[syslog-ng] Log only one host

Jim jrhendri at maine.rr.com
Tue Dec 13 01:10:30 CET 2011 

Couple things to note:
- not all syslogs give a valid syslog header (e.g. <date> <time> <host>
<program>:<message>)
- name resolution costs cycles (may not be an issue)
- know the difference between $HOST (parsed from the syslog header) and
$HOST_FROM (the origin of the packet)

Enjoy!

On Mon, 2011-12-12 at 12:05 +0100, Thomas Wollner wrote:
> Hello,
> 
> to separate the destination logfiles for each host, use the following
> 
> destination d_file_foreach_host {
>   file("/var/log/$FULLHOST.log");
> }
> 
> 
> log {
>   source(s_all);
>   destination(d_file_foreach_host),
> };
> 
> hope it helps,
> regards,
> 
> Tom
> 
> 
> 
> Zitat von "tokie at tiscali.it" <tokie at tiscali.it>:
> 
> >> Try using the netmask filter.
> >
> >> filter f_host_a_b_c_d {
> >>  netmask
> > ("a.b.c.d/32");
> >>  };
> >
> > Tks for reply,
> > I tried but don't work!
> > More
> > specific:
> > I wish that all devicies in my network, logging into a
> > specific file on syslog server.
> >
> > Now all files log all devicies!!
> > I
> > have the same result in different
> > file(100.log, 101.log, and so on)
> >
> >
> > Must I use iptables's match?? How??
> >
> > tks
> > Tokie
> >
> > p.s.:
> > netmask("a.b.c.
> >
> > d/32") or netmask("a.b.c.d/255.255.255.255") ???
> >
> > ----Messaggio
> > originale----
> > Da: syslog-ng-request at lists.balabit.hu
> > Data: 10/12/2011
> > 12.00
> > A: <syslog-ng at lists.balabit.hu>
> > Ogg: syslog-ng Digest, Vol 80,
> > Issue 15
> >
> > Send syslog-ng mailing list submissions to
> > 	syslog-ng at lists.
> > balabit.hu
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > or, via email, send
> > a message with subject or body 'help' to
> > 	syslog-ng-request at lists.
> > balabit.hu
> >
> > You can reach the person managing the list at
> > 	syslog-ng-
> > owner at lists.balabit.hu
> >
> > When replying, please edit your Subject line so
> > it is more specific
> > than "Re: Contents of syslog-ng digest..."
> >
> >
> >
> > Today's Topics:
> >
> >    1. Re:  syslog-ng 3.3.3 repeatedly writes same
> > message to local
> >       file when forwarding enabled (Dave Haywood)
> >
> > 2. Re:  Log only one host (tokie at tiscali.it)
> >    3. Re:  Log to syslog
> > file, filter from fifo (Balazs Scheidler)
> >    4.  [Bug 146] pdbtool
> > match does not display tags
> >       (bugzilla at bugzilla.balabit.com)
> >
> >
> >
> > ----------------------------------------------------------------------
> >
> >
> > Message: 1
> > Date: Fri, 09 Dec 2011 11:22:24 +0000
> > From: Dave Haywood
> > <tla at oak.selfip.net>
> > Subject: Re: [syslog-ng] syslog-ng 3.3.3
> > repeatedly writes same
> > 	message to local file when forwarding enabled
> >
> > To: Syslog-ng users' and developers' mailing list
> > 	<syslog-ng at lists.
> > balabit.hu>
> > Cc: Sandor Geller <Sandor.Geller at morganstanley.com>
> > Message-
> > ID: <4EE1EF70.1060001 at oak.selfip.net>
> > Content-Type: text/plain;
> > charset=ISO-8859-1
> >
> > On 09/12/2011 09:53, Sandor Geller wrote:
> >> Sounds
> > like messages sent to 192.168.0.7 are feeded back to syslog-ng
> >> so
> > there is a logging loop. Is this address local? When not then there
> >>
> > is a chance that the packet filter rule isn't correct.
> >   Thanks!  You
> > were right, the issue was with the iptables rule.  I
> > was trying to
> > capture traffic from localhost to port 514 and
> > redirect it to 1514
> > using NAT table OUTPUT.  I use this for testing
> > every facility /
> > severity combination during install.  But I didn't
> > specify a
> > destination host (of the local IP address); I only
> > specified the port.
> > This meant and traffic forwarded to a remote
> > host is redirected by
> > iptables back to the localhost, causing a loop.
> >
> >   Thanks for the help
> > :)
> >
> >>
> >> On Fri, Dec 9, 2011 at 10:34 AM, Dave Haywood <tla at oak.selfip.
> > net> wrote:
> >>> Hi,
> >>>
> >>>  I have a problem with syslog-ng 3.3.3.  When
> > I have forwarding enabled to a remote syslog server (via UDP) syslog-ng
> > repeatedly writes the same message(s) to the log file and only stops
> > when the disk is full.  Using tcpdump on the remote server, I don't see
> > any data arrive from the syslog-ng server so forwarding is not working
> > either.
> >>>
> >>>  When I remove the forwarding part of the config file the
> > local file is written correctly (ie once).  If I remove the local file
> > part from the config file and only enable the forwarding, I see syslog-
> > ng take all the CPU time.  I never see any syslog messages arrive at
> > the remote syslog server.
> >>>
> >>>  I tried:
> >>>        1) disabling IPv6 -
> > no change
> >>>        2) running outside the chroot jail - no change
> >
> >>>        3) running as userid root - no change
> >>>
> >>>  Does anyone have
> > any idea what would cause this?  Debug info below.
> >>>
> >>>  The
> > environment is:
> >>>
> >>> RedHat AS 4.8 (linux 2.6.9-89.ELsmp) on vmware
> > ESXi 4.1.0
> >>>
> >>> All required software built and installed in
> > /usr/local/ :
> >>>
> >>> eventlog_0.2.12.tar.gz
> >>> gettext-0.18.1.1.tar.gz
> >
> >>> glib-2.29.90.tar.bz2
> >>> libdbi-0.8.4.tar.gz
> >>> libdbi-drivers-0.8.3.
> > tar.gz
> >>> libffi-3.0.9.tar.gz
> >>> libnet-0.10.11.tar.gz
> >>> pkg-config-
> > 0.26.tar.gz
> >>> Python-2.7.2.tar.bz2
> >>> zlib-1.2.5.tar.bz2
> >>> syslog-
> > ng_3.3.3.tar.gz
> >>>
> >>> syslog-ng is running chroot() in directory /data
> > as user
> >
> >
> > E' nata indoona: chiama, videochiama e messaggia Gratis. Scarica   
> > indoona per iPhone, Android e PC: http://www.indoona.com/
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:   
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
> 
> 
> 
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>

More information about the syslog-ng mailing list