[syslog-ng] Forcing remote syslog request from 1 IP into 1 log file

Jim Hendrick james.r.hendrick at gmail.com
Fri Jul 27 15:58:39 UTC 2018


Try HOST_FROM instead of HOST

Possibly also try no-parse

Jim

On Fri, Jul 27, 2018, 5:55 AM <freebsd at tango.lu> wrote:

> Hello,
>
> I have a syslog server setup which works quite well for most of the
> hosts:
>
> destination d_net_debug {
> file("/var/log/$HOST/debug"); };
>
> destination d_net_error {
> file("/var/log/$HOST/error"); };
>
> This way I don't have to define every host which logs there, but they will
> be autocreated.
>
> I have a quite misbehaving Asus router device, however, which keeps sending
> strings like:
>
> FTP
> WAN(11)
> WAN(8)
> WAN(3)
>
> as host, therefore syslog-ng interprets these messages as if they were
> coming from different $HOSTs and keeps creating directories for them.
>
> 2018-07-22T20:45:59+02:00 WAN Connection: Wan link down.
> 2018-07-24T16:12:20+02:00 WAN Connection: Wan link down.
> 2018-07-22T20:45:59+02:00 WAN Connection: Wan link down.
> 2018-07-24T16:12:20+02:00 WAN Connection: Wan link down.
>
>
> How do I force all the logs into one logfile for this one specific host?
> If possible I don't want to change my current rules just extend them.
>
> Thank you.
>
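
The two suggestions in the reply above, written out as a syslog-ng configuration fragment to merge into an existing config. This is an added example, not part of the original thread; it goes one step beyond the reply by also showing a per-sender log path. Assumptions: the source name `s_net`, ports 514 and 5514, the address 192.0.2.10 and the directory name `asus-router`.

```conf
# Constructed example: s_net, the ports, 192.0.2.10 and "asus-router" are
# assumptions, not values from the thread.

source s_net {
    network(transport("udp") port(514));
};

# 1) HOST_FROM instead of HOST.
#    $HOST can come from the hostname field inside the message, which the
#    sending device controls. $HOST_FROM is the peer syslog-ng received the
#    message from (its address, or its name when DNS resolution is enabled),
#    so a device cannot pick its own directory name.
destination d_net_debug { file("/var/log/$HOST_FROM/debug"); };
destination d_net_error { file("/var/log/$HOST_FROM/error"); };

# 2) One fixed file for one specific sender (goes beyond the reply).
#    netmask() matches on the sender's IP address, not on message content.
filter f_router { netmask("192.0.2.10/32"); };

destination d_router { file("/var/log/asus-router/messages"); };

# Keep this log path above the generic ones: flags(final) stops later log
# statements from processing the same message, so the $HOST-based
# destinations never see the router's traffic.
log {
    source(s_net);
    filter(f_router);
    destination(d_router);
    flags(final);
};

# 3) no-parse.
#    A separate listener for devices with malformed headers. With
#    flags(no-parse) syslog-ng does not parse the incoming line at all:
#    it generates its own header and puts the whole received line into
#    $MESSAGE, so nothing the device sends is treated as a hostname.
source s_router_raw {
    network(transport("udp") port(5514) flags(no-parse));
};

log {
    source(s_router_raw);
    destination(d_router);
};
```

Options 2 and 3 are alternatives for the router: use either the filter on the shared source or the dedicated no-parse listener, depending on whether the device can be pointed at a different port.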