[syslog-ng] Regex Solaris from Linux hosts in Syslog-ng config file

Evan Rempel erempel at uvic.ca
Thu Oct 29 20:51:32 CET 2015


The syslog server has to listen on the ipaddress:port combination.
The solaris hosts need to syslog to the new ipaddress:port combination.

Since I don't know how you are processing your log lines in your syslog-ng configuration, it is difficult to provide a lot of guidance, but here are a couple of examples.

---- option #1
Using a completely different source (you must fill in the IP addresses and port numbers).

source s_regular_syslog {
         tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
         };

source s_solaris_syslog {
         tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
         };


log { source(s_regular_syslog); destination(d_regular_destination); };
log { source(s_solaris_syslog); destination(d_solaris_syslog); };


---- option #2
Using a tagged source (you must fill in the IP addresses and port numbers).

source s_all_syslog {
         tcp(localip(regularIP) port(regularPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("regular_syslog") );
         tcp(localip(solarisIP) port(solarisPort) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) tags("solaris_syslog") );
         };

filter f_solaris { tags("solaris_syslog"); };

log {
         source(s_all_syslog);
         log { filter(f_solaris); destination(d_solaris_syslog); flags(final); };
         log { destination(d_regular_destination); };
         };



I hope that gives you the basics of what is needed.

On 10/29/2015 12:41 PM, vijay amruth wrote:
> Thank you Evan, great idea!
> Can we achieve this with regex on syslog-ng.conf file on the server side?
>
> Thank you,
> ~Vj
>
> On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel at uvic.ca <mailto:erempel at uvic.ca>> wrote:
>
>     You could use a second interface on the syslog servers and configure the solaris servers to use this alternate IP address.
>     You could also use a different port.
>     Then you could tag the source with "solaris" and then use the tag filtering to separate those messages out of the mix.
>
>     Just my $0.02
>
>
>     On 10/29/2015 12:22 PM, vijay amruth wrote:
>>     Thank you for the reply, Balazs.
>>
>>     Can we use filter functions like this below ?
>>
>>     filter f_solaris {
>>             host('uname == solaris') }
>>
>>     My idea is to identify solaris servers.
>>
>>     Thanks all,
>>     ~Vj
>>
>>     On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler <bazsi77 at gmail.com <mailto:bazsi77 at gmail.com>> wrote:
>>
>>         Well, probably the only sensible way is to filter based on IP addresses.
>>
>>         On Oct 29, 2015 6:09 AM, "vijay amruth" <vijayamruth at gmail.com <mailto:vijayamruth at gmail.com>> wrote:
>>
>>             Hello All,
>>
>>             We are drawing logs from several hosts, which include Solaris (10, 11) and Linux (CentOS, Ubuntu, RHEL), into syslog servers. I want to be able to separate the Solaris logs. Is there any pattern we can match for Solaris logs that you may know?
>>
>>             Thanks,
>>             Vijay Amrut.
>>
>>             ______________________________________________________________________________
>>             Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>             Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>             FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>>
>>     -- 
>>     Thanks,
>>     Vijay Amrut.
>>
>
>
>
> -- 
> Thanks,
> Vijay Amrut.
>
>
>


-- 
Evan Rempel                                      erempel at uvic.ca
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria
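
The IP-based alternative Balazs mentions, written out as an added example rather than anything posted in the thread: a single listener plus a netmask() filter routes by the sending address instead of by a separate IP/port. The version line, port, subnet and destination paths are placeholders, and the two destinations are assumed because the thread never defines them.

```conf
@version: 3.5

# One listener for every host; the port is a placeholder (constructed).
source s_all_syslog {
    tcp(ip(0.0.0.0) port(514) max_connections(5000));
};

# Placeholder subnet (RFC 5737 documentation range) standing in for the
# Solaris network. netmask() tests the address of the TCP peer that
# delivered the message, not the client-supplied HOST field, so a host
# cannot move itself into the Solaris path by sending a forged hostname.
# The same property means a relay in front of syslog-ng would make every
# message appear to come from the relay; tag at the relay in that case.
filter f_solaris_net { netmask("192.0.2.0/24"); };

# Assumed destinations; d_solaris_syslog and d_regular_destination are
# referenced in the thread but never defined there.
destination d_solaris_syslog      { file("/var/log/solaris/${HOST}/messages"); };
destination d_regular_destination { file("/var/log/hosts/${HOST}/messages"); };

log {
    source(s_all_syslog);
    # flags(final) ends processing for matched messages, so Solaris logs
    # are not also written to the regular destination.
    log { filter(f_solaris_net); destination(d_solaris_syslog); flags(final); };
    log { destination(d_regular_destination); };
};
```

Run `syslog-ng --syntax-only -f <file>` against the file before reloading, which catches the kind of missing semicolon that breaks a nested log block.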
