[syslog-ng] Filtering Destination by Source

Balazs Scheidler bazsi77 at gmail.com
Tue Jan 12 17:06:27 UTC 2021


There's an in-list() filter iirc for that purpose.

Also there's a Splunk Collector for syslog, which is syslog-ng based. It
might be useful to check out how that approaches the sourcetype problem,
even if you end up using something different.

https://splunkbase.splunk.com/app/4740/

The native syslog-ng solution would be to use app-parser() and IP based
filtering to map fields to Splunk. App-parser() can hide details such as
db-parser or kv-parser on an app by app basis.

On Tue, Jan 12, 2021, 16:59 Peter Griggs <peter at petergriggs.co.uk> wrote:

> Hiya,
>
> Thanks for this – most useful.
>
> Is it possible to look up the IP addresses from a list (we are likely to be
> talking in the range of hundreds of addresses)?
>
> Thanks
>
> Pete.
>
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> *On Behalf Of* Attila
> Szakacs (aszakacs)
> *Sent:* 12 January 2021 14:11
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Filtering Destination by Source
>
> Hi Peter,
>
> If the decision can be made with the source IP or hostname, it is pretty
> easy to do.
>
> You can create multiple filters, each corresponding to one known source
> IP: netmask(), or hostname: host().
>
> Then you can create embedded log statements. Don't forget to add
> flags(final), or it will flow through that branch.
>
> An example configuration:
>
> @version: 3.30
>
> # One network source, which collects logs from various hosts
> source s_network {
>     network(port(12345));
> };
>
> # One known host, with the IP 127.0.0.1
> filter f_host1 {
>     netmask("127.0.0.1");
> };
>
> # Another known host with the IP 127.0.0.2
> filter f_host2 {
>     netmask("127.0.0.2");
> };
>
> # The destination, where host1's logs will be forwarded to
> destination d_network1 {
>     network("localhost" port(23456));
> };
>
> # The destination, where host2's logs will be forwarded to
> destination d_network2 {
>     network("localhost" port(23457));
> };
>
> log {
>     source(s_network);
>
>     # First branch, for host1 -> destination1
>     log {
>         filter(f_host1);
>         destination(d_network1);
>         flags(final); # Don't forget to stop processing
>     };
>
>     # Second branch, for host2 -> destination2
>     log {
>         filter(f_host2);
>         destination(d_network2);
>         flags(final); # Don't forget to stop processing
>     };
> };
>
> You can use inline filters too, if it is more convenient. With this, you
> do not need to define f_host1 and f_host2:
>
> log {
>     source(s_network);
>
>     # First branch, for 127.0.0.1 -> destination1
>     log {
>         filter { netmask("127.0.0.1"); };
>         destination(d_network1);
>         flags(final); # Don't forget to stop processing
>     };
>
>     # Second branch, for 127.0.0.2 -> destination2
>     log {
>         filter { netmask("127.0.0.2"); };
>         destination(d_network2);
>         flags(final); # Don't forget to stop processing
>     };
> };
>
> Cheers,
>
> Attila
> ------------------------------
>
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Peter
> Griggs <peter at petergriggs.co.uk>
> *Sent:* Tuesday, January 12, 2021 2:31 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Filtering Destination by Source
>
> Hello,
>
> We have a lot of network logs all being pointed to a central syslog;
> however, this is a mix of vendors (Cisco / Juniper / Checkpoint) etc. Is
> there a way of splitting the destination file by vendor type / or source IP
> address? We ingest this data into Splunk so want to get the source typing
> right; however, I am unable to get the sources to point to various listeners
> and I would prefer.
>
> Thanks
>
> Peter.
>
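Editor's added example, not a configuration from the thread: it combines the in-list() filter Balazs mentions with the embedded log statements and flags(final) from Attila's reply, for Peter's case of hundreds of source addresses spread over several vendors. The list file paths, the addresses inside them, the listening port and the output directories are assumed values chosen for illustration; the in-list() and netmask() syntax and the SOURCEIP macro are standard syslog-ng.

```conf
@version: 3.30

# Added example (not from the thread): route messages to a per-vendor
# destination file by looking the sender's IP up in a list file, instead of
# writing one netmask() filter per known host.

source s_network {
    network(port(12345));
};

# One list file per vendor, one IP address per line, for example
# /etc/syslog-ng/lists/cisco.list containing
#   10.1.1.1
#   10.1.1.2
# in-list() compares the value of the named macro (here SOURCEIP, the
# address of the peer that sent the message) against the file's entries.
# Paths and addresses are assumptions for this example.
filter f_cisco      { in-list("/etc/syslog-ng/lists/cisco.list",      value("SOURCEIP")); };
filter f_juniper    { in-list("/etc/syslog-ng/lists/juniper.list",    value("SOURCEIP")); };
filter f_checkpoint { in-list("/etc/syslog-ng/lists/checkpoint.list", value("SOURCEIP")); };

# Whole subnets are better expressed with netmask(); a device not listed by
# address can still be matched by range this way.
filter f_cisco_lab  { netmask("10.9.0.0/24"); };

# One directory per vendor, one file per sender, so Splunk can assign the
# sourcetype from the path it monitors.
destination d_cisco      { file("/var/log/remote/cisco/${SOURCEIP}.log"); };
destination d_juniper    { file("/var/log/remote/juniper/${SOURCEIP}.log"); };
destination d_checkpoint { file("/var/log/remote/checkpoint/${SOURCEIP}.log"); };

# Catch-all for senders that match no list, so an unknown or newly added
# device is visible in its own directory instead of being dropped silently.
destination d_unknown    { file("/var/log/remote/unknown/${SOURCEIP}.log"); };

log {
    source(s_network);

    # Each branch ends with flags(final), so a message that matched one
    # vendor is not evaluated by the branches that follow it.
    log { filter(f_cisco);      destination(d_cisco);      flags(final); };
    log { filter(f_cisco_lab);  destination(d_cisco);      flags(final); };
    log { filter(f_juniper);    destination(d_juniper);    flags(final); };
    log { filter(f_checkpoint); destination(d_checkpoint); flags(final); };

    # No filter: reached only by messages that none of the branches above
    # claimed.
    log { destination(d_unknown); };
};
```

Two points worth checking before relying on this. in-list() does an exact string comparison against the macro's value, so ranges still need netmask(), and the list files are read when the configuration is loaded, so adding an address needs a syslog-ng reload. Also, SOURCEIP is the address of the peer that delivered the message: for a relay that is the relay, not the original device, and for plain UDP it is whatever the packet claimed. Where the vendor split feeds security monitoring, prefer TCP or TLS transport from the devices (or a trusted HOST value with keep-hostname(yes)) so the routing decision rests on something an outsider cannot easily forge.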