LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 07-02-2009, 04:29 PM   #1
emmitt1219
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Rep: Reputation: 0
Syslog Content Based Filtering


Is there a way to perform a content based filtering with syslog? Maybe a particular implementation that does content based filtering or some way to filter out the log files outside of the implementation itself?
 
Old 07-02-2009, 04:35 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
i think that language like "content based filtering" is probably a little too grand as it's normally related to enterprise Layer 7 load balancing and such, but I think I know what you mean, in which case check out syslog-ng with it's "match()" functionality.
 
Old 07-09-2009, 06:33 PM   #3
emmitt1219
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Thank you for your reply. My apology. I am a bit new to the world of network, so please bear with me.

I have in fact tried syslog-ng from balabit. However, I ran into issues with that implementation.

Here is a sample of the syslog-ng messages my router sends to my syslog server:
<133>Jul 02 10:49:45 default-system-log [audit][notice] TEST!!!


As you can see, the third param "default-system-log" is in a spot where the host name usually resides. I want to be able to filter on this field. However, it seems that with syslog-ng, they discard this field and replace it with the actual ip. I have tried various different macros such as $HOST, $HOST_FROM, $FULLHOST, etc. All these macros end up printing out either the ip or the dns name of the hosts. None returns the actual string that I have passed in the host field in the actual syslog message. Any idea how to get to that attribute? Should I pursue a different syslog implementation, like rsyslog?
 
Old 07-10-2009, 04:43 PM   #4
emmitt1219
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
I have found the solution.

In the source definition of the syslog-ng configuration, the param "keep-alive(yes)" needs to be enabled. Once that is enabled, the string I am passing through the host param becomes available for matching and logging. That solves the problem. Thanks for your help, acid_kewpie!
 
Old 07-11-2009, 02:04 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
enabling a keep-alive won't change the data saved to a log file. There must be a different change you made to, e.g. setting keep_hostname(no) and chain_hostname(yes), or setting a bad_hostname to filter out the non-hostname you have

Last edited by acid_kewpie; 07-11-2009 at 02:05 AM.
 
Old 07-11-2009, 06:06 PM   #6
emmitt1219
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
My apology. I meant "keep_hostname(yes)".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Content Filtering priyadarshan Linux - Security 6 06-23-2009 02:50 AM
Content Filtering without a Proxy mikes63737 Linux - Networking 5 03-02-2008 07:42 PM
What is 'content filtering'? rsean LQ Articles Discussion 1 07-26-2007 11:44 PM
Content Filtering metallica1973 Linux - Security 6 12-29-2006 08:28 PM
Content Filtering using Squid toraghun Red Hat 3 11-10-2005 10:42 PM


All times are GMT -5. The time now is 08:46 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration