I’m trying to setup a syslog-ng server and it’s sort of working. The intent is to receive syslog messages from other servers and sort them on the syslog server based on the incoming IP address of the server/device/appliance that is sending them. So I want a separate log file for each system.
I setup a external source directive in syslog-ng.conf
source extsrc {
udp(ip(“X.X.X.X”) port(514));
};
then I setup 2 files that are included and in the main syslog-ng.conf (verified that they are included properly)
each have a filter, destination and log directive (in this order)
The destination & log directives appear to be fine. It’s the filter I’m having trouble with in both files.
In each the filter is setup as such
(DNS lookup is NOT enabled)
filter f_name { host( or host(""); };
problem I’m having is syslog messages I’m receiving are being written to all the log files not just the one I want it in. It’s as if the filter isn’t even there.
Any help would be great.
Thanks
On 29/03/18 15:44, cisaksen wrote:
[color=blue]
I’m trying to setup a syslog-ng server and it’s sort of working. The
intent is to receive syslog messages from other servers and sort them on
the syslog server based on the incoming IP address of the
server/device/appliance that is sending them. So I want a separate log
file for each system.
I setup a external source directive in syslog-ng.conf
source extsrc {
udp(ip(“X.X.X.X”) port(514));
};
then I setup 2 files that are included and in the main syslog-ng.conf
(verified that they are included properly)
each have a filter, destination and log directive (in this order)
The destination & log directives appear to be fine. It’s the filter I’m
having trouble with in both files.
In each the filter is setup as such
(DNS lookup is NOT enabled)
filter f_name { host( or host(“”); };
problem I’m having is syslog messages I’m receiving are being written to
all the log files not just the one I want it in. It’s as if the filter
isn’t even there.[/color]
Please can you clarify the above last paragraph - are the relevant
syslog messages being written to the separate log files (as required) as
well as all the other log files?
If so, that would suggest your filtering is working but that you haven’t
adjusted all the other log statements to _not_log if match new filter.
HTH.
Simon
SUSE Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
Easiest way would be to write it out.
File1
filter f_name1 { host( or host(""); };
destination d_name1 { file(/var/log/name1.log"); };
log { source(extsrc); destination(d_name1) filter(f_name1); };
File2
filter f_name2 { host( or host(""); };
destination d_name2 { file(/var/log/name2.log"); };
log { source(extsrc); destination(d_name2) filter(f_name2); };
If a syslog message comes in from ipaddress1 - it gets written to both logs. Now I’m not sure a IP address is usable in a host statement. Seen couple of articles on using netmask but there are some conflicting information regarding a match on ip vs a ip from a subnet.
On 29/03/18 17:54, cisaksen wrote:
[color=blue]
Easiest way would be to write it out.
File1
filter f_name1 { host( or host(“”); };
destination d_name1 { file(/var/log/name1.log"); };
log { source(extsrc); destination(d_name1) filter(f_name1); };
File2
filter f_name2 { host( or host(“”); };
destination d_name2 { file(/var/log/name2.log"); };
log { source(extsrc); destination(d_name2) filter(f_name2); };
If a syslog message comes in from ipaddress1 - it gets written to both
logs. Now I’m not sure a IP address is usable in a host statement.
Seen couple of articles on using netmask but there are some conflicting
information regarding a match on ip vs a ip from a subnet.[/color]
To match an IP address try using netmask(a.b.c.d/32) rather than host.
HTH.
Simon
SUSE Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
Ok I’ll try that, but I must misunderstand what the filter directive is.
My understanding is that a message must match the filter in order to be written to the specified log file ? Is this not correct ?
Ok - now I’m really confused-- I verified that a message must match the filter in order to be written to the specified log file.
Here is what is really interesting, I’m running syslog-ng interactively /usr/sbin/syslog-ng -Fevd per https://syslog-ng.com/documents/html/syslog-ng-ose-3.6-guides/en/syslog-ng-ose-guide-admin/html/chapter-troubleshooting-syslog-ng.html
to troubleshoot and what do I see but that the filters are in fact matching & not-matching respectively, but it is still writing the message to the log file even when it states that is not a match.
[2018-03-29T14:09:43.695449] Initializing destination file writer; template=’/var/log/syslog/name2.log’, filename=’/var/log/syslog/name2.log’
[2018-03-29T14:09:43.696451] Filter rule evaluation begins; rule=‘f_name2’, location=’/etc/syslog-ng/conf.d/name2.conf:7:18’
[2018-03-29T14:09:43.696469] Filter node evaluation result; result=‘not-match’
[2018-03-29T14:09:43.696478] Filter rule evaluation result; result=‘not-match’, rule=‘f_name2’, location=’/etc/syslog-ng/conf.d/name2.conf:7:18