[syslog-ng] Regex Solaris from Linux hosts in Syslog-ng config file

Evan Rempel erempel at uvic.ca
Mon Nov 2 23:36:52 CET 2015


If all of the solaris hosts log to a different port or IP address, then there is no need to place hosts into the syslog configuration file.
Every log message sent to the special IP/port is assumed to be from a solaris host. Then you just store them into a destination of your choosing.

Evan.

On 11/02/2015 02:18 PM, vijay amruth wrote:
> @Evan, right now we are just adding the hosts manually to the syslog file. Is there a way by which I don't need to add the hosts manually to the file?
>
> ~Vijay
>
> On Thu, Oct 29, 2015 at 5:54 PM, Evan Rempel <erempel at uvic.ca <mailto:erempel at uvic.ca>> wrote:
>
>     Before I get too deep into how this is done, can I ask why you want to
>     separate your logs for solaris and linux?
>
>
>
>     On 10/29/2015 01:06 PM, vijay amruth wrote:
>>     Thank you Evan.
>>
>>     Right now, we add a Solaris server every time we spin one up;
>>
>>     it's like this:
>>
>>     filter f_solaris {
>>             host('x.x.x.x') or host('x.x.x.2') or
>>             host('x.x.x.3') or host('x.x.x.4') or
>>             host('hostname1') or host('hostname2')
>>             };
>>
>>     So every time we spin up a server we just go and add it manually to the config file, either with its host name or its IP.
>>     I want to be able to automate this with filter functions and/or regex so that I don't have to add it manually to the config file on the server every time.
>>     There is a similar config for Linux hosts too.
>>
>>     Hope I am clear. Appreciate you taking your time out for this.
>>
>>     ~Vj
>>
>>
>>
>>     On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <erempel at uvic.ca <mailto:erempel at uvic.ca>> wrote:
>>
>>         The syslog server has to listen on the ipaddress:port combination.
>>         The solaris hosts need to syslog to the new ipaddress:port combination.
>>
>>         Since I don't know how you are processing your log lines in your syslog-ng configuration it is difficult to provide a lot of guidance, but here are a couple of examples.
>>
>>         ---- option #1
>>         Using a completely different source. - you must fill in the IP addresses and port numbers
>>
>>         source s_regular_syslog {
>>                 tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
>>                 };
>>
>>         source s_solaris_syslog {
>>                 tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
>>                 };
>>
>>
>>         log { source(s_regular_syslog); destination(d_regular_destination); };
>>         log { source(s_solaris_syslog); destination(d_solaris_syslog); };
>>
>>
>>         ---- option #2
>>         Using a tagged source. - you must fill in the IP addresses and port numbers
>>
>>         source s_all_syslog {
>>                 tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
>>                 tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
>>                 };
>>
>>         filter f_solaris { tags("solaris_syslog"); };
>>
>>         log {
>>             source(s_all_syslog);
>>             log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
>>             log { destination(d_regular_destination); };
>>         };
>>
>>
>>
>>         I hope that gives you the basics of what is needed.
>>
>>
>>         On 10/29/2015 12:41 PM, vijay amruth wrote:
>>>         Thank you Evan, great idea!
>>>         Can we achieve this with regex on syslog-ng.conf file on the server side?
>>>
>>>         Thank you,
>>>         ~Vj
>>>
>>>         On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel at uvic.ca <mailto:erempel at uvic.ca>> wrote:
>>>
>>>             You could use a second interface on the syslog servers and configure the solaris servers to use this alternate IP address.
>>>             You could also use a different port.
>>>             Then you could tag the source with "solaris" and then use the tag filtering to separate those message out of the mix.
>>>
>>>             Just my $0.02
>>>
>>>
>>>             On 10/29/2015 12:22 PM, vijay amruth wrote:
>>>>             Thank you for the reply Balazs.
>>>>
>>>>             Can we use filter functions like this below ?
>>>>
>>>>             filter f_solaris {
>>>>             host('uname == solaris') }
>>>>
>>>>             My idea is to identify solaris servers.
>>>>
>>>>             Thanks all,
>>>>             ~Vj
>>>>
>>>>             On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler <bazsi77 at gmail.com <mailto:bazsi77 at gmail.com>> wrote:
>>>>
>>>>                 Well, probably the only sensible way is to filter based on IP addresses.
>>>>
>>>>                 On Oct 29, 2015 6:09 AM, "vijay amruth" <vijayamruth at gmail.com <mailto:vijayamruth at gmail.com>> wrote:
>>>>
>>>>                     Hello All,
>>>>
>>>>                     We are drawing logs from several hosts, which include Solaris (10, 11) and Linux (CentOS, Ubuntu, RHEL), into syslog servers. I want to be able to separate the Solaris logs. Is there any pattern we can match for Solaris logs that you may know of?
>>>>
>>>>                     Thanks,
>>>>                     Vijay Amrut.
>>>>
>>>>                     ______________________________________________________________________________
>>>>                     Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>                     Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>                     FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>             -- 
>>>>             Thanks,
>>>>             Vijay Amrut.
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>         -- 
>>>         Thanks,
>>>         Vijay Amrut.
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>>
>>     -- 
>>     Thanks,
>>     Vijay Amrut.
>
>
>
> -- 
> Thanks,
> Vijay Amrut.
>
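As an added illustration (not Evan's posted configuration, and not from the syslog-ng project), here is option #2 from the thread written out as a complete syslog-ng configuration: one source with two listeners, each stamping its messages with a tag, so that no per-host list has to be maintained in the file. The IP addresses, ports, file paths and the `@version` line are assumed placeholders; the commented `netmask()` and `host()` filters are standard syslog-ng filter functions, shown as alternatives for the case where the Solaris hosts share a subnet or a naming convention (subnet and name pattern are constructed examples).

```conf
@version: 3.7

# Added example, not the configuration posted in the thread.
# Every IP, port and path below is a placeholder to be replaced.

# One source, two listeners. Solaris hosts are configured to send to
# 192.0.2.11:5140; everything else keeps using 192.0.2.10:514.
# The tag is set by the listener the message arrived on, so adding a new
# Solaris host needs no change to this file.
source s_all_syslog {
    tcp(localip("192.0.2.10") port(514)  tags("regular_syslog"));
    tcp(localip("192.0.2.11") port(5140) tags("solaris_syslog"));
};

# Route on the listener-assigned tag.
filter f_solaris { tags("solaris_syslog"); };

# Alternatives that also avoid a hand-maintained host list (constructed):
#   filter f_solaris_net  { netmask("10.20.0.0/16"); };   # Solaris subnet
#   filter f_solaris_name { host("^sol[0-9]+"); };        # naming convention

destination d_solaris_syslog      { file("/var/log/solaris/${HOST}.log"); };
destination d_regular_destination { file("/var/log/remote/${HOST}.log"); };

log {
    source(s_all_syslog);
    # Solaris path first; flags(final) stops a matched message from also
    # reaching the regular destination below.
    log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
    log { destination(d_regular_destination); };
};
```

Check the file with `syslog-ng --syntax-only -f /path/to/this.conf` before reloading. One caveat on what each filter actually proves: `tags()` shows which listener the message arrived on, `netmask()` trusts the sender's source IP, and `host()` trusts the HOST field the sender puts in the message, which any client can set; if the separation matters for more than storage, the listener-based routing is the one to rely on.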
