[syslog-ng] Filtering Destination by Source

Peter Griggs peter at petergriggs.co.uk
Tue Jan 12 15:59:32 UTC 2021


Hiya,

Thanks for this - most useful.

Is it possible to look up the IP addresses from a list (we are likely to be talking in the range of hundreds of addresses)?

Thanks
Pete.

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Attila Szakacs (aszakacs)
Sent: 12 January 2021 14:11
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Filtering Destination by Source

Hi Peter,

If the decision can be made with the source IP or hostname, it is pretty easy to do.

You can create multiple filters, each corresponding to one known source IP: netmask(), or hostname: host().
Then you can create embedded log statements. Don't forget to add flags(final), or it will flow through that branch.

An example configuration:
@version: 3.30

# One network source, which collects logs from various hosts
source s_network {
    network(port(12345));
};

# One known host, with the IP 127.0.0.1
filter f_host1 {
    netmask("127.0.0.1");
};

# Another known host with the IP 127.0.0.2
filter f_host2 {
    netmask("127.0.0.2");
};

# The destination, where host1's logs will be forwarded to
destination d_network1 {
    network("localhost" port(23456));
};

# The destination, where host2's logs will be forwarded to
destination d_network2 {
    network("localhost" port(23457));
};

log {
    source(s_network);

    # First branch, for host1 -> destination1
    log {
        filter(f_host1);
        destination(d_network1);
        flags(final); # Don't forget to stop processing
    };

    # Second branch, for host2 -> destination2
    log {
        filter(f_host2);
        destination(d_network2);
        flags(final); # Don't forget to stop processing
    };
};

You can use inline filters too, if it is more convenient. With this, you do not need to define f_host1 and f_host2:
log {
    source(s_network);

    # First branch, for 127.0.0.1 -> destination1
    log {
        filter { netmask("127.0.0.1"); };
        destination(d_network1);
        flags(final); # Don't forget to stop processing
    };

    # Second branch, for 127.0.0.2 -> destination2
    log {
        filter { netmask("127.0.0.2"); };
        destination(d_network2);
        flags(final); # Don't forget to stop processing
    };
};

Cheers,
Attila
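As a follow-up to the question about hundreds of addresses, here is an added example (not from the thread, not syslog-ng project code) that generates the same per-source netmask() filters, nested log branches and flags(final) from a vendor-to-address map, so the config does not have to be typed by hand. The VENDOR_SOURCES values, the file() destination paths, the IPv6 netmask6() branch and the trailing catch-all branch for unmatched sources are assumptions of this example; the thread itself only shows two hosts and no fallback.

```python
import ipaddress

# Constructed sample input (placeholder documentation addresses, not from the
# thread): vendor name -> list of source hosts or CIDR ranges.
VENDOR_SOURCES = {
    "cisco": ["192.0.2.10", "192.0.2.11"],
    "juniper": ["198.51.100.0/24"],
    "checkpoint": ["203.0.113.5", "2001:db8::5"],
}


def netmask_filter(name, sources):
    """Build one syslog-ng filter block OR-ing a netmask term per source.

    Every entry is normalised with ipaddress so a typo raises ValueError at
    generation time instead of producing a filter that silently matches
    nothing; a bare host becomes a /32 (or /128), IPv6 uses netmask6().
    """
    terms = []
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)  # ValueError on junk
        func = "netmask6" if net.version == 6 else "netmask"
        terms.append('%s("%s/%d")' % (func, net.network_address, net.prefixlen))
    return "filter f_%s {\n    %s;\n};\n" % (name, " or ".join(terms))


def render_config(vendor_sources, version="3.30", listen_port=12345):
    """Render a complete config: one network source, one filter and one file
    destination per vendor, a final-flagged branch per vendor, and a last
    catch-all branch so sources on no list are kept rather than dropped."""
    out = ["@version: %s\n" % version,
           "source s_network {\n    network(port(%d));\n};\n" % listen_port]
    for name, sources in vendor_sources.items():
        out.append(netmask_filter(name, sources))
        out.append('destination d_%s {\n    file("/var/log/vendor/%s.log");\n};\n'
                   % (name, name))
    out.append('destination d_unmatched {\n'
               '    file("/var/log/vendor/unmatched.log");\n};\n')
    branches = []
    for name in vendor_sources:
        branches.append("    log {\n        filter(f_%s);\n        destination(d_%s);\n"
                        "        flags(final);\n    };\n" % (name, name))
    # No filter and no flags(final): only messages that matched nothing reach it.
    branches.append("    log {\n        destination(d_unmatched);\n    };\n")
    out.append("log {\n    source(s_network);\n\n%s};\n" % "\n".join(branches))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_config(VENDOR_SOURCES))
```

Redirect the output to a file and run `syslog-ng --syntax-only -f <file>` before deploying it, since the generator only validates addresses, not the rest of the grammar.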
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Peter Griggs <peter at petergriggs.co.uk>
Sent: Tuesday, January 12, 2021 2:31 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Filtering Destination by Source

Hello,

We have a lot of network logs all being pointed to a central syslog; however, this is a mix of vendors (Cisco / Juniper / Checkpoint) etc. Is there a way of splitting the destination file by vendor type or source IP address? We ingest this data into Splunk, so we want to get the source typing right; however, I am unable to get the sources to point to various listeners and I would prefer.

Thanks

Peter.