specify a filter in my syslog-ng.conf file that will allow me to separate logs from these two different rules?  Along with that, how can I separate everything that doesn't match?
>
> For instance, I could have something like this:
>
> filter f_class_asa {
>        match("1"
>        value(".classifier_rule_id")
>        type("string")
>        );
> };
>
> filter f_class_windows {
>        match("2"
>        value(".classifier_rule_id")
>        type("string")
>        );
> };
>
> filter f_class_other {
>        not match("1" value(".classifier_rule_id") type("string"))
>        and not match("2" value(".classifier_rule_id") type("string"));
> };
>
> log {
>        source(s_remote);
>        parser(p_capc);
>        filter(f_class_asa);
>        destination(df_asa);
> };
>
> log {
>        source(s_remote);
>        parser(p_capc);
>        filter(f_class_windows);
>        destination(df_windows);
> };
>
> log {
>        source(s_remote);
>        parser(p_capc);
>        filter(f_class_other);
>        destination(df_other);
> };
>
> But this doesn't seem to work.  Everything gets placed in the df_asa file.
>
> Am I approaching this the wrong way?  Should I not use db-parser for this task?
>
> Thanks for any help!
> Nate
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
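The configuration below is an added example, not part of either message and not taken from syslog-ng's documentation. It applies the macro name Martin gives, `.classifier.rule_id`, keeps Nate's rule ids 1 and 2, and assumes syslog-ng 3.x, that Nate's patterndb XML is saved as /etc/syslog-ng/patterndb.d/capc.xml (a path chosen here), that `s_remote` and Martin's `r_snare` are defined elsewhere in the same config, and that the patterndb rules classify messages the way Nate intends. The catch-all bucket keys off `.classifier.class`, which db-parser sets to `unknown` for any message no rule matched, so it does not have to enumerate every rule id; one log path with embedded log statements runs the parser once per message instead of once per destination.

```conf
# syslog-ng.conf fragment (added example, not from the thread).
# Assumes: syslog-ng 3.x; Nate's patterndb XML saved as
# /etc/syslog-ng/patterndb.d/capc.xml (path chosen for this example);
# source s_remote and Martin's rewrite r_snare defined elsewhere.

parser p_capc {
    db-parser(file("/etc/syslog-ng/patterndb.d/capc.xml"));
};

# Rule ids are compared as exact strings. With the default regexp matcher
# "1" would also match a rule id such as "10", so keep type("string").
filter f_class_asa {
    match("1" value(".classifier.rule_id") type("string"));
};
filter f_class_windows {
    match("2" value(".classifier.rule_id") type("string"));
};

# db-parser sets .classifier.class to "unknown" when no rule matched,
# so the catch-all does not need a "not ... and not ..." list of ids.
filter f_class_other {
    match("unknown" value(".classifier.class") type("string"));
};

destination d_asa     { file("/var/log/remote/asa.log"); };
destination d_windows { file("/var/log/remote/windows.log"); };
destination d_other   { file("/var/log/remote/other.log"); };

# One path: normalize PROGRAM for Snare (Martin's rewrite), classify once,
# then fan out with embedded log statements.
log {
    source(s_remote);
    rewrite(r_snare);
    parser(p_capc);
    log { filter(f_class_asa);     destination(d_asa); };
    log { filter(f_class_windows); destination(d_windows); };
    log { filter(f_class_other);   destination(d_other); };
};
```

Two checks before reloading: `syslog-ng -s` validates the syntax, and `pdbtool match -p /etc/syslog-ng/patterndb.d/capc.xml -P '<program>' -M '<message>'` shows the name-value pairs, including `.classifier.rule_id` and `.classifier.class`, that a sample program/message pair would receive, which is the quickest way to see whether a rule pattern matches at all. One caveat on the catch-all: a message classified by a rule added later, with no matching filter, would be dropped silently under this scheme; a top-level log path marked `flags(fallback)` catches everything not routed by another path regardless of class, at the cost of not being able to share the single parser invocation shown above.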

