[syslog-ng] Syslog-ng Questions

Fekete, Róbert robert.fekete at balabit.com
Wed Feb 22 14:03:42 UTC 2017


Hi,

To achieve something like that, you have to use junctions.
You'll have one source with flags(no-parse), then embed a filter+parser
junction to process regular syslog messages, and another junction to
process the ones you cannot parse.

For details, see the 8.3 example at
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/junctions.html
and
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html

HTH,

Robert

On Wed, Feb 22, 2017 at 2:45 PM, 'Miah Lang' via SYSLOG-NG <
syslog-ng at balabit.com> wrote:

> Is it possible to configure multiple sources, one with flags(no-parse) and
> one without?
>
> e.g.
>
> source s_syslog-ports {
>         udp(port(514));
>         tcp(port(1514) max-connections(100));
>         tcp(port(514) max-connections(100));
> };
>
> source s_syslog_np-ports {
>         udp(port(514) flags(no-parse));
>         tcp(port(1514) max-connections(100) flags(no-parse));
>         tcp(port(514) max-connections(100) flags(no-parse));
> };
>
> filter f_Cisco-router { in-list("/etc/syslog-ng/filter/Cisco-router.txt", value("SOURCEIP")); };
>
> destination d_Cisco-router { file("/var/log/IT/network/router/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only)); };
>
> log { source(s_syslog-ports); filter(f_Cisco-router); destination(d_Cisco-router); };
>
> filter f_Cisco-switch { in-list("/etc/syslog-ng/filter/Cisco-switch.txt", value("SOURCEIP")); };
>
> destination d_Cisco-switch { file("/var/log/IT/network/switch/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only)); };
>
> log { source(s_syslog_np-ports); filter(f_Cisco-switch); destination(d_Cisco-switch); };
>
> Whenever I do this, I get an error message when restarting the service.
>
> “Job for syslog-ng.service failed because the control process exited with
> error code. See "systemctl status syslog-ng.service" and "journalctl -xe"
> for details.”
>
> “Cannot add dependency job for unit microcode.service, ignoring: Unit is
> not loaded properly: Invalid argument.”
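The junction layout suggested in the reply, sketched as an added example (not configuration posted by either participant). It assumes the f_Cisco-router and f_Cisco-switch filters, the d_Cisco-router and d_Cisco-switch destinations and the t_message-only template are defined as in the question, and that the switches are the hosts whose messages should stay unparsed:

```conf
# Added example. One source owns each listening port, so nothing tries to
# bind 514/1514 twice. flags(no-parse) keeps every message raw on arrival.
source s_syslog-ports {
        udp(port(514) flags(no-parse));
        tcp(port(1514) max-connections(100) flags(no-parse));
        tcp(port(514) max-connections(100) flags(no-parse));
};

log {
        source(s_syslog-ports);

        # The junction splits the flow, handles each kind of sender
        # differently, and merges the channels again afterwards.
        junction {
                # Senders listed in Cisco-switch.txt: leave the message unparsed.
                channel {
                        filter(f_Cisco-switch);
                };
                # Every other sender: apply the regular syslog parser.
                channel {
                        filter { not filter(f_Cisco-switch); };
                        parser { syslog-parser(); };
                };
        };

        # After the junction, route on the sender address as in the question.
        log { filter(f_Cisco-router); destination(d_Cisco-router); };
        log { filter(f_Cisco-switch); destination(d_Cisco-switch); };
};
```

Running `syslog-ng --syntax-only` against the edited file reports configuration errors before the service is restarted.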