[ale] Two syslog-ng questions

John Mills johnmills at speakeasy.net
Mon Jun 7 17:15:45 EDT 2010


ALErs -

I use 'syslog-ng' to capture and separate log messages sent to a central 
server from several "systems under test". I defined a 'source' for 
incoming syslog traffic:

source ext_src { udp(ip("0.0.0.0") port(514)); };

I have a pair of explicit filter rules:

filter f_mybaby { host("<hostname>"); };
filter f_notmybaby { not host("<hostname>"); };

and use them in two 'log' statements driven by the same 'source' and 
divert the messages into two log files:

  a. /var/log/mybaby.log
  b. /var/log/net_logs.log

This works but it won't scale well for me.

Question 1:
  I wasn't able to set up the chain to select by sending IP, but I would 
prefer the unit's IP to my present '<hostname>' form. (I had to look 
at the log to learn what hostname my test unit was actually awarded.)

  How can I do the screening on IP instead of <hostname>?

Question 2:
  Ultimately I would like a more agile way to configure the capture. It 
sounds like syslog-ng's "send to program" feature could be a good choice, 
and my screening program could effectively 'grep' or sort against some 
file contents or environmental string I could change as needed.

  How have other folks dealt with the problem of capturing somewhat 
volatile test data using 'syslog-ng'? General suggestions and approaches 
welcome.

TIA.

  - Mills
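An added example configuration, not from the original post, showing one way to do the selection by sender address with syslog-ng's netmask() filter and the $SOURCEIP macro. The addresses 192.0.2.10 and the /var/log/units path are placeholders; substitute the test unit's real address.

```conf
# Added example, not the poster's configuration.
# Source from the original post, with the parentheses balanced.
source ext_src {
    udp(ip("0.0.0.0") port(514));
};

# Match on the UDP source address of the packet rather than the HOSTNAME
# field inside the message, which the sending host fills in itself.
# netmask() takes "address/bits"; /32 selects exactly one host.
filter f_mybaby    { netmask("192.0.2.10/32"); };
filter f_notmybaby { not netmask("192.0.2.10/32"); };

destination d_mybaby   { file("/var/log/mybaby.log"); };
destination d_net_logs { file("/var/log/net_logs.log"); };

log { source(ext_src); filter(f_mybaby);    destination(d_mybaby); };
log { source(ext_src); filter(f_notmybaby); destination(d_net_logs); };

# Scales without a filter per unit: one file per sending address, using
# the $SOURCEIP macro in the file name. create_dirs(yes) lets a new unit
# start logging without any change to this configuration.
destination d_per_ip {
    file("/var/log/units/${SOURCEIP}.log" create_dirs(yes));
};
log { source(ext_src); destination(d_per_ip); };
```

The source address of a UDP datagram is not authenticated, so on a shared network a tcp() source, or a TLS-protected one, gives a more trustworthy sender identity than plain UDP.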


