Re: regex and priority(local7) question: msg#00018

syslog-ng

Subject: Re: regex and priority(local7) question

Awesome, works like a champ. I have to say this syslog-ng is the cats a55 in logging applications.

Thanks again.

~!>D

--- snip ------


filter f_local7 {
facility(local7) and level(debug..emerg);
};
filter f_pixm {
match("PIX");
};
filter f_misclocal7 {
filter (f_local7) and not filter(f_pixm);
};

filter f_iss {
match("issDaemon");
};
filter f_snmp {
match("ucd-snmp");
};



## Custom Logs
log { source(net); filter(f_pixm); destination(pix); };
log { source(net); filter(f_misclocal7); destination(local7); };
log { source(net); filter(f_iss); destination(iss); };
log { source(net); filter(f_snmp); destination(snmp); };

Rule, Ted wrote:

all levels


-----Original Message-----
From: syslog-ng-admin@xxxxxxxxxxxxxxxx [mailto:syslog-ng-admin@xxxxxxxxxxxxxxxx] On Behalf Of cdowns
Sent: Wednesday 03 March 2004 14:38
To: syslog-ng@xxxxxxxxxxxxxxxx
Subject: RE: [syslog-ng]regex and priority(local7) question

I do have one quick question on the

filter f_local7 { facility(local7) and level(debug..emerg); };

does this mean it is grabbing all levels between debug - emerg, or just those 2?

thanks again.

~!>D




This config snippet works for me .... my PIXies are set to log via TCP1468 rather than UDP/514.
Real IP Addresses replaced with fakes. As with your situation, I have other network gear running on local7 as well. Syslog-ng's wonderful filtration allows for a nice separation of all the classes of switch/router/firewall/VPN-bricks.


Ted

......
source local {
unix_stream("/dev/log" max-connections(200) keep-alive(yes) );

# UDP listeners for Internal syslog-ng interconnections
udp(ip(127.0.0.1) port(514));
udp(ip(1.2.3.4) port(514));

};

source pixtcp {
tcp(ip(1.2.3.4) port(1468)
max-connections(10) keep-alive(yes));
};

filter f_local7 { facility(local7) and level(debug..emerg); };
filter f_pixmsg { match("%PIX"); };
filter f_misclocal7 { filter(f_local7)
and not filter(f_pixmsg); };

destination d_local7 { file("/var/log/local7.debug" sync(0) ); };
destination d_pixlog { file("/var/log/pixlog.debug" sync(0) ); };

log { source(pixtcp);
filter(f_local7); filter(f_pixmsg); destination(d_pixlog); };
log { source(local); filter(f_misclocal7); destination(d_local7); };

......




-----Original Message-----
From: syslog-ng-admin@xxxxxxxxxxxxxxxx
[mailto:syslog-ng-admin@xxxxxxxxxxxxxxxx] On Behalf Of cdowns
Sent: Monday 01 March 2004 17:11
To: syslog-ng@xxxxxxxxxxxxxxxx
Subject: [syslog-ng]regex and priority(local7) question


Good Morning,
I'm new to the list and have a couple questions.

I have a PIX firewalls logging on local7.info, how can I match this correctly? I also have switches logging on local7.info but I need this one pix removed and placed into its own destination.

Where can I get a list of the regex syntax used in syslog-ng? Like perl / awk / grep etc.

Here is what I currently have:

------ Snip -------
## Regex
filter f_fw01 {
host("x.x.x.x") and match("PIX");
};
filter f_fw02 {
host("x.x.x.x") and match("PIX");
};
filter f_fw03 {
host("x.x.x.x") and match("PIX");
};
filter f_fw04 {
host("x.x.x.x") and match("PIX");
};

#!!! not working yet.. .
filter f_pix{
facility(local7) and match("%PIX*");
};

filter f_iss {
match("issDaemon");
};
filter f_snmp {
match("ucd-snmp");
};

## everything else incoming
filter f_local7 { facility(local7); };


----- snip ------

TIA.

~!>D
_______________________________________________
syslog-ng maillist - syslog-ng@xxxxxxxxxxxxxxxx
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at
http://www.campin.net/syslog-ng/faq.html






**************************************************************
**********************************

This E-mail message, including any attachments, is intended only for the person
or entity to which it is addressed, and may contain confidential information.
If you are not the intended recipient, any review, retransmission, disclosure,
copying, modification or other use of this E-mail message or attachments is
strictly forbidden.
If you have received this E-mail message in error, please contact the author and
delete the message and any attachments from your computer.
You are also advised that the views and opinions expressed in this E-mail
message and any attachments are the author's own, and may not reflect the views
and opinions of FLEXTECH Television Limited.
**************************************************************
**********************************
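
An added example, not part of the original thread and not syslog-ng's own code: a small Python model of the filters discussed above, showing that level(debug..emerg) covers every severity and how f_pixmsg and f_misclocal7 split local7 traffic. It assumes a single merged source, Python's `re.search` standing in for match(), and constructed sample lines.

```python
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL7 = 23  # syslog facility code for local7

def level_range(first, last):
    """Levels covered by level(first..last): both endpoints and all between."""
    a, b = sorted((LEVELS.index(first), LEVELS.index(last)))
    return set(LEVELS[a:b + 1])

def parse_pri(line):
    """Split '<PRI>rest' into (facility number, level name, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)", line)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    return pri >> 3, LEVELS[pri & 7], m.group(2)

def f_local7(fac, lvl, msg):
    return fac == LOCAL7 and lvl in level_range("debug", "emerg")

def f_pixmsg(fac, lvl, msg):
    return re.search("%PIX", msg) is not None

def f_misclocal7(fac, lvl, msg):
    return f_local7(fac, lvl, msg) and not f_pixmsg(fac, lvl, msg)

def route(line):
    """Destination the two log statements would pick (sources merged here)."""
    rec = parse_pri(line)
    if f_local7(*rec) and f_pixmsg(*rec):
        return "d_pixlog"
    if f_misclocal7(*rec):
        return "d_local7"
    return None  # not local7: left to other log statements

# Constructed sample lines (PRI = facility * 8 + level)
SAMPLES = [
    "<190>Mar 03 2004 14:38:01: %PIX-6-302013: Built outbound TCP connection",
    "<190>Mar  3 14:38:02 sw1 %LINK-3-UPDOWN: Interface changed state",
    "<191>Mar  3 14:38:03 sw1 debug output",
    "<29>Mar  3 14:38:04 host issDaemon: started",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(route(line), "<-", line)
```
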

