[syslog-ng] logic and duplicate suppression
John Kristoff
jtk at cymru.com
Wed Jul 28 17:04:46 CEST 2010
I have a couple of scenarios where I'm looking to enhance how I handle
and process some logs. I'm looking for suggestions on what my options
are, but maybe these are potential feature requests?

1. In using a parser (csv or the patterndb), I'd like to use some
conditionals based on a resultant macro value. So for example, if I
have an sshd authentication log message with a source address in a
macro and that address is contained within a specific prefix, I'd like to
handle that message differently. Perhaps not log it at all, or set another
MACRO to a certain value.

2. I'd like to be able to suppress duplicate messages even if they are
not necessarily contiguous at the destination. So for example, if I
have an SSH client that generates a log of its SSH client protocol
and software, I don't need to see that over and over again (e.g. as
you might commonly see today in SSH brute force attacks).
John
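As an added example (not part of the post, and not syslog-ng's own code or configuration), here is a small Python prototype of the two behaviours asked for: a parser that lifts the sshd source address into a macro dict and sets a second macro depending on whether it falls within a trusted prefix (item 1), and a keyed time-window cache that drops repeats of a message even when other messages arrive in between (item 2). The regexes, the `process()` pipeline, the prefix list and the sample log lines are all constructed for this example.

```python
import re
from collections import OrderedDict
from ipaddress import ip_address, ip_network

# Two message shapes from an OpenSSH-style auth log; both regexes are written for this
# example and only cover the constructed sample lines below.
AUTH_RE = re.compile(
    r"^(?P<status>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\S+) port (?P<port>\d+)"
)
CLIENT_RE = re.compile(
    r"^Client protocol version (?P<proto>\S+); client software version (?P<sw>\S+)"
)


def parse_sshd(msg):
    """Parser step for item 1: extract fields into a macro dict, or None if nothing matches."""
    m = AUTH_RE.search(msg)
    if m:
        macros = m.groupdict()
        macros["kind"] = "auth"
        return macros
    m = CLIENT_RE.search(msg)
    if m:
        macros = m.groupdict()
        macros["kind"] = "client"
        return macros
    return None


def classify_source(macros, trusted_nets):
    """Conditional step for item 1: derive a SRCNET macro from the SRCIP macro and a prefix list.
    An unparsable address is tagged rather than silently treated as trusted."""
    try:
        ip = ip_address(macros["srcip"])
    except ValueError:
        macros["srcnet"] = "invalid"
        return macros
    macros["srcnet"] = "trusted" if any(ip in net for net in trusted_nets) else "untrusted"
    return macros


class DedupWindow:
    """Item 2: drop a message key seen within the last `window` seconds, regardless of what
    arrived in between. Bounded in size so a flood of distinct keys cannot grow it without limit."""

    def __init__(self, window=300, max_keys=10000):
        self.window = window
        self.max_keys = max_keys
        self.last_seen = OrderedDict()   # key -> timestamp of the last copy that was let through
        self.suppressed = {}             # key -> number of copies dropped

    def allow(self, key, now):
        prev = self.last_seen.get(key)
        if prev is not None and now - prev < self.window:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return False
        self.last_seen[key] = now
        self.last_seen.move_to_end(key)
        while len(self.last_seen) > self.max_keys:
            self.last_seen.popitem(last=False)  # evict the oldest key
        return True


def dedup_key(macros):
    """What counts as 'the same message': the port changes per connection, so leave it out."""
    if macros["kind"] == "auth":
        return ("auth", macros["status"], macros["user"], macros["srcip"])
    return ("client", macros["proto"], macros["sw"])


def process(lines, trusted_prefixes, window=300):
    """Run (timestamp, message) pairs through parse -> classify -> dedup.
    Returns the records that would reach the destination and the per-key suppression counts."""
    nets = [ip_network(p) for p in trusted_prefixes]
    dedup = DedupWindow(window)
    out = []
    for ts, msg in lines:
        macros = parse_sshd(msg)
        if macros is None:
            out.append({"kind": "other", "msg": msg})
            continue
        if macros["kind"] == "auth":
            classify_source(macros, nets)
            if macros["srcnet"] == "trusted" and macros["status"] == "Accepted":
                continue  # the "not log it at all" case: routine logins from inside the prefix
        if not dedup.allow(dedup_key(macros), ts):
            continue
        out.append(macros)
    return out, dedup.suppressed


# Constructed sample input: (seconds since start, sshd message text).
SAMPLE = [
    (0,   "Accepted publickey for alice from 10.1.2.3 port 50000 ssh2"),
    (1,   "Client protocol version 2.0; client software version libssh-0.2"),
    (2,   "Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2"),
    (3,   "Client protocol version 2.0; client software version libssh-0.2"),
    (4,   "Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2"),
    (5,   "Failed password for invalid user root from 203.0.113.9 port 40003 ssh2"),
    (400, "Client protocol version 2.0; client software version libssh-0.2"),
]

if __name__ == "__main__":
    kept, dropped = process(SAMPLE, ["10.0.0.0/8"])
    for rec in kept:
        print(rec)
    print("suppressed:", dropped)
```

With the sample above, the trusted login is not logged, the second and third `libssh-0.2` banner lines inside the 300-second window are dropped while the one at 400 seconds is let through again, and the repeated `admin` failure is collapsed while the distinct `root` failure still appears. The suppression counts are kept so a destination could emit a "last message repeated N times" style summary later.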