[SOLVED] Syslog-ng :: Filter internal logs

Rahil Parikh · 10-18-2011, 03:52 PM

Hi,

I am trying to setup a test lab where there will be two syslog-ng (v2) servers. Each is sending it's own logs (host specific + internal syslog-ng) logs to the other syslog server.

How can receiving host identify if it's a normal log or syslog-ng internal log?

Thanks for help!

Reuti · 10-19-2011, 06:24 AM

What do you mean by “normal log”? You could define separate sources for the local logs and the ones received via network.

Rahil Parikh · 10-19-2011, 09:06 AM

Thanks for reply! Sorry if I was not clear at first.

What I meant was --

SERVER1 will send its own syslog-ng's internal logs ( i.e. logs generated by syslog-ng daemon ) to SERVER2 in addition to normal logs ( i.e. logs under /var/log ). I want SERVER2 to be able to distinguish between SERVER1's internal logs and other logs from that system.

I hope this will help.

Thanks!

Reuti · 10-19-2011, 09:12 AM

Don’t enable udp in the normal source src {...}; statement, but make an extra one like:

Code:

source foobar {
        udp(ip("192.168.123.123") port(514));
};

Then you can use this source for the log statements.

Rahil Parikh · 10-19-2011, 09:23 AM

Thanks Reuti! But, SERVER1 will send all other types of log ( i.e. auth, kern, cron etc... ) as well as messages generated by driver 'internal()'. That's why I don't know how to distinguish between other/normal logs and 'internal' logs.

ptrivino · 10-19-2011, 10:08 AM

Perhaps "tag" the logs leaving Server1?

Reuti · 10-19-2011, 10:30 AM

The internally generated ones are the ones with the program name syslog-ng for which you can define a filter, and the “-- MARK --” entries. You could also define two sources at SERVER1 and route them to two different ports at the destination.

Rahil Parikh · 10-21-2011, 10:08 AM

Thanks for replies! I think I will be using some special port for syslog-ng internal() messages.