[syslog-ng] syslog-ng.conf filter not working

Péter, Kókai peter.kokai at oneidentity.com
Wed Mar 27 07:34:20 UTC 2019


Hello,

Without knowing your logs, it is hard to say anything more. But I would be
really surprised if the issue is with *filter* not working.
You could always run syslog-ng at debug/trace level in order to track which
filter/destination is triggered with a message.


I don't want to push anything here, the only reason I write this note is
that I started sensing a mismatch of what the community can provide and
what you actually expect. If you disagree, just ignore the rest of this
email.

If this is needed for a critical production deployment, I would consider
the paid-for syslog-ng Premium Edition offered by One Identity. The Open
Source version of syslog-ng is not supported by a professional support
team; the community (which includes some of syslog-ng's developers) usually
helps on a best-effort basis. If you require faster answers (with SLAs),
patched binary packages, or more in-depth guidance, One Identity offers
paid support and/or consultancy services for syslog-ng. See
https://www.syslog-ng.com/register/115497/

Disclaimer: I am employed by One Identity (being a software engineer there).



--

Kokan




On Sat, Mar 23, 2019 at 4:38 PM Lin, Victor <victor.lin at rbc.com> wrote:

> Dear All,
>
>    I am trying to forward all Cisco IOS and Nexus logs to a remote server.
> Here is from my syslog-ng.conf
>
> *********************
> # Syslog collection for all devices
> source s_network {
>         network(
>                 transport("udp")
>                 port(514)
>                 flags(syslog_protocol)
>                 keep_hostname(yes)
>                 keep_timestamp(yes)
>                 use_dns(no)
>                 use_fqdn(no)
>         );
> };
>
> destination d_all_logs {
>         file("/app/syslog-ng/My_custom/My_output/all_devices.log");
> };
> #All syslogs
> log {
>         source(s_network);
>         destination(d_all_logs);
> };
>
> *****************************
> #Cisco to elastic Mar.22.2019
> destination d_cisco_logs {
>        file("/app/syslog-ng/My_custom/My_output/cisco.log");
>        network("10.20.30.44" port(2514) transport(udp) spoof_source(yes));
> };
> *****************************************
> #Cisco logs to elastic Mar.22.2019
>
> log {
>         source(s_network);
>         filter(f_cisco_message);
>         destination(d_cisco_logs);
> };
> ***********************************
> #Cisco to elastic  Mar.22.2019
> filter f_cisco_message {
>         match("Cisco IOS", value("MESSAGE"))
>         or match("Cisco Nexus", value("MESSAGE"));
> };
>
>
> But it looks like cisco.log never has any data inside.
> Below is from
>
> Could you please review my config and advise?
>
> Thank you so much for your reply in advance!
>
> VL
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
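The reply above recommends tracing which filter and destination each message triggers. The following is an added example, not code from the thread or from the syslog-ng project: a small Python model of how the posted `f_cisco_message` filter is evaluated, run over constructed sample syslog lines. It assumes that `match(pattern, value("MESSAGE"))` behaves as an unanchored, case-sensitive regular-expression search on the message text (syslog-ng's default), and it simplifies RFC 3164 parsing by treating everything after the hostname as MESSAGE (real syslog-ng also splits off PROGRAM). The point it makes visible is that the filter tests the message body for the literal strings "Cisco IOS" and "Cisco Nexus", so a typical `%SYS-5-CONFIG_I` line from a Cisco device would go only to the unfiltered destination.

```python
import re
from dataclasses import dataclass

# Simplified RFC 3164 (BSD syslog) line: "<PRI>Mmm dd hh:mm:ss HOST rest".
# Assumption: the whole remainder after HOST is treated as MESSAGE; syslog-ng
# would additionally split a leading "PROGRAM:" token out of it.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<message>.*)$"
)


@dataclass
class Message:
    host: str
    message: str


def parse(line: str) -> Message:
    """Parse one syslog line into the HOST and MESSAGE macros used by filters."""
    m = _RFC3164.match(line)
    if not m:
        # Unparseable input is kept whole as MESSAGE so filters can still run on it.
        return Message(host="", message=line)
    return Message(host=m.group("host"), message=m.group("message"))


def match(pattern: str, value: str) -> bool:
    """Model of syslog-ng match(): unanchored regex search on the named field."""
    return re.search(pattern, value) is not None


def f_cisco_message(msg: Message) -> bool:
    """The posted filter: match("Cisco IOS") or match("Cisco Nexus") on MESSAGE."""
    return match("Cisco IOS", msg.message) or match("Cisco Nexus", msg.message)


def route(lines):
    """Return, per line, (host, destinations) mirroring the two log {} paths."""
    result = []
    for line in lines:
        msg = parse(line)
        dests = ["d_all_logs"]          # unfiltered path: every message
        if f_cisco_message(msg):        # filtered path: only on a filter hit
            dests.append("d_cisco_logs")
        result.append((msg.host, dests))
    return result


# Constructed sample input (not taken from the thread). Lines 1, 2 and 4 are in
# the shape Cisco devices usually emit; lines 3 and 5 contain the literal text
# the filter looks for.
SAMPLE_LINES = [
    "<189>Mar 22 10:15:01 core-sw1 1234: *Mar 22 10:15:01.123: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
    "<189>Mar 22 10:15:02 core-sw1 1235: %SYS-6-LOGGINGHOST_STARTSTOP: "
    "Logging to host 10.0.0.5 started - CLI initiated",
    "<189>Mar 22 10:15:03 core-sw1 1236: Cisco IOS Software, C3750 Software, Version 15.0(2)SE",
    "<190>Mar 22 10:16:00 nx-core 2019 Mar 22 10:16:00 nx-core %VDC_MGR-2-VDC_ONLINE: "
    "vdc 1 has come online",
    "<189>Mar 22 10:17:00 fw1 Cisco Nexus device booted",
]

if __name__ == "__main__":
    # A trace similar in spirit to what syslog-ng's debug output lets you see:
    # which destinations each message reaches and why.
    for line, (host, dests) in zip(SAMPLE_LINES, route(SAMPLE_LINES)):
        print(f"{host:10} -> {', '.join(dests):24} | {parse(line).message[:48]}")
```

To see the same decision on a live instance rather than a model, syslog-ng can be started in the foreground with verbose, debug and trace output to stderr (`syslog-ng -Fevdt`), which logs filter evaluation and destination delivery per message.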