[syslog-ng] logic and duplicate suppression
Fekete Robert
frobert at balabit.hu
Thu Jul 29 10:34:26 CEST 2010
Hi John,
John Kristoff wrote:
> I have a couple of scenarios where I'm looking to enhance how I handle
> and process some logs. I'm looking for suggestions on what my options
> are, but maybe these are potential feature requests?
>
> 1. In using a parser (csv or the patterndb), I'd like to use some
> conditionals based on a resultant macro value. So for example, if I
> have an sshd authentication log message with a source address in a
> macro and that address is contained w/in a specific prefix, I'd like to
> handle that message differently. Perhaps not log it at all or set another
> MACRO to a certain value.
You can filter on the results of your message parsing and use embedded log
statements to handle messages differently based on the values of the parsers.
You need a filter that selects program(sshd), netmask(), and
tag(how-you-tag-sshd-auth-messages).
For embedded logpaths, see
http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/configuring_embedded_logpaths.html
and
http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/reference_filters.html
for the various filters.
HTH
Robert
>
> 2. I'd like to be able to suppress duplicate messages even if they are
> not necessarily contiguous at the destination. So for example, if I
> have a SSH client that generates a log of its SSH client protocol
> and software, I don't need to see that over and over again (e.g. as
> you might commonly see today in SSH brute force attacks).
>
AFAIK,
> John
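As an added illustration of the filter-plus-embedded-log-path approach described in the reply above (example configuration written for this page, not from the original post or the syslog-ng project), assuming syslog-ng OSE 3.x syntax; the macro names, the 192.0.2.0/24 prefix and the file paths are constructed.

```conf
# Added example: parse sshd authentication messages and route them by the
# client address the parser extracted. Macro names, prefix and paths are
# constructed for this illustration.

source s_net { udp(ip(0.0.0.0) port(514)); };

# Message shape handled here (nine space-separated tokens):
#   "Accepted password for alice from 192.0.2.10 port 51234 ssh2"
# Other shapes (e.g. "... for invalid user bob from ...") do not pass
# f_sshd_auth below and therefore never reach the parser.
parser p_sshd {
    csv-parser(columns("SSH.RESULT", "SSH.METHOD", "SSH.FOR", "SSH.USER",
                       "SSH.FROM", "SSH.CLIENTIP", "SSH.PORTLBL",
                       "SSH.PORT", "SSH.PROTO")
               delimiters(" ")
               flags(escape-none));
};

filter f_sshd_auth {
    program("sshd")
    and match("^(Accepted|Failed) (password|publickey) for [^ ]+ from "
              value("MESSAGE"));
};

# Caveat: netmask() tests the IP the message was received from (the last-hop
# sender), not a value parsed out of the message body. To test the parsed
# client address, match a regex against the macro the parser filled in.
filter f_mgmt_client { match("^192\\.0\\.2\\." value("SSH.CLIENTIP")); };

destination d_sshd_mgmt {
    file("/var/log/sshd-mgmt.log"
         template("${ISODATE} ${HOST} ${SSH.RESULT} user=${SSH.USER} "
                  "from=${SSH.CLIENTIP}\n"));
};
destination d_sshd_other { file("/var/log/sshd-other.log"); };

log {
    source(s_net);
    filter(f_sshd_auth);
    parser(p_sshd);
    # Embedded log path: logins from the management prefix go to their own
    # file; flags(final) stops them from also hitting the fallback path.
    log { filter(f_mgmt_client); destination(d_sshd_mgmt); flags(final); };
    # Fallback for every other sshd authentication message.
    log { destination(d_sshd_other); };
};
```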