[syslog-ng] Need help with filtering messages - new user with syslog-ng

Cosmin Neagu cosmin.neagu at omnilogic.ro
Mon Aug 29 11:12:29 CEST 2011


Hello,
First of all, I started to use syslog-ng on Ubuntu a few days ago and it 
seems a great syslog server.

But today I stumbled on a problem.


I configured snmptrapd with TRAPDOPTS='-Lsd ' and this means that 
snmptrapd will send the traps it receives to syslog-ng.
Now, syslog-ng puts those traps by default in /var/log/syslog because of 
this default configuration:

source s_src { unix-dgram("/dev/log"); internal();
              file("/proc/kmsg" program_override("kernel"));
};
destination d_syslog { file("/var/log/syslog"); };
# f_debug is defined earlier in the stock syslog-ng.conf
filter f_syslog3 { not facility(auth, authpriv, mail) and not 
filter(f_debug); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };

What I want to accomplish is to have traps from different hosts put in 
different files, not all together in the same file like it happens now.
At first I tried to filter based on the IP address of the host that was 
sending the trap, but I realized that the snmptrapd process is the one 
that sends the trap to the syslog-ng process, not the device directly:

Aug 29 11:42:48 Dell snmptrapd[3801]: 2011-08-29 11:42:43 10.90.0.252 
[UDP: [10.90.0.252]:49364->[192.168.53.151]]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (1563318974) 180 days, 22:33:09.74
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.41.2.0.1
iso.3.6.1.4.1.9.9.41.1.2.3.1.2.31 = STRING: "LINK"
iso.3.6.1.4.1.9.9.41.1.2.3.1.3.31 = INTEGER: 4
iso.3.6.1.4.1.9.9.41.1.2.3.1.4.31 = STRING: "UPDOWN"
iso.3.6.1.4.1.9.9.41.1.2.3.1.5.31 = STRING: "Interface Serial0/0/0, 
changed state to down"
iso.3.6.1.4.1.9.9.41.1.2.3.1.6.31 = Timeticks: (1563318974) 180 days, 
22:33:09.74



So maybe you have done this - how can I filter based on the program that 
is sending the message (like snmptrapd)? And also, can filters based on 
the text itself be used? Like:
- if the message contains "10.90.0.252 [UDP: 
[10.90.0.252]:XXXXX->[192.168.53.151]" put the message in "this" file
- if the message contains "10.90.1.22 [UDP: 
[10.90.1.22]:XXXXX->[192.168.53.151]" put the message in "that" file
Thanks

-- 
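Both things the post asks for exist as syslog-ng filter functions: program() selects by the sending program and match() with value("MESSAGE") selects by message text. The configuration below is an added example written for this thread; it is not part of the original message or of the syslog-ng project's own files. It assumes syslog-ng 3.x syntax as shipped on Ubuntu, the stock s_src source from the post, and the two device addresses quoted there; the /var/log/traps/... file names are an assumption.

```conf
# Added example, not from the original message or the syslog-ng project.
# Assumes syslog-ng 3.x on Ubuntu, the stock s_src source, and the two
# device addresses from the post; the /var/log/traps paths are assumed.

# 1. Select by sending program. program() takes a regular expression,
#    so anchor it: "snmptrapd" alone would also match "mysnmptrapd2".
filter f_snmptrapd { program("^snmptrapd$"); };

# 2. Select by message text. $HOST is "Dell" (the collector) for every
#    trap, so the device address exists only inside $MESSAGE. Match the
#    "<ip> [UDP: [<ip>]:" prefix that snmptrapd writes, not the bare
#    address, so an address that merely appears inside the varbinds of
#    another device's trap does not misroute that trap. type("string")
#    with flags(substring) is a plain substring test, so the brackets
#    and dots need no regex escaping.
filter f_trap_10_90_0_252 {
    match("10.90.0.252 [UDP: [10.90.0.252]:" value("MESSAGE") type("string") flags(substring));
};
filter f_trap_10_90_1_22 {
    match("10.90.1.22 [UDP: [10.90.1.22]:" value("MESSAGE") type("string") flags(substring));
};

# 3. One file per device, plus a catch-all so a trap from a device that
#    has no filter yet is not silently dropped.
destination d_trap_10_90_0_252 { file("/var/log/traps/10.90.0.252.log" create_dirs(yes)); };
destination d_trap_10_90_1_22  { file("/var/log/traps/10.90.1.22.log"  create_dirs(yes)); };
destination d_trap_other       { file("/var/log/traps/other.log"       create_dirs(yes)); };

# 4. Route. Several filter() references in one log path are ANDed.
#    flags(final) stops a matched trap from reaching later log paths,
#    so these statements must come BEFORE the stock
#    "log { source(s_src); filter(f_syslog3); destination(d_syslog); };"
#    or the traps will still be copied into /var/log/syslog as well.
log { source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_0_252);
      destination(d_trap_10_90_0_252); flags(final); };
log { source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_1_22);
      destination(d_trap_10_90_1_22);  flags(final); };
log { source(s_src); filter(f_snmptrapd);
      destination(d_trap_other);       flags(final); };
```

Run `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (syntax check only) before reloading. On an older syslog-ng that does not accept type() and flags() in match(), drop them and write the pattern as a POSIX regex with the brackets and dots escaped. Two caveats for treating the resulting files as evidence: the address in the message is the UDP source address as snmptrapd saw it, and for SNMPv1/v2c traps it is unauthenticated and trivially spoofable, so a line in 10.90.0.252.log shows only that a packet claimed to come from that device; and the varbind strings after the prefix are whatever the sender put in them, which is why the example keys on snmptrapd's own "<ip> [UDP: [<ip>]:" framing rather than on any text further into the message.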

