[syslog-ng] How to get list of IPs

Fri May 12 17:54:53 UTC 2017

someone correct me if i’m wrong, but i don’t think there’s a good way to get this information directly from the syslog-ng daemon, especially if it’s restarted.  a more reliable way is to pull the data off disk.

depending on your log volume putting them into a database will allow you to easily do this with a single query.  i write about 20 million log lines into a mysql database every day so this should cover most use cases.  a query would look like one of these two (depends if you want a line count or not):

  mysql> select distinct host from syslog_table_20170511;
  mysql> select distinct host,count(*) as count from syslog_table_20170511 group by host order by count desc;

pulling from log files on disk is obviously takes longer to run but can be done with a one-liner like this:

  $ cat file.log | awk '{print $1}' | sort | uniq -c | sort -nr

another option is to write one log file per host and just run an ls to see which hosts have sent logs for the day, for example:

/loghost/YYYYMMDD/hostname.prv.log

the dynamic path can be setup using syslog-ng.

> On May 12, 2017, at 1:11 PM, Sathish Sundaravel <sathish.sundaravel at gmail.com> wrote:
> 
> Hi All
> 
> I have syslog Ng server running on Solaris platform and configured to receive or accept events from all unix servers in one single log file.
> 
> If I want to collect list of servers reporting to the log server , I have to manually extract list from a single log file which is too much time consuming . What would the best way ? 
> 
> Regards
> Sathish 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 