[syslog-ng] Help With filtering

Rose, Ed Ed_Rose at mentor.com
Thu Jul 19 17:58:15 UTC 2018


Hello All

I have syslog-ng 3.14 and I am trying to filter DNS logs. I have this working in a very old 2.0.9 version of syslog-ng, but it does not seem to want to work in the 3.14 environment. Can anyone help me out, as I am pretty new to administering syslog-ng?

Thanks
ed

Below is my code:
##New BlueCat config that doesn't work
# A filter body is a single boolean expression: the only ';' goes at its end.
# The stray ';' before each 'and' in the original splits the expression and breaks parsing.
# host() and program() are regular-expression matches, so ".*ddi-edns.*" matches any
# host name containing "ddi-edns"; flags(ignore-case) makes that match case-insensitive.
filter f_dhcpd { host(".*ddi-edns.*" flags(ignore-case)) and program("dhcpd"); };
destination d_dhcpd { file("/var/log2/gns-dmz/bluecat/${HOST}/dhcpd/log_${HOST}_dhcpd" perm(0640) group(splunk)); };
log { source(s_net); filter(f_dhcpd); destination(d_dhcpd); };

filter f_named { host(".*ddi-edns.*" flags(ignore-case)) and program("named"); };
destination d_named { file("/var/log2/gns-dmz/bluecat/${HOST}/named/log_${HOST}_named" perm(0640) group(splunk)); };
log { source(s_net); filter(f_named); destination(d_named); };

# level() lists the severities explicitly; messages outside the list (e.g. debug) match no filter and are not written anywhere.
filter f_other { level(info, notice, warn, err, crit) and host(".*ddi-edns.*" flags(ignore-case)) and not program("dhcpd") and not program("named"); };
destination d_other { file("/var/log2/gns-dmz/bluecat/${HOST}/messages/log_${HOST}_messages" perm(0640) group(splunk)); };
log { source(s_net); filter(f_other); destination(d_other); };

##Old BlueCat config that works
#filter f_hsi-ddi-edns-1 { host("hsi-ddi-edns-1"); };
#filter f_ies-ddi-edns-1 { host("ies-ddi-edns-1"); };
#filter f_wv-ddi-edns-1 { host("wv-ddi-edns-1"); };

#destination d_hsi-ddi-edns-1 { file("/var/log2/gns-dmz/bluecat/hsi-ddi-edns-1/log_${HOST}"); };
#destination d_ies-ddi-edns-1 { file("/var/log2/gns-dmz/bluecat/ies-ddi-edns-1/log_${HOST}"); };
#destination d_wv-ddi-edns-1 { file("/var/log2/gns-dmz/bluecat/wv-ddi-edns-1/log_${HOST}"); };

#log { source(s_net); filter(f_hsi-ddi-edns-1); destination(d_hsi-ddi-edns-1); };
#log { source(s_net); filter(f_ies-ddi-edns-1); destination(d_ies-ddi-edns-1); };
#log { source(s_net); filter(f_wv-ddi-edns-1); destination(d_wv-ddi-edns-1); };
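Added example, not code from the post or from the syslog-ng project: a small Python emulation of how the three filters above (with the stray semicolons removed) route messages, so you can see which destination a message lands in and which messages match no filter and are silently lost. It assumes syslog-ng's semantics that host() and program() are unanchored regular-expression matches, that flags(ignore-case) applies only to host(), and that level() is an explicit severity list; the sample messages are constructed.

```python
import re

# syslog-ng host()/program() filters are unanchored regular-expression matches;
# flags(ignore-case) applies only where the config sets it (here: host()).
HOST_RE = re.compile(r".*ddi-edns.*", re.IGNORECASE)
DHCPD_RE = re.compile(r"dhcpd")
NAMED_RE = re.compile(r"named")
# level(info, notice, warn, err, crit) is an explicit list, so debug, alert and
# emerg messages fall outside it ('warn' is syslog-ng's alias for 'warning').
F_OTHER_LEVELS = {"info", "notice", "warning", "err", "crit"}

def f_dhcpd(msg: dict) -> bool:
    return bool(HOST_RE.search(msg["host"]) and DHCPD_RE.search(msg["program"]))

def f_named(msg: dict) -> bool:
    return bool(HOST_RE.search(msg["host"]) and NAMED_RE.search(msg["program"]))

def f_other(msg: dict) -> bool:
    return bool(msg["level"] in F_OTHER_LEVELS
                and HOST_RE.search(msg["host"])
                and not DHCPD_RE.search(msg["program"])
                and not NAMED_RE.search(msg["program"]))

def route(msg: dict) -> list:
    """Destinations a message reaches; each log {} path is evaluated independently."""
    dests = []
    if f_dhcpd(msg):
        dests.append("d_dhcpd")
    if f_named(msg):
        dests.append("d_named")
    if f_other(msg):
        dests.append("d_other")
    return dests

def dropped(msgs: list) -> list:
    """Messages no filter matches: they are silently lost, which is the gap to audit."""
    return [m for m in msgs if not route(m)]

# Constructed sample messages (host, program, severity), not real log data.
SAMPLES = [
    {"host": "hsi-ddi-edns-1", "program": "dhcpd", "level": "info"},
    {"host": "IES-DDI-EDNS-1", "program": "named", "level": "debug"},  # ignore-case host match
    {"host": "wv-ddi-edns-1", "program": "sshd", "level": "warning"},
    {"host": "wv-ddi-edns-1", "program": "sshd", "level": "debug"},  # below level() list: dropped
    {"host": "corp-fileserver", "program": "named", "level": "err"},  # host mismatch: dropped
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["host"], m["program"], m["level"], "->", route(m) or "(dropped)")
```

Running it shows that debug messages from programs other than dhcpd and named reach no destination at all, so if those are wanted the level() list in f_other has to include them.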