[syslog-ng] Quick set of eyeballs on this

James Lay jlay at slave-tothe-box.net
Mon Aug 25 23:47:44 CEST 2014


On 2014-08-25 15:39, Balint Kovacs wrote:
> Hi,
>
>  just a guess, but as far as I can remember, the ASA-* part is usually
> in the program field, try the program() filter instead of message() in
> f_firewall.
>
>  Balint
>
> On 25 August 2014, 22:48:05 CEST, James Lay
> <jlay at slave-tothe-box.net> wrote:
>
>> Can anyone see anything blatantly wrong with this? The goal is to
>> syslog as usual, but to forward firewall messages to a different
>> server.
>> Thanks for looking all.
>>
>> James
>>
>> @version:3.3.5
>> options {
>> use_dns(no);
>> flush_lines(0);
>> stats_freq(43200);
>> };
>>
>> source s_local {
>> unix-stream("/dev/log");
>> udp(ip(0.0.0.0) port(514));
>> tcp(ip(0.0.0.0) port(514));
>> file("/proc/kmsg");
>> };
>>
>> destination d_file {
>> file("/var/log/messages");
>> };
>>
>> destination d_syslogserver { udp ("x.x.x.x", port(7514)); };
>>
>> filter f_syslogfilter {
>> not (
>> message("0x0004")
>> or message("169.254.")
>> or message("192.168.")
>> );
>> };
>>
>> filter f_firewall {
>> message("ASA-4-71005")
>>
>> or
>> message("ASA-2-106100")
>> };
>>
>> log {
>> source(s_local);
>> filter(f_syslogfilter);
>> destination(d_file);
>> };
>>
>> log {
>> source(s_local);
>> filter(f_firewall);
>> destination(d_syslogserver);
>> };
>>
>> -------------------------

Ah thank you...I've just been testing using logger.  I'll adjust and 
try this with program().  Thanks again.

James
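
An added example, not part of the original thread and not the syslog-ng project's own configuration: one way to confirm which parsed field carries the ASA tag, and a version of f_firewall (replacing the posted one) that matches it in either field. It reuses s_local and d_syslogserver from the posted configuration; d_fielddebug and its file path are hypothetical names.

```conf
# Added example. d_fielddebug and /var/log/field-debug.log are hypothetical.
# Write the parsed fields separately so it is visible whether "ASA-..."
# ends up in PROGRAM or in the message text.
destination d_fielddebug {
    file("/var/log/field-debug.log"
         template("host=${HOST} program=[${PROGRAM}] msg=[${MSG}]\n"));
};

# Temporary, unfiltered path: shows every message as parsed, including
# the ones f_firewall currently fails to match. Remove it once the field
# is confirmed.
log {
    source(s_local);
    destination(d_fielddebug);
};

# Same patterns as the posted f_firewall, checked against both fields.
filter f_firewall {
    program("ASA-4-71005")
    or program("ASA-2-106100")
    or message("ASA-4-71005")
    or message("ASA-2-106100")
};

log {
    source(s_local);
    filter(f_firewall);
    destination(d_syslogserver);
};
```

A test line sent with logger under its default tag carries that tag in PROGRAM and the typed text in MSG, so it can match message() even when traffic from the firewall itself would not; check the debug file against real device messages.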