[syslog-ng] syslog-ng.conf filter not working

Lin, Victor victor.lin at rbc.com
Sat Mar 23 15:38:22 UTC 2019


Dear All,

   I am trying to forward all Cisco IOS and Nexus to a remote server.
This is from my syslog-ng.conf:

*********************
# Syslog collection for all devices
source s_network {
        network(
                transport("udp")
                port(514)
                flags(syslog_protocol)
                keep_hostname(yes)
                keep_timestamp(yes)
                use_dns(no)
                use_fqdn(no)
        );
};

destination d_all_logs {
        file("/app/syslog-ng/My_custom/My_output/all_devices.log");
};
#All syslogs
log {
        source(s_network);
        destination(d_all_logs);
};

*****************************
#Cisco to elastic Mar.22.2019
destination d_cisco_logs {
       file("/app/syslog-ng/My_custom/My_output/cisco.log");
       network("10.20.30.44" port(2514) transport(udp) spoof_source(yes));
};
*****************************************
#Cisco logs to elastic Mar.22.2019

log {
        source(s_network);
        filter(f_cisco_message);
        destination(d_cisco_logs);
};
***********************************
#Cisco to elastic  Mar.22.2019
filter f_cisco_message {
        match ("Cisco IOS", value ("MESSAGE"));
        or
        match ("Cisco Nexus", value ("MESSAGE"));
};


But it looks like cisco.log never has any data inside.
Below is from

Could you please review my config and advise?

Thank you so much for your reply in advance!

VL


