LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Syslog Content Based Filtering (http://www.linuxquestions.org/questions/linux-newbie-8/syslog-content-based-filtering-737301/)

emmitt1219 07-02-2009 04:29 PM

Syslog Content Based Filtering
 
Is there a way to perform a content based filtering with syslog? Maybe a particular implementation that does content based filtering or some way to filter out the log files outside of the implementation itself?

acid_kewpie 07-02-2009 04:35 PM

i think that language like "content based filtering" is probably a little too grand as it's normally related to enterprise Layer 7 load balancing and such, but I think I know what you mean, in which case check out syslog-ng with it's "match()" functionality.

emmitt1219 07-09-2009 06:33 PM

Thank you for your reply. My apology. I am a bit new to the world of network, so please bear with me.

I have in fact tried syslog-ng from balabit. However, I ran into issues with that implementation.

Here is a sample of the syslog-ng messages my router sends to my syslog server:
<133>Jul 02 10:49:45 default-system-log [audit][notice] TEST!!!


As you can see, the third param "default-system-log" is in a spot where the host name usually resides. I want to be able to filter on this field. However, it seems that with syslog-ng, they discard this field and replace it with the actual ip. I have tried various different macros such as $HOST, $HOST_FROM, $FULLHOST, etc. All these macros end up printing out either the ip or the dns name of the hosts. None returns the actual string that I have passed in the host field in the actual syslog message. Any idea how to get to that attribute? Should I pursue a different syslog implementation, like rsyslog?

emmitt1219 07-10-2009 04:43 PM

I have found the solution.

In the source definition of the syslog-ng configuration, the param "keep-alive(yes)" needs to be enabled. Once that is enabled, the string I am passing through the host param becomes available for matching and logging. That solves the problem. Thanks for your help, acid_kewpie!

acid_kewpie 07-11-2009 02:04 AM

enabling a keep-alive won't change the data saved to a log file. There must be a different change you made to, e.g. setting keep_hostname(no) and chain_hostname(yes), or setting a bad_hostname to filter out the non-hostname you have

emmitt1219 07-11-2009 06:06 PM

My apology. I meant "keep_hostname(yes)".


All times are GMT -5. The time now is 01:09 PM.