[syslog-ng] logic and duplicate suppression

Fekete Robert frobert at balabit.hu
Thu Jul 29 10:34:26 CEST 2010


Hi John,

John Kristoff wrote:

> I have a couple of scenarios where I'm looking to enhance how I handle
> and process some logs.  I'm looking for suggestions on what my options
> are, but maybe these are potential feature requests?
> 
> 1. In using a parser (csv or the patterndb), I'd like to use some
> conditionals based on a resultant macro value.  So for example, if I
> have an sshd authentication log message with a source address in a
> macro and that address is contained w/in a specific prefix, I'd like to
> handle that message differently.  Perhaps not log it at all or set another
> MACRO to a certain value.

You can filter on the results of your message parsing and use embedded log 
statements to handle messages differently based on the values of the parsers.
You need a filter that selects program(sshd), netmask(), and 
tag(how-you-tag-sshd-auth-messages).

For embedded logpaths, see 
http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/configuring_embedded_logpaths.html
and 
http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/reference_filters.html 
for the various filters.

HTH

Robert
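As an added example (not part of Robert's reply), one way to wire this together in a syslog-ng OSE 3.1 configuration: an sshd filter, a pattern database that tags the authentication messages, a netmask() filter on the sender's address, and an embedded log statement that sets an extra name-value pair and writes to a separate file. The patterndb file path, the "ssh-auth" tag name, the 192.0.2.0/24 prefix and the destination paths are assumptions for illustration.

```conf
@version: 3.1

source s_local { system(); internal(); };

# Assumed: a patterndb file whose sshd rules tag auth messages "ssh-auth"
parser p_sshd_db { db-parser(file("/etc/syslog-ng/patterndb.d/sshd.xml")); };

filter f_sshd     { program("sshd"); };
filter f_ssh_auth { tags("ssh-auth"); };
# Messages whose sender sits inside the trusted prefix (constructed range)
filter f_trusted  { netmask("192.0.2.0/24"); };

# Mark matching messages with an extra name-value pair for later templates
rewrite r_trusted { set("trusted", value("ORIGIN_CLASS")); };

destination d_ssh_trusted   { file("/var/log/ssh-auth-trusted.log"); };
destination d_ssh_untrusted { file("/var/log/ssh-auth-untrusted.log"); };

log {
    source(s_local);
    filter(f_sshd);
    parser(p_sshd_db);
    filter(f_ssh_auth);

    # Embedded log path: trusted prefix gets the extra macro and its own file.
    # flags(final) stops these messages from reaching the second embedded path.
    log {
        filter(f_trusted);
        rewrite(r_trusted);
        destination(d_ssh_trusted);
        flags(final);
    };

    # Everything that was not caught above
    log {
        destination(d_ssh_untrusted);
    };
};
```

Leaving out destination(d_ssh_trusted) in the first embedded path while keeping flags(final) drops the trusted-prefix messages instead of logging them.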

> 
> 2. I'd like to be able to suppress duplicate messages even if they are
> not necessarily contiguous at the destination.  So for example, if I
> have an SSH client that generates a log of its SSH client protocol
> and software, I don't need to see that over and over again (e.g. as
> you might commonly see today in SSH brute force attacks).
> 

AFAIK,

> John