[syslog-ng] Help With filtering

László Várady laszlo.varady at balabit.com
Fri Jul 20 11:48:52 UTC 2018


Hi,

> I have syslog-ng 3.14 and I am trying to filter DNS logs.  I have this
> working in a very old 2.0.9 version of syslog-ng.  But it does not seem to
> want to work in the 3.14 environment.  Can anyone help me out as I am
> pretty new to administering syslog-ng.
>

Could you elaborate, please? What do you mean by "not seem to want to work"?

Does syslog-ng receive messages from s_net? You can verify it by starting
syslog-ng in debug mode from the command line:

$ sbin/syslog-ng -Fdev

Please share the output of this command.

If so, do your logs appear under /var/log2/gns-dmz/bluecat/?
If not, something is wrong with your filters or with file permissions.


I'm not familiar with syslog-ng 2.0, but I've tested your configuration
with syslog-ng 3.16. Let me share my tips:

1. It might be possible that the /var/log2/gns-dmz/bluecat/ directory does
not exist, so I added create-dirs(yes) to the configuration.
2. I assume that the hostname ".*ddi-edns.*" is part of the message
received from s_net, so I added keep-hostname(yes) to the config. If my
assumption is incorrect, you should set keep-hostname(no) and adjust
use-dns() and use-fqdn() according to your needs.
3. Make sure s_net is configured correctly, for example, if you want to
receive old BSD-style messages, use the network() driver, otherwise use the
syslog() driver for framed IETF-syslog messages.

For example:

@version: 3.16
@include "scl.conf"

options {
    create-dirs(yes);
    keep-hostname(yes);
};

source s_net {
    network(port(4444));
};

// insert your previous config snippet here


My test input was "<133>Feb 24 14:04:04 test.ddi-edns.test dhcpd message".

--
László Várady
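An added illustration of tip 2 above (not part of the original reply or of syslog-ng itself): a small Python model of how the HOST field is filled from a BSD-style line under keep-hostname(yes) versus keep-hostname(no), and why a host filter on "ddi-edns" then matches or misses. The sender address 10.0.0.5, the host() regex, and the per-host file name under /var/log2/gns-dmz/bluecat/ are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the test line from the reply, as received from an
# assumed peer address. The peer address is not from the thread.
SAMPLE = "<133>Feb 24 14:04:04 test.ddi-edns.test dhcpd message"
PEER_ADDR = "10.0.0.5"

# Minimal RFC 3164 (BSD-style) layout: <PRI>TIMESTAMP HOST MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class Message:
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str


def parse_bsd(line: str, peer_addr: str, keep_hostname: bool) -> Message:
    """Parse one BSD-style line the way a network() source would see it."""
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not a BSD-style syslog line")
    pri = int(m.group("pri"))
    # keep-hostname(yes): HOST comes from the message header.
    # keep-hostname(no): syslog-ng overwrites HOST with the sender's address
    # (or its resolved name when use-dns() is on); only the address is modelled.
    host = m.group("host") if keep_hostname else peer_addr
    return Message(pri >> 3, pri & 7, m.group("ts"), host, m.group("msg"))


# Assumed filter and destination, modelled on the thread's description.
HOST_FILTER = re.compile(r".*ddi-edns.*")
DEST_DIR = "/var/log2/gns-dmz/bluecat"


def route(msg: Message):
    """Return the destination file for a matching message, or None if filtered out."""
    if not HOST_FILTER.match(msg.host):
        return None
    return f"{DEST_DIR}/{msg.host}.log"  # assumed per-host file name


if __name__ == "__main__":
    for keep in (True, False):
        print(f"keep-hostname({'yes' if keep else 'no'}):",
              route(parse_bsd(SAMPLE, PEER_ADDR, keep)))
```

With keep-hostname(no) the HOST becomes the sender address, so the regex never matches and nothing reaches the bluecat directory, which is the symptom tip 2 is guarding against.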