[syslog-ng] Regex Solaris from Linux hosts in Syslog-ng config file

vijay amruth vijayamruth at gmail.com
Thu Nov 5 00:44:29 CET 2015


Thank you Evan, I just recommended that option.
I'll keep you posted.

~Vj

On Mon, Nov 2, 2015 at 2:36 PM, Evan Rempel <erempel at uvic.ca> wrote:

> If all of the solaris hosts log to a different port or IP address, then
> there is no need to place hosts into the syslog configuration file.
> Every log message sent to the special IP/port is assumed to be from a
> solaris host. Then you just store them into a destination of your choosing.
>
> Evan.
>
>
> On 11/02/2015 02:18 PM, vijay amruth wrote:
>
> @Evan, right now we are just adding the hosts manually to the syslog file.
> Is there a way by which I don't need to add the hosts manually to the
> file?
>
> ~Vijay
>
> On Thu, Oct 29, 2015 at 5:54 PM, Evan Rempel <erempel at uvic.ca> wrote:
>
>> Before I get too deep into how this is done, can I ask why you want to
>> separate your logs for solaris and linux?
>>
>>
>>
>> On 10/29/2015 01:06 PM, vijay amruth wrote:
>>
>> Thank you Evan.
>>
>> Right now, we add a Solaris server every time we spin one up.
>>
>> It's like this:
>>
>> filter f_solaris {
>>         host('x.x.x.x') or host('x.x.x.2') or
>>         host('x.x.x.3') or host('x.x.x.4') or
>>         host('hostname1') or host('hostname2');
>>         };
>>
>> So every time we spin up a server we just go and add it manually to the
>> config file, either with its host name or its IP.
>> I want to be able to automate this with filter functions and/or regex so that
>> I don't have to add it manually to the config file on the server every time.
>> There is a similar config for Linux hosts too.
>>
>> Hope I am clear. Appreciate you taking your time out for this.
>>
>> ~Vj
>>
>>
>>
>> On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <erempel at uvic.ca> wrote:
>>
>>> The syslog server has to listen on the ipaddress:port combination.
>>> The solaris hosts need to syslog to the new ipaddress:port combination.
>>>
>>> Since I don't know how you are processing your log lines in your
>>> syslog-ng configuration it is difficult to provide a lot of guidance, but
>>> here are a couple of examples.
>>>
>>> ---- option #1
>>> Using a completely different source. - you must fill in the IP addresses
>>> and port numbers
>>>
>>> source s_regular_syslog {
>>>         tcp(localip(regularIP) port(regularPort) max_connections(5000)
>>> log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
>>>         };
>>>
>>> source s_solaris_syslog {
>>>         tcp(localip(solarisIP) port(solarisPort) max_connections(5000)
>>> log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
>>>         };
>>>
>>>
>>> log { source(s_regular_syslog); destination(d_regular_destination); };
>>> log { source(s_solaris_syslog); destination(d_solaris_syslog); };
>>>
>>>
>>> ---- option #2
>>> Using a tagged source. - you must fill in the IP addresses and port
>>> numbers
>>>
>>> source s_all_syslog {
>>>         tcp(localip(regularIP) port(regularPort) max_connections(5000)
>>> log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
>>>         tcp(localip(solarisIP) port(solarisPort) max_connections(5000)
>>> log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
>>>         };
>>>
>>> filter f_solaris { tags("solaris_syslog"); };
>>>
>>> log {
>>>     source(s_all_syslog);
>>>     log { filter(f_solaris); destination(d_solaris_syslog);
>>> flags(final); };
>>>     log { destination(d_regular_destination); };
>>> };
>>>
>>>
>>>
>>> I hope that gives you the basics of what is needed.
>>>
>>>
>>> On 10/29/2015 12:41 PM, vijay amruth wrote:
>>>
>>> Thank you Evan, great idea!
>>> Can we achieve this with regex on syslog-ng.conf file on the server side?
>>>
>>> Thank you,
>>> ~Vj
>>>
>>> On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel at uvic.ca> wrote:
>>>
>>>> You could use a second interface on the syslog servers and configure
>>>> the solaris servers to use this alternate IP address.
>>>> You could also use a different port.
>>>> Then you could tag the source with "solaris" and then use the tag
>>>> filtering to separate those message out of the mix.
>>>>
>>>> Just my $0.02
>>>>
>>>>
>>>> On 10/29/2015 12:22 PM, vijay amruth wrote:
>>>>
>>>> Thank you for the reply, Balazs.
>>>>
>>>> Can we use filter functions like this below ?
>>>>
>>>> filter f_solaris {
>>>>         host('uname == solaris') }
>>>>
>>>> My idea is to identify solaris servers.
>>>>
>>>> Thanks all,
>>>> ~Vj
>>>>
>>>> On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>>>>
>>>>> Well, probably the only sensible way is to filter based on IP
>>>>> addresses.
>>>>> On Oct 29, 2015 6:09 AM, "vijay amruth" <vijayamruth at gmail.com> wrote:
>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> We are drawing logs from several hosts, which include Solaris (10, 11) and
>>>>>> Linux (CentOS, Ubuntu, RHEL), into syslog servers. I want to be able to
>>>>>> separate the Solaris logs. Is there any pattern we can match for Solaris
>>>>>> logs that you may know of?
>>>>>>
>>>>>> Thanks,
>>>>>> Vijay Amrut.
>>>>>>
>>>>>>
>>>>>> ______________________________________________________________________________
>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Vijay Amrut.
>>>
>>>
>>> --
>>> Thanks,
>>> Vijay Amrut.
>>
>>
>> --
>> Thanks,
>> Vijay Amrut.
>>
>>
>
> --
> Thanks,
> Vijay Amrut.


-- 
Thanks,
Vijay Amrut.
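The following is a complete syslog-ng configuration that puts Evan's option #2 (two listeners on one source, tagged per listener, routed by tag) next to the IP-based filter Balazs suggested, and fills in the two destinations that the quoted snippets leave to the reader. It is an added example, not Evan's or the syslog-ng project's own configuration. The collector address 192.0.2.10, the ports 514 and 1514, the Solaris address range 192.0.2.128/25, the file paths under /var/log/remote and the @version line are assumptions; replace them with your own values.

```syslog-ng
@version: 3.7
# Added example; assumed addresses, ports, ranges and paths throughout.

source s_all_syslog {
    # Everything that arrives on the regular port is tagged "regular_syslog" ...
    tcp(localip("192.0.2.10") port(514)
        max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
        tags("regular_syslog"));
    # ... and everything on the dedicated port is tagged "solaris_syslog".
    # The tag is attached by the collector according to the listener the
    # connection came in on; nothing in the message itself can change it.
    tcp(localip("192.0.2.10") port(1514)
        max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
        tags("solaris_syslog"));
};

# Route by tag (Evan's option #2).
filter f_solaris { tags("solaris_syslog"); };

# Alternative when the Solaris hosts cannot be repointed to another port but
# live in an address range of their own (Balazs's suggestion). netmask()
# tests the address the message was received from, whereas host() tests the
# hostname field written into the message by the sender.
filter f_solaris_by_ip { netmask("192.0.2.128/25"); };

# One file per sending address and day. ${SOURCEIP} is the peer address seen
# by the collector, so the directory name is not taken from the message body.
destination d_solaris_syslog {
    file("/var/log/remote/solaris/${SOURCEIP}/${YEAR}${MONTH}${DAY}.log"
         create_dirs(yes) dir_perm(0750) perm(0640));
};

destination d_regular_destination {
    file("/var/log/remote/other/${SOURCEIP}/${YEAR}${MONTH}${DAY}.log"
         create_dirs(yes) dir_perm(0750) perm(0640));
};

log {
    source(s_all_syslog);
    # Solaris messages go to their own destination and stop here (flags(final)) ...
    log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
    # ... everything else falls through to the regular destination.
    # To route by address range instead, swap f_solaris for f_solaris_by_ip.
    log { destination(d_regular_destination); };
};
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before reloading. A sender that can only speak UDP needs a matching `udp(localip(...) port(...) tags(...))` entry in the same source; the tag-based routing is unchanged. Note that a Solaris host left pointing at port 514 is filed as a regular host, and the netmask() variant only separates cleanly when no Linux host shares the range, so pick whichever property (port or address range) you can actually enforce at provisioning time.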