[syslog-ng] Regex Solaris from Linux hosts in Syslog-ng config file

Evan Rempel erempel at uvic.ca
Fri Oct 30 01:54:35 CET 2015 

Before I get too deep into how this is done, can I ask why you want to
separate your logs for solaris and linux?


On 10/29/2015 01:06 PM, vijay amruth wrote:
> Thank you Evan.
>
> Right now, we add a solaris server everytime we spin one,
>
> its like this,
>
> filter f_solaris {
>         host('x.x.x.x') or host('x.x.x.2') or
>         host('x.x.x.3') or host('x.x.x.4') or
>         host('hostname1) or (hostname2)
>         }
>
> So everytime we spin a server we just go and add it manually to the 
> config file, either with its host name or the ip.
> I want to be able to automate with filter functions and or regex so 
> that I don't have to add manually to the config file on the server 
> everytime.
> There is a similar config for linux hosts too
>
> Hope I am clear. Appreciate you taking your time out for this.
>
> ~Vj
>
>
>
> On Thu, Oct 29, 2015 at 12:51 PM, Evan Rempel <erempel at uvic.ca 
> <mailto:erempel at uvic.ca>> wrote:
>
>     The syslog server has to listen on the ipaddress:port combination.
>     The solaris hosts need to syslog to the new ipaddress:port
>     combination.
>
>     Since I don't know how you are processing your log lines in your
>     syslog-ng configuration it is difficult to provide a lot of
>     guidance, but here are a couple of examples.
>
>     ---- option #1
>     Using a completely different source. - you must fill in the IP
>     addresses and port numbers
>
>     source s_regular_syslog {
>             tcp(localip(regularIP) port(regularPort)
>     max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
>     tags("regular_syslog") );
>             };
>
>     source s_solaris_syslog {
>             tcp(localip(solarisIP) port(solarisPort)
>     max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
>     tags("solaris_syslog") );
>             };
>
>
>     log { source(s_regular_syslog); destination(d_regular_destination); };
>     log { source(s_solaris_syslog); destination(d_solaris_syslog); };
>
>
>     ---- option #2
>     Using a tagged source. - you must fill in the IP addresses and
>     port numbers
>
>     source s_all_syslog {
>             tcp(localip(regularIP) port(regularPort)
>     max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
>     tags("regular_syslog") );
>             tcp(localip(solarisIP) port(solarisPort)
>     max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000)
>     tags("solaris_syslog") );
>             };
>
>     filter f_solaris { tags("solaris_syslog"); };
>
>     log {
>         source(s_all_syslog)
>         log { filter(f_solaris); destination(d_solaris_syslog);
>     flags(final); };
>         log { destination(d_regular_destination); };
>     };
>
>
>
>     I hope that gives you the basics of what is needed.
>
>
>     On 10/29/2015 12:41 PM, vijay amruth wrote:
>>     Thank you Evan, great idea!
>>     Can we achieve this with regex on syslog-ng.conf file on the
>>     server side?
>>
>>     Thank you,
>>     ~Vj
>>
>>     On Thu, Oct 29, 2015 at 12:25 PM, Evan Rempel <erempel at uvic.ca
>>     <mailto:erempel at uvic.ca>> wrote:
>>
>>         You could use a second interface on the syslog servers and
>>         configure the solaris servers to use this alternate IP address.
>>         You could also use a different port.
>>         Then you could tag the source with "solaris" and then use the
>>         tag filtering to separate those message out of the mix.
>>
>>         Just my $0.02
>>
>>
>>         On 10/29/2015 12:22 PM, vijay amruth wrote:
>>>         Thank you fo rthe reply Balazs.
>>>
>>>         Can we use filter functions like this below ?
>>>
>>>         filter f_solaris {
>>>                 host('uname == solaris') }
>>>
>>>         My idea is to identify solaris servers.
>>>
>>>         Thanks all,
>>>         ~Vj
>>>
>>>         On Thu, Oct 29, 2015 at 12:59 AM, Balazs Scheidler
>>>         <bazsi77 at gmail.com <mailto:bazsi77 at gmail.com>> wrote:
>>>
>>>             Well, probably the only sensible way is to filter based
>>>             on IP addresses.
>>>
>>>             On Oct 29, 2015 6:09 AM, "vijay amruth"
>>>             <vijayamruth at gmail.com <mailto:vijayamruth at gmail.com>>
>>>             wrote:
>>>
>>>                 Hello All,
>>>
>>>                 We are drawing logs from several hosts which include
>>>                 solaris(10,11) , linux (centos, ubuntu, rhel) into
>>>                 syslog servers, I want to be able to separate
>>>                 solaris logs, is there any pattern we can match for
>>>                 solaris logs that you may know ?
>>>
>>>                 Thanks,
>>>                 Vijay Amrut.
>>>
>>>                 ______________________________________________________________________________
>>>                 Member info:
>>>                 https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>                 Documentation:
>>>                 http://www.balabit.com/support/documentation/?product=syslog-ng
>>>                 FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>>             ______________________________________________________________________________
>>>             Member info:
>>>             https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>             Documentation:
>>>             http://www.balabit.com/support/documentation/?product=syslog-ng
>>>             FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>>
>>>
>>>         -- 
>>>         Thanks,
>>>         Vijay Amrut.
>>>
>>
>>
>>         ______________________________________________________________________________
>>         Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>         Documentation:
>>         http://www.balabit.com/support/documentation/?product=syslog-ng
>>         FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>>
>>
>>     -- 
>>     Thanks,
>>     Vijay Amrut.
>>
>>
>>     ______________________________________________________________________________
>>     Member info:https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>     Documentation:http://www.balabit.com/support/documentation/?product=syslog-ng
>>     FAQ:http://www.balabit.com/wiki/syslog-ng-faq
>>
>
>
>     -- 
>     Evan Rempelerempel at uvic.ca <mailto:erempel at uvic.ca>
>     Senior Systems Administrator250.721.7691 <tel:250.721.7691>
>     Data Centre Services, University Systems, University of Victoria
>
>
>     ______________________________________________________________________________
>     Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>     Documentation:
>     http://www.balabit.com/support/documentation/?product=syslog-ng
>     FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
>
>
> -- 
> Thanks,
> Vijay Amrut.
>
>
> This body part will be downloaded on demand.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20151029/0c51607f/attachment-0001.htm

More information about the syslog-ng mailing list