Logging, Syslog and Log Analysis Forums
Topic: How do I specify a unique host as source?
HelpdeskMonkey
« on: July 22, 2010, 03:49:05 pm »

Our syslog-ng server is configured with one source that captures all local and remote logs. This actually works fine because our client servers that run syslogd have fairly simple configs.

The problem is with our new PGP Universal server. It uses syslog-ng with a series of program specific filters that our syslog-ng server doesn't know what to do with. I am forbidden from changing the PGP conf files or we void our support contract, in addition to the fact that they all get re-written to defaults whenever it reboots. I also can't change the whole way we do our syslog stuff for just one server. What I want to do is separate out the PGP server from the rest of the servers.

The PGP server is going to send everything across port 514 to the syslog-ng server and I can't change that. The syslog-ng server is going to have one source that captures all local and remote logs and I can't change that either (our Linux admin is like all Linux admins so he won't budge there).

Can I create a second source that defines the PGP server, or will that conflict with the current source that's a catch-all? How do I exclude a host from the catch-all source and free it up to be defined? In addition, how do I deal with the program-specific filters? Does syslog-ng just pass on the filter name and I can catch it that way? It's not using any of the local0-7 facilities; it's creating its own custom source listening to a specific port across /dev/log and applying its own program-specific filters.

I'm also a little confused as to how things look when the syslog-ng server is receiving log files. If the PGP server has its source defined as s_local, but the syslog-ng server has its source defined as just local, does it pick up the messages? Or does that not matter, and it's just transferring over based on the facility it's using? This is how the PGP filters look.

#
# PGP-specific filters
#
filter f_proxy { program("pgp/messaging"); };
filter f_backup { program("pgp/backup"); };
filter f_update { program("pgp/update"); };
filter f_cluster { program("pgp/cluster"); };
filter f_datalayer { program("pgp/datalayer"); };
filter f_client { program("pgp/client"); };
filter f_mailfilter { program("pgp/mailfilter"); };
filter f_tcpwrapper { program("pgp/tcpwrapper"); };
filter f_tokend { program("pgp/tokend"); };
filter f_sdkrmiservice { program("pgp/sdkrmiservice"); };
filter f_admin { program("pgp/admin"); };
filter f_wm { program("pgp/wm"); };
filter f_vkd { program("pgp/vkd"); };
filter f_pgp { program("pgp/"); };
Admin
« Reply #1 on: July 22, 2010, 04:03:49 pm »

Let's take this one thing at a time...
Can I create a second source that defines the PGP server, or will that conflict with the current source that's a catch all? How do I exclude a host from the catch-all source and free it up to be defined? In addition, how do I deal with the program specific filters?
Yes, this is pretty easy.  I am assuming that the syslog-ng server is not the same server as the PGP server.  On your syslog-ng server, you'll need a config that basically looks like this:
Code:

# The PGP server sends to UDP/514. ip() and port() are options of the
# udp() driver, not a source driver on their own.
source s_net { udp(ip("0.0.0.0") port(514)); };

# netmask() is matched against the address the message was received
# from. A /32 (255.255.255.255) mask selects exactly one host.
filter f_pgp { netmask("192.168.0.5/32"); };
filter f_not_pgp { not netmask("192.168.0.5/32"); };
destination d_pgp { file("/var/log/pgp"); };
destination d_messages { file("/var/log/messages"); };
log { source(s_net); filter(f_pgp); destination(d_pgp); };
log { source(s_net); filter(f_not_pgp); destination(d_messages); };

Quote
In addition, how do I deal with the program specific filters? Does syslog-ng just pass on the filter name and I can catch it that way? It's not using any of the local0-7 facilities, it's creating it's own custom source listening to a specific port across /dev/log and applying it's own program specific filters.
No, it doesn't pass on the filters.  But, I *think* that the program filters may work on the syslog-ng server.  The program filter is simply looking at a specific part of a syslog message for some text, and runs a compare on that text.

So, if you are wanting to separate those logs out by program type, the way it is done on the PGP server, you can try copying the filters over to the syslog-ng server.  If they don't work, we'll have to take a look at the content of some of the logs to see if we can build alternate filters using the match() command.
HelpdeskMonkey
« Reply #2 on: July 27, 2010, 11:59:36 am »

Thanks for the reply, so if I understand you correctly then I would configure something like this?

# PGP Server specific filters
#
# netmask() is checked against the address the message was received from.
# A 255.255.255.0 mask would match every host in 192.168.1.0/24; to single
# out one host, use a host mask (255.255.255.255, i.e. /32).
filter f_pgp_host { netmask("192.168.1.100/255.255.255.255"); };
filter f_pgp_proxy { program("pgp/messaging"); };
filter f_pgp_backup { program("pgp/backup"); };
filter f_pgp_update { program("pgp/update"); };
filter f_pgp_cluster { program("pgp/cluster"); };
filter f_pgp_datalayer { program("pgp/datalayer"); };
filter f_pgp_client { program("pgp/client"); };
filter f_pgp_mailfilter { program("pgp/mailfilter"); };
filter f_pgp_tcpwrapper { program("pgp/tcpwrapper"); };
filter f_pgp_tokend { program("pgp/tokend"); };
filter f_pgp_sdkrmiservice { program("pgp/sdkrmiservice"); };
filter f_pgp_admin { program("pgp/admin"); };
filter f_pgp_wm { program("pgp/wm"); };
filter f_pgp_vkd { program("pgp/vkd"); };
# program() is a regex match, so "pgp/" also matches every program above.
filter f_pgp_pgp { program("pgp/"); };
 
# PGP Server specific destinations
#
# Each destination block must be closed with "};". The $R_* macros are the
# time the syslog-ng server received the message; create_dirs(yes) lets
# syslog-ng create the per-host and per-day directories itself.
destination d_pgp_proxy {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/proxy.log" create_dirs(yes));
};
destination d_pgp_backup {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/backup.log" create_dirs(yes));
};
destination d_pgp_update {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/update.log" create_dirs(yes));
};
destination d_pgp_cluster {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/cluster.log" create_dirs(yes));
};
destination d_pgp_datalayer {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/datalayer.log" create_dirs(yes));
};
destination d_pgp_client {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/client.log" create_dirs(yes));
};
destination d_pgp_mailfilter {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/mailfilter.log" create_dirs(yes));
};
destination d_pgp_tcpwrapper {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/tcpwrapper.log" create_dirs(yes));
};
destination d_pgp_tokend {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/tokend.log" create_dirs(yes));
};
destination d_pgp_sdkrmiservice {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/sdkrmiservice.log" create_dirs(yes));
};
destination d_pgp_admin {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/admin.log" create_dirs(yes));
};
destination d_pgp_wm {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/wm.log" create_dirs(yes));
};
destination d_pgp_vkd {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/vkd.log" create_dirs(yes));
};
destination d_pgp_pgp {
        file("/local/Sys_Logs/$HOST/$R_YEAR-$R_MONTH-$R_DAY/pgp.log" create_dirs(yes));
};
 
# PGP Server specific log statements
#
# "local" is the existing catch-all source on the syslog-ng server. Filters
# in one log statement are ANDed: host match AND program match.
log { source(local); filter(f_pgp_host); filter(f_pgp_proxy); destination(d_pgp_proxy); };
log { source(local); filter(f_pgp_host); filter(f_pgp_backup); destination(d_pgp_backup); };
log { source(local); filter(f_pgp_host); filter(f_pgp_update); destination(d_pgp_update); };
log { source(local); filter(f_pgp_host); filter(f_pgp_cluster); destination(d_pgp_cluster); };
log { source(local); filter(f_pgp_host); filter(f_pgp_datalayer); destination(d_pgp_datalayer); };
log { source(local); filter(f_pgp_host); filter(f_pgp_client); destination(d_pgp_client); };
log { source(local); filter(f_pgp_host); filter(f_pgp_mailfilter); destination(d_pgp_mailfilter); };
log { source(local); filter(f_pgp_host); filter(f_pgp_tcpwrapper); destination(d_pgp_tcpwrapper); };
log { source(local); filter(f_pgp_host); filter(f_pgp_tokend); destination(d_pgp_tokend); };
log { source(local); filter(f_pgp_host); filter(f_pgp_sdkrmiservice); destination(d_pgp_sdkrmiservice); };
log { source(local); filter(f_pgp_host); filter(f_pgp_admin); destination(d_pgp_admin); };
log { source(local); filter(f_pgp_host); filter(f_pgp_wm); destination(d_pgp_wm); };
log { source(local); filter(f_pgp_host); filter(f_pgp_vkd); destination(d_pgp_vkd); };
log { source(local); filter(f_pgp_host); filter(f_pgp_pgp); destination(d_pgp_pgp); };
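The routing the two replies above describe, as an added example that is not part of the original thread and is not syslog-ng's own code: a Python model of the netmask() filter from Reply #1 and of the program() filters and destinations in the config in Reply #2, run over constructed syslog lines so the decisions can be checked before a production syslog-ng.conf is reloaded. The PGP host address 192.168.1.100, the catch-all file /local/Sys_Logs/messages, keep_hostname(yes) on the server, and the sample lines are all assumptions, not facts from the thread.

```python
"""Model of the message routing the syslog-ng server in this thread does.

Added example; not code from the thread, the PGP appliance or syslog-ng.
It re-implements what netmask() (Reply #1) and the program() filters and
destinations (Reply #2) decide for one message. Assumed, not from the
thread: the PGP host address, the catch-all file name, and that the
server runs keep_hostname(yes), so $HOST is whatever the sender wrote.
"""
import ipaddress
import re
from datetime import datetime
from typing import Callable, Dict, List, Optional

# RFC 3164 line as it arrives on UDP/514: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# program() patterns from the PGP filters in the thread, mapped to the file
# names in the OP's destinations. program() is an unanchored regex match on
# the TAG field, so "pgp/" also matches every other entry: each PGP line
# gets a second copy in pgp.log.
PGP_PROGRAMS: Dict[str, str] = {
    "pgp/messaging": "proxy.log", "pgp/backup": "backup.log",
    "pgp/update": "update.log", "pgp/cluster": "cluster.log",
    "pgp/datalayer": "datalayer.log", "pgp/client": "client.log",
    "pgp/mailfilter": "mailfilter.log", "pgp/tcpwrapper": "tcpwrapper.log",
    "pgp/tokend": "tokend.log", "pgp/sdkrmiservice": "sdkrmiservice.log",
    "pgp/admin": "admin.log", "pgp/wm": "wm.log", "pgp/vkd": "vkd.log",
    "pgp/": "pgp.log",
}
PGP_HOST_NET = "192.168.1.100/32"                    # assumed; /32 = one host
PGP_PATH = "/local/Sys_Logs/{host}/{date}/{file}"    # OP's destination template
MESSAGES_PATH = "/local/Sys_Logs/messages"           # assumed catch-all file
RECEIVED = datetime(2010, 7, 22, 15, 49, 5)          # stands in for $R_* macros
# Only a plain hostname may become a directory name: the HOST field is
# sender-supplied, so it is checked before it is used in a path.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def parse(line: str) -> Optional[dict]:
    """Split one RFC 3164 line into the fields syslog-ng filters look at."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"],
            "program": m["tag"], "pid": m["pid"], "msg": m["msg"]}


def netmask(cidr: str) -> Callable[[str], bool]:
    """netmask(): tests the address the datagram came from, not the HOST header."""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda peer_ip: ipaddress.ip_address(peer_ip) in net


def program(pattern: str) -> Callable[[dict], bool]:
    """program(): unanchored regex match against the TAG (program) field."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["program"]) is not None


f_pgp_host = netmask(PGP_HOST_NET)
f_pgp_programs = [(program(p), fname) for p, fname in PGP_PROGRAMS.items()]


def safe_host(host: str) -> str:
    return host if HOSTNAME_RE.match(host) else "invalid-host"


def route(peer_ip: str, line: str, received: datetime = RECEIVED) -> List[str]:
    """Files this message is written to, following the thread's log{} paths:
    PGP host AND a pgp/* program -> per-program file(s); any other sender ->
    catch-all. A PGP-host line matching no program filter is dropped, which
    is what the two log paths in the thread do unless a third one is added."""
    msg = parse(line)
    if msg is None:
        return []
    if not f_pgp_host(peer_ip):
        return [MESSAGES_PATH]
    date = received.strftime("%Y-%m-%d")              # $R_YEAR-$R_MONTH-$R_DAY
    return [PGP_PATH.format(host=safe_host(msg["host"]), date=date, file=fname)
            for flt, fname in f_pgp_programs if flt(msg)]


# Constructed sample traffic (sender address, raw datagram); not real PGP output.
SAMPLES = [
    ("192.168.1.100", "<14>Jul 22 15:49:05 pgp-universal pgp/messaging[2231]: proxy: relayed message 8f3a"),
    ("192.168.1.100", "<13>Jul 22 15:49:06 pgp-universal sshd[911]: Accepted publickey for admin"),
    ("192.168.1.50", "<13>Jul 22 15:49:07 fileserver01 cron[4512]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("10.0.0.7", "<13>Jul 22 15:49:08 pgp-universal pgp/admin[1]: header claims to be the PGP host"),
    ("192.168.1.100", "<14>Jul 22 15:49:09 ../../etc pgp/admin[7]: hostname chosen to escape the log tree"),
]


def route_samples() -> List[List[str]]:
    """Route every constructed sample; [] means syslog-ng would write it nowhere."""
    return [route(ip, line) for ip, line in SAMPLES]


if __name__ == "__main__":
    for (ip, line), files in zip(SAMPLES, route_samples()):
        print(f"{ip:15} {line[:48]:48} -> {files or 'DROPPED'}")
```

Running it prints one row per sample. Three things are worth checking against your own config: netmask() decides on the sender address, so the datagram from 10.0.0.7 whose header claims to be pgp-universal lands in the catch-all and not under the PGP directory; a PGP-host line whose program matches none of the pgp/ filters (the sshd line) is written nowhere, so add a third log statement (f_pgp_host and `not` f_pgp_pgp) if those lines matter to you; and because $HOST ends up in a file path, a header hostname that is not a plain name should be rejected before it reaches the filesystem.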
Admin
« Reply #3 on: July 27, 2010, 12:37:35 pm »

Without trying to actually load that config, yes, it looks correct.
HelpdeskMonkey
« Reply #4 on: July 27, 2010, 12:54:34 pm »

It works!

I had some syntax errors above: the host filter needed a ; at the end and all the destinations needed }; as well, but when I fixed those and reloaded the config everything went to where it should.

Thanks again!

Admin
« Reply #5 on: July 27, 2010, 12:54:56 pm »

Awesome! Happy to help.