[syslog-ng] Filter netmask not working as expected

Agus agus.262 at gmail.com
Tue Nov 20 16:48:55 CET 2012


Thanks for the reply!

I started it in the foreground and sent only one log from my Mac. This is the
result, and at the bottom I pasted my conf, which is very basic and short as
I am testing this.

Incoming log entry; line='<190>Nov 20 12:22:20 Gandalf brahama[90151]: test
mymac\x0a'
Filter rule evaluation begins; rule='f_casper',
location='/usr/local/etc/syslog-ng.conf:58:18'
Filter node evaluation result; result='not-match'
Filter rule evaluation result; result='not-match', rule='f_casper',
location='/usr/local/etc/syslog-ng.conf:58:18'
Filter rule evaluation begins; rule='f_my_mac',
location='/usr/local/etc/syslog-ng.conf:54:18'
Filter node evaluation result; result='match'
Filter rule evaluation result; result='match', rule='f_my_mac',
location='/usr/local/etc/syslog-ng.conf:54:18'
Initializing destination file writer; template='/var/log/mymac',
filename='/var/log/mymac'
Initializing destination file writer; template='/var/log/messages',
filename='/var/log/messages'

Incoming log entry; line='<142>Nov 20 12:44:49 Gandalf brahama[90207]: test
mymac\x0a'
Filter rule evaluation begins; rule='f_my_mac',
location='/usr/local/etc/syslog-ng.conf:54:18'
Filter node evaluation result; result='match'
Filter rule evaluation result; result='match', rule='f_my_mac',
location='/usr/local/etc/syslog-ng.conf:54:18'

syslog-ng shutting down; version='3.4.0alpha3'
Closing log transport fd; fd='7'
Closing log transport fd; fd='20'
Closing log transport fd; fd='21'
Running application hooks; hook='4'


------------

And this is my configuration, the entire file:

@version: 3.4
@include "scl.conf"

options {
    keep_hostname(yes);
    normalize_hostnames(yes);
    threaded(yes);
    ts_format(iso);
    use_fqdn(yes);
};

# Defined but not referenced by any log statement below.
source s_local {
    system();
    internal();
};

source s_network {
    udp(so_rcvbuf(1048576));
};

destination d_my_mac {
    file("/var/log/mymac");
};

# Defined but not referenced by any log statement below.
destination d_casper {
    file("/var/log/$HOST");
};

# Matches on the sender IP of the message (10.24.18.0/24).
filter f_my_mac {
    netmask(10.24.18.0/255.255.255.0);
};

# Defined but not referenced by any log statement below.
filter f_casper {
    netmask(10.24.150.192/255.255.255.255);
};

log {
    source(s_network);
    filter(f_my_mac);
    destination(d_my_mac);
    flags(final);
};

destination d_local {
    file("/var/log/messages");
};

# Second path on the same source, unfiltered.
log {
    source(s_network);
    destination(d_local);
};

-------------------------------------------------

Still seeing the log in both files, messages and mymac :S

Thanks!


2012/11/20 Balazs Scheidler <bazsi77 at gmail.com>

>
> Hi,
>
> If you reference a source from two log statements, both will get a copy of
> the same message. In the 2nd statement you request to send messages to
> d_local without filtering. That includes your IP too.
>
> Ahh, I see you are using flags(final); that should do the trick if the
> message is received on the same source (e.g. s_network). Are you sure this
> is the case?
>
> Also, you can start syslog-ng in the foreground, enabling debug messages,
> which should help you to narrow the problem further down.
>
> # syslog-ng -Fedv
>
>
> ----- Original message -----
> > Hi guys,
> >
> > Just new, and created the following conf for testing purposes. The
> > problem is that I get the logs in both destinations despite the filter.
> >
> > @version: 3.4
> > @include "scl.conf"
> >
> > options {
> >                keep_hostname(yes);
> >                normalize_hostnames(yes);
> >                threaded(yes);
> >                ts_format(iso); # Adds TZ
> >                #use_fqdn(yes);
> >                use_dns(no);
> > };
> >
> > source s_local {
> >                system();
> >                internal();
> > };
> >
> > source s_network {
> >                udp();
> > };
> >
> > destination d_local {
> >                file("/var/log/messages");
> > };
> >
> > destination d_my_mac {
> >                file("/var/log/mymac");
> > };
> >
> > filter f_my_mac {
> >                netmask(10.24.18.2/255.255.255.255);
> > };
> >
> > log {
> >                source(s_network);
> >                filter(f_my_mac);
> >                destination(d_my_mac);
> >                flags(final);
> > };
> >
> > log {
> >                source(s_local);
> >                # uncomment this line to open port 514 to receive messages
> >                source(s_network);
> >                #destination(d_central_udp);
> >                destination(d_local);
> > };
> >
> >
> > As netmask I also tried CIDR /24 and the same thing happens. The problem is that I
> > get the logs in both destinations. I only want to have them in my_mac.
> >
> > Thanks!
>
>
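A small Python model, added here and not syslog-ng code, of the behaviour Balazs describes above: each log statement that references a source gets a copy of the message, netmask() matches on the sender IP, and a matching path with flags(final) stops later paths from seeing the message. The message dicts, the SOURCEIP key, the in-order path evaluation and the rule that a message without a sender address never matches netmask() are assumptions of the model; the addresses are taken from the configuration in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class LogPath:
    """Model of one syslog-ng log {} statement (assumption: evaluated in file order)."""
    sources: frozenset
    filters: list = field(default_factory=list)      # callables msg -> bool
    destinations: list = field(default_factory=list)
    final: bool = False                              # flags(final)

def netmask(spec):
    """Model of filter netmask(): match the sender IP of the message.
    Accepts both 10.24.18.0/255.255.255.0 and CIDR (10.24.18.0/24) forms."""
    net = ipaddress.ip_network(spec, strict=False)
    def match(msg):
        ip = msg.get("SOURCEIP")   # assumption: absent for local (system()) messages
        return ip is not None and ipaddress.ip_address(ip) in net
    return match

def route(msg, paths):
    """Return the destinations a message reaches. Every path reading the
    message's source is tried in order; a matching path with flags(final)
    ends evaluation, an unfiltered path matches everything."""
    reached = []
    for path in paths:
        if msg["source"] not in path.sources:
            continue
        if not all(f(msg) for f in path.filters):
            continue
        reached.extend(path.destinations)
        if path.final:
            break
    return reached

# Constructed model of the second config in the thread: both paths read s_network.
PATHS = [
    LogPath(frozenset({"s_network"}), [netmask("10.24.18.0/255.255.255.0")],
            ["d_my_mac"], final=True),
    LogPath(frozenset({"s_network"}), [], ["d_local"]),
]

# Constructed sample messages; addresses chosen to fit the filters in the thread.
MAC = {"source": "s_network", "SOURCEIP": "10.24.18.2", "MSG": "test mymac"}
OTHER = {"source": "s_network", "SOURCEIP": "10.24.150.192", "MSG": "from casper"}
LOCAL = {"source": "s_local", "MSG": "local message, no sender address"}

if __name__ == "__main__":
    for m in (MAC, OTHER, LOCAL):
        print(m.get("SOURCEIP"), "->", route(m, PATHS))
```

Under this model a message from 10.24.18.2 reaches only d_my_mac while the first path carries flags(final), and reaches both d_my_mac and d_local as soon as that flag is dropped; a local message reaches nothing here because no path reads s_local.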