[syslog-ng] Regex Solaris from Linux hosts in Syslog-ng config file

Jakub Jankowski shasta at toxcorp.com
Sun Nov 1 11:57:13 CET 2015

On 30.10.2015 16:15, PÁSZTOR György wrote:
> Hello vijay,
> "Evan Rempel" <erempel at uvic.ca> írta 2015-10-29 17:54-kor:
>> Before I get too deep into how this is done, can I ask why you want to
>> separate your logs for solaris and linux?
>> On 10/29/2015 01:06 PM, vijay amruth wrote:
>>> Thank you Evan.
>>> Right now, we add a solaris server every time we spin one,
>>> it's like this,
>>> filter f_solaris {
>>>         host('x.x.x.x') or host('x.x.x.2') or
>>>         host('x.x.x.3') or host('x.x.x.4') or
>>>         host('hostname1') or host('hostname2')
>>>         }
>>> So every time we spin a server we just go and add it manually to the
>>> config file, either with its host name or the ip.
>>> I want to be able to automate with filter functions and or regex so
>>> that I don't have to add manually to the config file on the server
>>> every time.
>>> There is a similar config for linux hosts too
>>> Hope I am clear. Appreciate you taking your time out for this.
> [... snip ...]
> I cannot imagine a solution, why should linux and solaris clients have the
> same config.
> But if we assume this ridiculous idea, and the only distinction you have
> the IP address list, you still have an option to handle this situation
> well:
> If the receiving machine is a linuxbox, then you can create an iptables
> rule, and match for linux clients, and DNAT the logs, which would come to
> this imaginary 1001 port, and redirect them to port 1002.
> and do another dnat rule, which would match for solaris client and would
> redirect traffic which would come to port 1001 to reach port 1003.
> A simple example:
> iptables -t nat -I PREROUTING -s -m tcp -p tcp --dport 1001 -j REDIRECT --to-port 1002
> A better solution, if you do not match the linux clients based on this kind
> of single IP address. Use an ipset match rule instead of this.
> In that case you need only two iptables rule, and some ipset maintenance.
> eg. the mentioned iptables rule would be this:
> iptables -t nat -I PREROUTING -m set --match-set linux src -m tcp -p tcp --dport 1001 -j REDIRECT --to-port 1002
> And the set creation:
> ipset create linux hash:ip
> ipset add linux
> ipset add linux
> ...
> Once you are done with that you can save the rules, and restore them on
> boot time.
> Saving:
> ipset save >/etc/myipset
> Restoring:
> ipset restore </etc/myipset
> Something you need to care about:
> Do the restore first, and then load the iptables rule!
> The iptables rule needs the ipset to be already created. It does not matter
> if you did not load any entries into it. But it will not allow your iptables
> rule regarding a set until the set exists.

Well, how is this any better than specifying clients' IP 
addresses/hostnames in syslog-ng.conf?
> I hope you have enough lego blocks in your hand now to solve the problem in
> an effective way! ;-)
> Kind regards,
> Gyu

Let me suggest another idea: if Vijay has control over clients' 
hostnames, you could devise a simple host naming scheme, where you encode 
some metadata in the client's hostname, for example: you could name all 
Solaris clients with a hostname that starts with "s", and all Linux 
clients with a hostname that starts with "l", then it's dead easy to 
match that in syslog-ng configuration. Downside is that it is painful to 
introduce. But you could use a mixed approach, where all the existing 
clients keep their hostnames (and you put them explicitly in the 
filter), and all the new ones get named with this naming scheme.


Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
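The following syslog-ng configuration is an added illustration of the hostname-prefix scheme and the mixed approach described in this message; it is not part of the thread and not a configuration from Vijay's servers. Host names (x.x.x.x, hostname1), paths, port and the "s"/"l" prefixes are assumptions for the example. The host() filter takes a regular expression in syslog-ng's default (POSIX) regex syntax, so the ^ anchor is what makes the match a prefix match rather than "anywhere in the name".

```conf
# Added example, not from the original thread.
# Precondition: the HOST macro must contain the client's hostname, not its IP.
# keep_hostname(yes) trusts the hostname the client sends; use_dns(yes) would
# resolve the source IP instead. Either is fine as long as the naming scheme
# is reflected in what ends up in ${HOST}.
options {
    keep_hostname(yes);
    use_dns(no);
    create_dirs(yes);
};

source s_net {
    # Assumed listener; port and transport are illustrative.
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Mixed approach: legacy hosts stay listed explicitly, new hosts are
# matched by the prefix of their hostname. The ^ anchor matters: host("s")
# alone would match every hostname that merely contains an "s".
filter f_solaris {
    host("^s")
    or host("x.x.x.x")      # legacy Solaris box, listed explicitly (placeholder)
    or host("hostname1");   # legacy Solaris box, listed explicitly (placeholder)
};

filter f_linux {
    host("^l")
    or host("hostname2");   # legacy Linux box, listed explicitly (placeholder)
};

# Anything that matches neither scheme lands in a catch-all file so a
# mis-named or unknown client is noticed instead of silently dropped.
filter f_unclassified {
    not filter(f_solaris) and not filter(f_linux);
};

destination d_solaris      { file("/var/log/remote/solaris/${HOST}.log"); };
destination d_linux        { file("/var/log/remote/linux/${HOST}.log"); };
destination d_unclassified { file("/var/log/remote/unclassified/${HOST}.log"); };

log { source(s_net); filter(f_solaris);      destination(d_solaris); };
log { source(s_net); filter(f_linux);        destination(d_linux); };
log { source(s_net); filter(f_unclassified); destination(d_unclassified); };
```

With keep_hostname(yes) the classification rests on a hostname the client itself reports, so a client that sends a wrong or forged name is filed under the wrong directory; the unclassified destination gives an operator a place to look when a new server shows up without following the scheme. Check the result with syslog-ng -s after editing, since a bad regex in host() is rejected at config load.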
