[syslog-ng] Forcing remote syslog request from 1 IP into 1 log file

Nagy, Gábor gabor.nagy at oneidentity.com
Fri Jul 27 11:13:59 UTC 2018


Hi,

What would an example message look like?
2018-07-24T16:12:20+02:00 WAN(11) Connection: Wan link down.
What kind of source driver do you use in your configuration?

I have one idea only:
- don't use the HOST field, but HOST_FROM, if the separate messages are coming
from different hosts and not from a relay.

I see it is similar to Fabien's.

Regards,
Gabor

On Fri, Jul 27, 2018 at 1:03 PM Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi,
>
> On Fri, Jul 27, 2018 at 11:55:42AM +0200, freebsd at tango.lu wrote:
> > How do I force all the logs into one logfile for this one specific host?
> > If possible I don't want to change my current rules just extend them.
>
> You could use the SOURCEIP macro or the netmask filter.
> There are multiple ways to achieve what you ask, many depending on the
> syslog-ng version you use and on your config. The most compatible way to do
> it is probably using a separate log path:
>
>     log {
>       source(s_syslog);
>       filter {
>         netmask(10.0.0.1/32)
>       };
>       destination(d_net_some_host);
>       flags(final);
>     };
>
> Notice the "final" flag which makes sure the message won't make it to other
> log paths.
>
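
The log path quoted above, placed in a fuller configuration, as an added example that is not part of the original thread. The version line, the `network()` source definition, the file paths and the `d_per_host` rule standing in for the poster's existing rules are assumptions; `s_syslog`, `d_net_some_host` and `10.0.0.1/32` are taken from the quoted reply.

```conf
# Assumed version line; match it to the installed syslog-ng release.
@version: 3.16

# Assumed network source; reuse the source the existing config defines.
source s_syslog {
  network(transport("udp") port(514));
};

# One file for everything sent from 10.0.0.1, regardless of what the
# device writes into the host or program part of the message text.
destination d_net_some_host {
  file("/var/log/remote/10.0.0.1.log");
};

# Hypothetical stand-in for an existing rule that names files after the
# HOST field, which is parsed from sender-supplied message content.
destination d_per_host {
  file("/var/log/remote/${HOST}.log");
};

# Must be listed first: flags(final) only stops the log paths after it.
# netmask() matches the sender's IP address, not the message content.
log {
  source(s_syslog);
  filter { netmask(10.0.0.1/32); };
  destination(d_net_some_host);
  flags(final);
};

# Existing rule, unchanged. Messages from 10.0.0.1 no longer reach it.
log {
  source(s_syslog);
  destination(d_per_host);
};
```

Running `syslog-ng --syntax-only -f <file>` checks the configuration before it is reloaded.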