[syslog-ng] syslog-ng filters not working

SZIGETVÁRI János jszigetvari at gmail.com
Wed Aug 3 19:04:25 CEST 2016


Hello Christian,

Syslog-ng would issue a warning had there been a syntax error. (You can
check your config files for syntax errors with the -svf <configfile>
parameters set.)

To me it seems that the filter you've set up for that specific IP range
"f_devenv01_04net" is not the same that you seem to be using in your log
stanza ("f_devenv_04net").

Best Regards,
János Szigetvári

-- 
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>


2016-08-03 17:52 GMT+02:00 Christian Turner <cturner at highroads.com>:

> Hi,
>
> I have the following filter configured;
>
> source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
> filter f_devenv01_04net { netmask(10.22.209.0/24); };
> destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
> log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
>
> However, the filter does not work, and the logs from this source all go to
> the generic logging destination.
>
> I perform an strace and I can see that the IP appears as expected, so I’m
> figuring I have a syntax error somewhere;
>
> [pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1
> [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785),
> sin_addr=inet_addr("*10.22.209.10*")}, [16]) = 265
>
> *Christian Turner*
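
Added example, not part of the original message or of syslog-ng: a Python cross-check that lists names referenced in log statements without a matching definition, and definitions that no log statement uses, run here on the configuration quoted in the thread. The regex-based parsing is a simplification that assumes no nested braces inside log statements and does not follow include files.

```python
import re
import sys

KINDS = "source|filter|destination|parser|rewrite"
# "kind name {" at the start of a line is a definition.
DEF_RE = re.compile(r'^\s*(%s)\s+([\w.-]+)\s*\{' % KINDS, re.M)
# Body of a log statement; assumes no nested braces inside it.
LOG_RE = re.compile(r'^\s*log\s*\{(.*?)\}\s*;', re.M | re.S)
# "kind(name)" inside a log statement is a reference.
REF_RE = re.compile(r'\b(%s)\s*\(\s*([\w.-]+)\s*\)' % KINDS)

# Constructed sample: the configuration quoted in the message, line wraps rejoined.
SAMPLE_CONFIG = r'''
source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
'''


def strip_comments(text):
    """Remove '#' comments but keep '#' characters inside double-quoted strings."""
    return re.sub(r'("(?:\\.|[^"\\])*")|#[^\n]*', lambda m: m.group(1) or "", text)


def cross_check(config_text):
    """Return (undefined, unused): names referenced in log statements but never
    defined, and names defined but never referenced, as sorted (kind, name) lists."""
    text = strip_comments(config_text)
    defined = set(DEF_RE.findall(text))
    used = set()
    for body in LOG_RE.findall(text):
        used.update(REF_RE.findall(body))
    return sorted(used - defined), sorted(defined - used)


if __name__ == "__main__":
    # With a config file path as the only argument that file is checked;
    # without one, the constructed sample above is used.
    config = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    undefined, unused = cross_check(config)
    for kind, name in undefined:
        print("referenced but not defined: %s %s" % (kind, name))
    for kind, name in unused:
        print("defined but never referenced: %s %s" % (kind, name))
    sys.exit(1 if undefined else 0)
```

A name that appears in both lists with a near-identical spelling, as the filter does here, points to a typo rather than a missing object.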