[syslog-ng] syslog-ng filters not working

Christian Turner cturner at highroads.com
Wed Aug 3 19:50:15 CEST 2016


@version: 3.2
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# https://www.balabit.com/support/documentation
#
@include "scl.conf"

options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (2048);
        chain_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (no);
        stats_freq(86400);
};

source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        unix-stream ("/dev/log");
        internal();
};

### MYAPP Dev  Logs ###

## DEVENV ##
source src_devenv      { udp(ip(0.0.0.0) port(514)); };

filter f_devenv_01ui   { netmask(10.22.206.0/24); };
filter f_devenv_02gw   { netmask(10.22.207.0/24); };
filter f_devenv_03api  { netmask(10.22.208.0/24); };
filter f_devenv_04net  { netmask( "10.22.209.0/24" ); };
filter f_devenv_05bat  { netmask(10.22.210.0/24); };

destination d_devenv_01ui   { file("/mnt/syslogng/MYAPPlogs/DEVENV/01ui-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_02gw   { file("/mnt/syslogng/MYAPPlogs/DEVENV/02gw-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_03api  { file("/mnt/syslogng/MYAPPlogs/DEVENV/03api-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_04net  { file("/mnt/syslogng/MYAPPlogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
destination d_devenv_05bat  { file("/mnt/syslogng/MYAPPlogs/DEVENV/05bat-$HOST-$YEAR$MONTH$DAY.log"); };

log { source(src_devenv); filter(f_devenv_01ui); destination(d_devenv_01ui); };
log { source(src_devenv); filter(f_devenv_02gw); destination(d_devenv_02gw); };
log { source(src_devenv); filter(f_devenv_03api); destination(d_devenv_03api); };
log { source(src_devenv); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };
log { source(src_devenv); filter(f_devenv_05bat); destination(d_devenv_05bat); };

## MYAPP ALL ##
source src_MYAPP { udp(ip(0.0.0.0) port(514)); };
destination d_MYAPP { file("/mnt/syslogng/MYAPPlogs/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_MYAPP); destination(d_MYAPP); };



#source external { tcp(); };
#source external { udp(); };

#destination d_hosts { file("/home/syslog/$HOST/application.log" owner("syslog") group("syslog") perm(0600)); };

destination d_mesg { file("/var/log/messages"); };
#destination d_cons { file("/dev/console"); };
#destination d_auth { file("/var/log/secure"); };
#destination d_mail { file("/var/log/maillog" flush_lines(10)); };
#destination d_spol { file("/var/log/spooler"); };
#destination d_boot { file("/var/log/boot.log"); };
#destination d_cron { file("/var/log/cron"); };
#destination d_kern { file("/var/log/kern"); };
#destination d_mlal { usertty("*"); };
#destination d_all { file("/var/log/splunk");  };

log { source(s_sys); destination(d_mesg); };
#log { source(external); destination(d_hosts); };


From: Christian Turner
Sent: Wednesday, August 3, 2016 11:53 AM
To: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
Subject: RE: syslog-ng filters not working

Hi,

I have the following filter configured:

source src_devenv01         { udp(ip(0.0.0.0) port(514)); };
filter f_devenv01_04net     { netmask(10.22.209.0/24); };
destination d_devenv_04net  { file("/mnt/syslogng/p2alogs/DEVENV/04net-$HOST-$YEAR$MONTH$DAY.log"); };
log { source(src_devenv01); filter(f_devenv_04net); destination(d_devenv_04net); flags(final); };

However, the filter does not work, and the logs from this source all go to the generic logging destination.

I perform an strace and I can see that the IP appears as expected, so I'm figuring I have a syntax error somewhere:

[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 [[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), sin_addr=inet_addr("10.22.209.10")}, [16]) = 265

Christian Turner
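Added here as an illustration, not part of the post or of syslog-ng itself: a small Python model of how syslog-ng walks the posted log paths in order, testing netmask() against the UDP sender address (what $SOURCEIP carries, not the hostname field inside the payload) and stopping at a matching path that carries flags(final). The subnets and destination names come from the config above; the sender address is parsed from the quoted strace line, and treating all paths as fed by one UDP source is an assumption made for the model.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the recvfrom() line quoted in the post, payload shortened.
STRACE_LINE = ('[pid 28481] recvfrom(11, "<182>1 2016-08-03T10:27:50.645062-04:00 ::1 '
               '[[REDACTED]]..., 8192, 0, {sa_family=AF_INET, sin_port=htons(58785), '
               'sin_addr=inet_addr("10.22.209.10")}, [16]) = 265')


def sender_ip(line: str) -> Optional[str]:
    """Extract the UDP sender address from an strace recvfrom() line.

    This is the address a netmask() filter compares against; the '::1'
    hostname field inside the syslog payload plays no part in that test.
    """
    m = re.search(r'sin_addr=inet_addr\("([^"]+)"\)', line)
    return m.group(1) if m else None


# Log paths in the order they appear in the posted config:
# (netmask() subnet or None for an unfiltered path, destination, flags(final)).
LOG_PATHS: List[Tuple[Optional[str], str, bool]] = [
    ("10.22.206.0/24", "d_devenv_01ui", False),
    ("10.22.207.0/24", "d_devenv_02gw", False),
    ("10.22.208.0/24", "d_devenv_03api", False),
    ("10.22.209.0/24", "d_devenv_04net", True),
    ("10.22.210.0/24", "d_devenv_05bat", False),
    (None, "d_MYAPP", False),  # the catch-all "MYAPP ALL" path
]


def route(ip: str, paths=LOG_PATHS) -> List[str]:
    """Return the destinations a message sent from `ip` reaches.

    Paths are evaluated top to bottom; a path whose netmask() does not
    contain the sender is skipped, and a matching path with flags(final)
    ends evaluation so later paths (including the catch-all) see nothing.
    """
    addr = ipaddress.ip_address(ip)
    reached = []
    for subnet, dest, final in paths:
        # An IPv6 sender (e.g. ::1) is never inside an IPv4 subnet.
        if subnet is not None and addr not in ipaddress.ip_network(subnet):
            continue
        reached.append(dest)
        if final:
            break
    return reached
```

Only the 04net path carries flags(final), so a sender in 10.22.206.0/24 lands in both its own file and the catch-all, while one in 10.22.209.0/24 stops at d_devenv_04net.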
