syslog-ng and filter

I have a problem with my syslog-ng config file. I declare the following lines:

source s_router {
        udp( port(514) );
};

destination d_router02 {
        file("/var/log/router/10.0.0.10" owner(root) group(users) perm(0640));
};

destination d_router03 {
        file("/var/log/router/10.0.0.11" owner(root) group(users) perm(0640));
};


destination d_router01 {
        file("/var/log/router/10.0.0.9" owner(root) group(users) perm(0640));
};

filter f_router01 { host("10.0.0.9"); };
filter f_router02 { host("10.0.0.10"); };
filter f_router03 { host("10.0.0.11"); };

log { source(s_router); filter(f_router01); destination(d_router01); };
log { source(s_router); filter(f_router02); destination(d_router02); };
log { source(s_router); filter(f_router03); destination(d_router03); };

but the result is that I have no entries in the log file.
If I delete the filter(f_routerxx) entries, I have the same entries in all log files!!

[UPDATE]
My System is SLES11 SP2
[/UPDATE]
Regards
Dirk

Hi Dirk,

but the result is that I have no entries in the log file.

might it be that your routers’ IP addresses resolve to a host name and thus the filter expression does not match? What’s the “host name” part when you disable the filter(s) and look at the log file?

BTW: Depending on your goals, you might want to take a completely different approach:

source s_router { udp( port(514)); };
destination d_clients { file("/var/log/router/$HOST.log" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_clients); };

would create a log file per remote client all by itself. Of course, if you have other remote clients logging to that syslog, you’d not get their log files into distinct directories.

Regards,
Jens

Hi Jens,
your suggestion works for me already, but now I want 3 different logfiles for my 3 routers. And I hoped to solve this with the filter option.

Regards
Dirk

[QUOTE=krid;19434]Hi Jens,
your suggestion works for me already, but now I want 3 different logfiles for my 3 routers. And I hoped to solve this with the filter option.

Regards
Dirk[/QUOTE]

Hi Dirk,

I’m not sure I understand - first of all, which of my suggestions works? Secondly, the `file("/var/log/router/$HOST.log")` syntax is exactly intended to create a log file per remote client - which is what your routers are, from syslog-ng’s point of view.

To help you with your filtering, I’d need the requested information (sample output, to determine which value the host filter has to work against).

Regards,
Jens

Hi Jens,
here are my steps to save the logfiles on the syslog-ng server.

Step 1: I put simple lines in syslog-ng

source s_router { udp( port(514)); };
destination d_router { file("/var/log/router/$HOST.log" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_router); };

The goal was one logfile with the DNS name. The problem is that this router has 2 DNS entries. If I restart the syslog-ng service the name of the logfile changes; I have the same result if I use logrotate… Now I have 2 logfiles for 1 router. This is the reason that I will use the IP address in the name of the logfile!

source s_router { udp( port(514)); };
destination d_router { file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_router); };

Now I have one logfile for my router! That works great.

But now I have 2 more routers!
I expanded the lines above:

source s_router { udp( port(514)); };
destination d_router01 { udp( (ip "10.0.0.1") port(514)); file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };
destination d_router02 { udp( (ip "10.0.0.2") port(514)); file("/var/log/router/10_0_0_2" owner(root) group(users) perm(0640)); };
destination d_router03 { udp( (ip "10.0.0.3") port(514)); file("/var/log/router/10_0_0_3" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_router01); };
log { source(s_remote); destination(d_router02); };
log { source(s_remote); destination(d_router03); };

Now the result is that I have 3 logfiles with the same content!
For this reason I expanded the syslog-ng.conf with the filter option:

source s_router { udp( port(514)); };
destination d_router01 { file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };
destination d_router02 { file("/var/log/router/10_0_0_2" owner(root) group(users) perm(0640)); };
destination d_router03 { file("/var/log/router/10_0_0_3" owner(root) group(users) perm(0640)); };
filter f_router01 { host("10.0.0.1"); };
filter f_router01 { host("10.0.0.2"); };
filter f_router01 { host("10.0.0.3"); };
log { source(s_remote); filter(f_router01); destination(d_router01); };
log { source(s_remote); filter(f_router02); destination(d_router02); };
log { source(s_remote); filter(f_router03); destination(d_router03); };

Now I have no logfiles! :mad: It looks as if the filter option doesn’t work!

I hope I have explained my problem understandably!

Regards
Dirk

Hi Dirk,

I hope I have explained my problem understandably!

yes, indeed. I didn’t know about the alternating DNS names, leading to switching file names…

Your filter rules most probably won’t catch because (as I tried to express earlier on) it will filter against the resolved host name - it seems to be a plain text filter, trying to match what syslog-ng determines to be the host section. So filtering for an IP address won’t get you anywhere - try to filter for what is reported as the host name(s) in the resulting syslog file.

To work against the “toggling DNS name” (which would affect filtering, too) you might consider inserting an IP/name pair into the syslogd’s /etc/hosts file and making sure that this file is checked first (via /etc/resolv.conf). I suspect that the routers’ DNS names won’t change that often, so adding that redundancy shouldn’t harm too much.

My recommendation would be to use the first version (using $HOST) after solving the toggling DNS entry issue.

Regards,
Jens

PS: Your second sample might create a message loop, depending on the router’s configuration:

destination d_router01 { udp( (ip "10.0.0.1") port(514)); file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };

will send the messages received from the router(s) both to the file and to the router… the latter may then be forwarding the message back to the syslogd, and so on…

On 20/02/2014 10:14, krid wrote:

here are my steps to save the logfiles on the syslog-ng server.

Step 1: I put simple lines in syslog-ng

Code:

source s_router { udp( port(514)); };
destination d_router { file("/var/log/router/$HOST.log" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_router); };


The goal was one logfile with the DNS name. The problem is that this router has 2 DNS entries. If I restart the syslog-ng service the name of the logfile changes; I have the same result if I use logrotate… Now I have 2 logfiles for 1 router. This is the reason that I will use the IP address in the name of the logfile!

Code:

source s_router { udp( port(514)); };
destination d_router { file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_router); };


Now I have one logfile for my router! That works great.

But now I have 2 more routers!
I expanded the lines above:

Code:

source s_router { udp( port(514)); };
destination d_router01 { udp( (ip "10.0.0.1") port(514)); file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };
destination d_router02 { udp( (ip "10.0.0.2") port(514)); file("/var/log/router/10_0_0_2" owner(root) group(users) perm(0640)); };
destination d_router03 { udp( (ip "10.0.0.3") port(514)); file("/var/log/router/10_0_0_3" owner(root) group(users) perm(0640)); };
log { source(s_remote); destination(d_router01); };
log { source(s_remote); destination(d_router02); };
log { source(s_remote); destination(d_router03); };


Now the result is that I have 3 logfiles with the same content!
For this reason I expanded the syslog-ng.conf with the filter option:

Code:

source s_router { udp( port(514)); };
destination d_router01 { file("/var/log/router/10_0_0_1" owner(root) group(users) perm(0640)); };
destination d_router02 { file("/var/log/router/10_0_0_2" owner(root) group(users) perm(0640)); };
destination d_router03 { file("/var/log/router/10_0_0_3" owner(root) group(users) perm(0640)); };
filter f_router01 { host("10.0.0.1"); };
filter f_router01 { host("10.0.0.2"); };
filter f_router01 { host("10.0.0.3"); };

For starters you’ve defined f_router01 three times and not f_router01, f_router02, and f_router03 as I think you intended based on the following.
log { source(s_remote); filter(f_router01); destination(d_router01); };
log { source(s_remote); filter(f_router02); destination(d_router02); };
log { source(s_remote); filter(f_router03); destination(d_router03); };


Now I have no logfiles! :mad: It looks as if the filter option doesn’t work!

I suspect the filter option is working but it’s not matching the hostname - try

filter f_router01 { netmask(10.0.0.1/32); };
filter f_router02 { netmask(10.0.0.2/32); };
filter f_router03 { netmask(10.0.0.3/32); };

instead.

HTH.

Simon
SUSE Knowledge Partner

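Putting the two suggestions in this thread together, as an added example (not a configuration posted by Dirk, Jens or Simon): Simon's netmask() filters select messages by the UDP sender address, which does not depend on DNS at all, and use_dns(no) with keep_hostname(no) on the source makes $HOST the sender's IP address, so Jens's per-client $HOST.log file name stops toggling between two DNS entries. The directory /var/log/router and the three router addresses come from Dirk's first post; the source options, the d_other fallback destination and the log path flags are assumptions added here.

```conf
# Added example: one listener, a fixed file per known router selected by
# sender address, and a per-host fallback file for any other client.

source s_router {
        # use_dns(no) + keep_hostname(no): $HOST becomes the sender's IP
        # address instead of a reverse-resolved name, so file names built
        # from $HOST no longer change when a router's DNS entry toggles.
        udp( port(514) use_dns(no) keep_hostname(no) );
};

destination d_router01 {
        file("/var/log/router/10.0.0.9"  owner(root) group(users) perm(0640));
};
destination d_router02 {
        file("/var/log/router/10.0.0.10" owner(root) group(users) perm(0640));
};
destination d_router03 {
        file("/var/log/router/10.0.0.11" owner(root) group(users) perm(0640));
};

# Assumed fallback for any other client; with use_dns(no), $HOST is its IP.
destination d_other {
        file("/var/log/router/$HOST.log" owner(root) group(users) perm(0640));
};

# netmask() tests the address the datagram arrived from, not the host name
# string inside the message; a /32 matches exactly one sender.
filter f_router01 { netmask(10.0.0.9/32);  };
filter f_router02 { netmask(10.0.0.10/32); };
filter f_router03 { netmask(10.0.0.11/32); };

# flags(final): a matched message is not evaluated by later log paths.
log { source(s_router); filter(f_router01); destination(d_router01); flags(final); };
log { source(s_router); filter(f_router02); destination(d_router02); flags(final); };
log { source(s_router); filter(f_router03); destination(d_router03); flags(final); };

# flags(fallback): only messages that no other log path accepted land here.
log { source(s_router); destination(d_other); flags(fallback); };
```

With these source options the original host("10.0.0.9") filters would match as well, since $HOST is now the IP address, but netmask() works whatever the host field contains. Check the file with `syslog-ng --syntax-only` before restarting the service.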

Hi Jens,
thanks for your explanation, I did not know that the filter is only a plain-text description. I changed /etc/hosts and the corresponding lines in syslog-ng.conf and now it works!

Thanks and regards

Dirk

Hi Simon,
thanks for your reply. I tested your solution too and it also works perfectly!

Regards
Dirk