Syslog Content Based Filtering
Is there a way to perform a content based filtering with syslog? Maybe a particular implementation that does content based filtering or some way to filter out the log files outside of the implementation itself?
|
I think that language like "content based filtering" is probably a little too grand as it's normally related to enterprise Layer 7 load balancing and such, but I think I know what you mean, in which case check out syslog-ng with its "match()" functionality.
|
Thank you for your reply. My apology. I am a bit new to the world of network, so please bear with me.
I have in fact tried syslog-ng from balabit. However, I ran into issues with that implementation. Here is a sample of the syslog-ng messages my router sends to my syslog server: <133>Jul 02 10:49:45 default-system-log [audit][notice] TEST!!! As you can see, the third param "default-system-log" is in a spot where the host name usually resides. I want to be able to filter on this field. However, it seems that with syslog-ng, they discard this field and replace it with the actual IP. I have tried various different macros such as $HOST, $HOST_FROM, $FULLHOST, etc. All these macros end up printing out either the IP or the DNS name of the host. None returns the actual string that I have passed in the host field in the actual syslog message. Any idea how to get to that attribute? Should I pursue a different syslog implementation, like rsyslog?
I have found the solution.
In the source definition of the syslog-ng configuration, the param "keep-alive(yes)" needs to be enabled. Once that is enabled, the string I am passing through the host param becomes available for matching and logging. That solves the problem. Thanks for your help, acid_kewpie!
Enabling a keep-alive won't change the data saved to a log file. There must be a different change you made too, e.g. setting keep_hostname(no) and chain_hostname(yes), or setting a bad_hostname to filter out the non-hostname you have.
|
My apology. I meant "keep_hostname(yes)".
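To make the thread's conclusion concrete, here is an added syslog-ng 3.x configuration (not posted by anyone in the thread) that keeps the hostname field of the sample message as the router sent it and routes those messages to their own file. It assumes the router sends over UDP to port 514, that /var/log/router.log is an acceptable destination, and that the text after the header ("TEST!!!") is parsed into the MESSAGE field; adjust those to your setup.

```conf
# Added example configuration, not from the original thread.
# Sample input from the thread:
#   <133>Jul 02 10:49:45 default-system-log [audit][notice] TEST!!!
# <133> decodes as facility 16 (local0) and severity 5 (notice): 16*8 + 5 = 133.

@version: 3.0

source s_router {
    # keep_hostname(yes) keeps "default-system-log" from the message as $HOST.
    # With the default keep_hostname(no), syslog-ng replaces it with the
    # sender's resolved address, which is why $HOST/$FULLHOST showed the IP.
    # use_dns(no) avoids a reverse lookup on every message (assumed preference).
    udp(ip(0.0.0.0) port(514) keep_hostname(yes) use_dns(no));
};

# host() is a regex match against $HOST, which now carries the literal
# string from the message.
filter f_router_host { host("^default-system-log$"); };

# match() with value() restricts the regex to one field instead of the
# whole reconstructed line (syslog-ng 3.0 and later).
filter f_test_marker { match("TEST" value("MESSAGE")); };

destination d_router { file("/var/log/router.log"); };

log {
    source(s_router);
    filter(f_router_host);
    filter(f_test_marker);
    destination(d_router);
};
```

keep_hostname(yes) can also be set once in the global options { } block instead of per source. The alternatives mentioned above behave differently: chain_hostname(yes) prepends the relay chain to $HOST rather than preserving the original field, and bad_hostname() is a regex that tells syslog-ng which strings in the hostname position are not hostnames, so it would treat "default-system-log" as part of the message rather than expose it in $HOST.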
|