[syslog-ng] Host behind a NAT and multiple log files

Sandor Geller Sandor.Geller at morganstanley.com
Wed Feb 6 17:26:38 CET 2013


Hi,

> I apologize, I forgot some important details like you said. I'm using the UDP
> protocol and both APs are logging into one file, but I want to log into
> another file for the second AP.
> Something like this
>
> 1 AP
> ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
> port 514         pass RULE                          pass RULE          UDP 514
>
> 2 AP
> ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
> port 515         pass Rule                          pass Rule          UDP 515
>
> I configure 2 sources, 2 destinations and 2 filters with these udp ports but
> without success.

you didn't configure both ports

> I wish to make some other tests like you said with tcpdump, but I don't have
> remote access.
>
> Does the syslog server know which file it has to write to by the UDP port?

although syslog-ng is quite advanced, it doesn't have mind-reading
capabilities (yet), so you must tell it how to process messages

> I post my syslog-ng-conf
>
> source AP1 {
>   udp();

instead of plain udp() you could use

udp(port(514));

514 is the default port, but it won't hurt to set it explicitly

...

> source AP2 {
>   udp();

and here use

udp(port(515));

so syslog-ng will actually listen on the port

your filters imply dynamic DNS, so I'm not sure that it is a good idea
to use hostnames for filtering (especially when you're using the
*same* hostname for two different devices: unless NAT is involved, at
least one filter won't match on incoming logs). Just remove the
filters, and once the logs are written to disk you can add back /
refine the filtering.

hth,

Sandor
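The complete configuration the reply describes, written out as an added example (not the poster's config and not from the syslog-ng project): one udp() source per listening port, one file() destination per AP, and one log path joining each pair with no filter in between, so the shared hostname never matters. The source/destination names, the log file paths and the `@version` line are assumptions; set the version to match the installed syslog-ng.

```conf
# Added example: split two APs by the UDP port they send to.
# @version is assumed; use the one your syslog-ng release expects.
@version: 3.3

# One listener per AP. port() is what makes syslog-ng actually bind the
# second port; ip(0.0.0.0) is the default bind address, set explicitly here.
source s_ap1 { udp(ip(0.0.0.0) port(514)); };
source s_ap2 { udp(ip(0.0.0.0) port(515)); };

# One file per AP (paths are assumptions).
destination d_ap1 { file("/var/log/ap1.log"); };
destination d_ap2 { file("/var/log/ap2.log"); };

# No filter(): the port the message arrived on is the only thing that
# distinguishes the two devices, since both report the same hostname.
log { source(s_ap1); destination(d_ap1); };
log { source(s_ap2); destination(d_ap2); };
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before restarting, and confirm both ports are bound afterwards (for example with `netstat -ulnp` or `ss -ulnp`). Because UDP syslog carries no authentication and the source address can be spoofed, the firewall rules in the diagram should permit only the APs' public (NAT) address to reach ports 514 and 515 on the server rather than the whole Internet.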

