[ale] Two syslog-ng questions
John Mills
johnmills at speakeasy.net
Mon Jun 7 17:15:45 EDT 2010
ALErs -
I use 'syslog-ng' to capture and separate log messages sent to a central
server from several "systems under test". I defined a 'source' for
incoming syslog traffic:
source ext_src { udp(ip("0.0.0.0") port(514)); };
I have a pair of explicit filter rules:
filter f_mybaby { host("<hostname>"); };
filter f_notmybaby { not host("<hostname>"); };
and use them in two 'log' statements driven by the same 'source' and
divert the messages into two log files:
a. /var/log/mybaby.log
b. /var/log/net_logs.log
This works but it won't scale well for me.
Question 1:
I wasn't able to set up the chain to select by sending IP, but I would
prefer the unit's IP to my present '<hostname>' form. (I had to look
at the log to learn what hostname my test unit was actually awarded.)
How can I do the screening on IP instead of <hostname>?
Question 2:
Ultimately I would like a more agile way to configure the capture. It
sounds like syslog-ng's "send to program" feature could be a good choice,
and my screening program could effectively 'grep' or sort against some
file contents or environmental string I could change as needed.
How have other folks dealt with the problem of capturing somewhat
volatile test data using 'syslog-ng'? General suggestions and approaches
welcome.
TIA.
- Mills
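One way to do the selection by sender IP (Question 1) and the hand-off to an external program (Question 2), as an added example written for this page, not part of Mills's post or of the syslog-ng documentation; the addresses, file paths and the sorter program are assumed placeholders:

```conf
# Added example, not from the original post. Addresses, paths and the
# sorter script below are constructed placeholders.

# host() in the post matches the HOST field, which the sending unit fills
# in itself. With keep_hostname(no) and use_dns(no), syslog-ng overwrites
# that field with the UDP sender address, so $HOST and $SOURCEIP agree.
options { keep_hostname(no); use_dns(no); };

# Same UDP listener as in the post.
source s_ext { udp(ip("0.0.0.0") port(514)); };

# netmask() tests the sender address ($SOURCEIP), not the HOST field, so a
# unit cannot change which file it lands in by changing its hostname.
filter f_mybaby    { netmask("192.0.2.17/32"); };      # one unit under test
filter f_notmybaby { not netmask("192.0.2.17/32"); };
filter f_testlab   { netmask("192.0.2.0/24"); };       # the whole lab subnet

destination d_mybaby { file("/var/log/mybaby.log"); };

# One file per sending IP: new units need no new filter/destination pair.
destination d_per_ip {
    file("/var/log/units/$SOURCEIP.log" create_dirs(yes));
};

# Question 2: syslog-ng starts the program once and writes every matching
# message to its stdin; the script (hypothetical) can sort against a file
# or environment string that is changed between test runs.
destination d_sorter { program("/usr/local/bin/sort-test-logs.sh"); };

log { source(s_ext); filter(f_mybaby);    destination(d_mybaby); };
log { source(s_ext); filter(f_notmybaby); destination(d_per_ip); };
log { source(s_ext); filter(f_testlab);   destination(d_sorter); };
```

A UDP source address can itself be forged, so on a network that is not fully trusted this sorts traffic by where it appears to come from; it does not authenticate the sending unit.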