[syslog-ng] syslog-ng filters not working
Gergely Csordás
sirnelkher at gmail.com
Wed Aug 3 19:43:00 CEST 2016
Hello,
The log message is the following from the strace:
> <182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]...
As I see the IP address is ::1 in the message, as the hostname (or IP
address) comes after the timestamp.
So in this case the IPv4 filter won't kick in for an IPv6 address.
Kind regards,
Gergely Csordás
On 08/03/2016 07:22 PM, Harsha S Aryan wrote:
>
> Still same issue
>
>
> On Aug 3, 2016 10:35 PM, "SZIGETVÁRI János" <jszigetvari at gmail.com> wrote:
>
> Hello Christian,
>
> Syslog-ng would issue a warning had there been a syntax error.
> (You can check your config files for syntax errors with the -svf
> <configfile> parameters set.)
>
> To me it seems that the filter you've set up for that specific IP
> range "f_devenv01_04net" is not the same that you seem to be using
> in your log stanza ("f_devenv_04net").
>
> Best Regards,
> János Szigetvári
>
> --
> Janos SZIGETVARI
> RHCE, License no. 150-053-692
> <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
>
> __ at __˚V˚
> Make the switch to open (source) applications, protocols, formats now:
> - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
> - msn -> jabber protocol (Pidgin, Google Talk)
> - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
>
>
> 2016-08-03 17:52 GMT+02:00 Christian Turner <cturner at highroads.com>:
>
> Hi,
>
>
>
> I have the following filter configured;
>
>
>
> source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
>
> filter f_devenv01_04net { netmask(10.22.209.0/24); };
>
> destination d_devenv_04net {
> file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log");
> };
>
> log {
> source(src_devenv01); filter(f_devenv_04net);
> destination(d_devenv_04net); flags(final); };
>
>
>
> However, the filter does not work, and the logs from this
> source all go to the generic logging destination.
>
>
>
> I perform an strace and I can see that the IP appears as
> expected, so I’m figuring I have a syntax error somewhere;
>
>
>
> [pid 28481] recvfrom(11, "<182>1
> 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0,
> {sa_family=AF_INET, sin_port=htons(58785),
> sin_addr=inet_addr("*10.22.209.10*")}, [16]) = 265
>
>
>
> *Christian Turner*
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
--
GPG: F9F734B5
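
Added example (not part of the original messages, and not syslog-ng code): a small Python check for the two things this thread looks at, namely names used in a log path that have no matching definition, and which of the addresses visible in the strace line fall inside the netmask() subnet. The regular expressions are a simplifying assumption and only handle flat configurations like the one posted.

```python
import ipaddress
import re

# Configuration as posted in the thread, with mail line wraps rejoined.
CONFIG = """
source src_devenv01 { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net { netmask(10.22.209.0/24); };
destination d_devenv_04net {
    file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log");
};
log {
    source(src_devenv01); filter(f_devenv_04net);
    destination(d_devenv_04net); flags(final); };
"""

# Simplified patterns (assumption): top-level named objects and flat log
# paths only; nested braces, junctions and inline definitions are not parsed.
DEF_RE = re.compile(r"^\s*(source|filter|destination)\s+([\w.-]+)\s*\{", re.M)
LOG_RE = re.compile(r"^\s*log\s*\{(.*?)\}\s*;", re.M | re.S)
REF_RE = re.compile(r"\b(source|filter|destination)\s*\(\s*([\w.-]+)\s*\)")
NETMASK_RE = re.compile(r"\bnetmask\s*\(\s*([^)\s]+)\s*\)")


def cross_reference(config):
    """Return (dangling, unused): names used in log paths but never defined,
    and names defined but never used, each as sorted (kind, name) pairs."""
    defined = set(DEF_RE.findall(config))
    used = {ref for body in LOG_RE.findall(config)
            for ref in REF_RE.findall(body)}
    return sorted(used - defined), sorted(defined - used)


def netmask_hits(config, addresses):
    """Map each netmask() subnet in the config to the addresses it contains."""
    hits = {}
    for cidr in NETMASK_RE.findall(config):
        net = ipaddress.ip_network(cidr, strict=False)
        hits[cidr] = [a for a in addresses if ipaddress.ip_address(a) in net]
    return hits


if __name__ == "__main__":
    dangling, unused = cross_reference(CONFIG)
    print("referenced but not defined:", dangling)
    print("defined but not referenced:", unused)
    # Both addresses visible in the strace line: UDP peer and header field.
    print(netmask_hits(CONFIG, ["10.22.209.10", "::1"]))
```

The syslog-ng documentation describes netmask() as matching the address of the host that sent the message to syslog-ng, not the HOST field in the message header.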