[syslog-ng] Host behind a NAT and multiple log files
Sandor Geller
Sandor.Geller at morganstanley.com
Wed Feb 6 17:26:38 CET 2013
Hi,
> I apologize, I forgot some important details like you said. I'm using the UDP
> protocol and both APs are logging into one file, but I want to log into
> another file for the second AP.
> Something like this
>
> 1 AP
> ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
> port 514 pass RULE pass
> RULE UDP 514
>
> 2 AP
> ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
> port 515 pass Rule
> pass Rule UDP 515
>
> I configured 2 sources, 2 destinations and 2 filters with these UDP ports but
> without success.
you didn't configure both ports
> I wish to run some other tests with tcpdump like you said, but I don't have
> remote access.
>
> Does the syslog server know which file it has to write to by the UDP port?
although syslog-ng is quite advanced it doesn't have mind-reading
capabilities (yet) so you must tell it how to process messages
> I post my syslog-ng-conf
>
> source AP1 {
> udp();
instead of plain udp() you could use
udp(port(514));
514 is the default port, but it won't hurt to set it explicitly
...
> source AP2 {
> udp();
and here use
udp(port(515));
so syslog-ng will actually listen on the port
your filters imply dynamic DNS so I'm not sure that it is a good idea
to use hostnames for filtering (especially when you're using the
*same* hostname for two different devices so unless NAT is involved at
least one filter won't match on incoming logs). Just remove the
filters and when the logs are written to disk you can add back /
refine the filtering.
hth,
Sandor
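
The per-port layout suggested in this reply, written out as one complete configuration. This is an added example, not the poster's configuration or code from the syslog-ng project; the object names (s_ap1, d_ap1, ...) and the file paths are assumptions chosen for illustration.

```conf
# Constructed example: one UDP listener, one file and one log path per AP.
# Put an @version: line matching the installed syslog-ng release at the top.

# AP 1 sends to UDP 514 (the default port, set explicitly here)
source s_ap1 {
    udp(port(514));
};

# AP 2 sends to UDP 515; without port(515) nothing listens on that port
source s_ap2 {
    udp(port(515));
};

# Hypothetical file paths, one per AP
destination d_ap1 {
    file("/var/log/ap1.log");
};

destination d_ap2 {
    file("/var/log/ap2.log");
};

# No filters: the listening port alone decides which file a message lands in.
# Hostname filters can be added back once both files are being written.
log {
    source(s_ap1);
    destination(d_ap1);
};

log {
    source(s_ap2);
    destination(d_ap2);
};
```

Because the file is selected only by the port a message arrives on, any host allowed through to UDP 515 can write into the second AP's log, so the firewall pass rules for 514 and 515 should admit only the address each AP is expected to send from. If the second file stays empty, `tcpdump -n udp port 515` on the syslog server shows whether the packets arrive at all.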