Filtering by Host and Message in syslog-ng

I had a requirement to filter logs by source IP and by part of the messages, sending them off to another file. Proof of concept was done as follows:

– Single source IP for logs
– Match two source subnets in message text

Configuration in /etc/syslog-ng.conf is:

source s_net {
       tcp(max-connections(10));
       udp();
};

destination d_test { file ("/var/log/test.log"); };

filter f_test { (netmask(178.79.153.178/32)) and
                    (message("Client IP: 10\.1\.1\.*") or
                     message("Client IP: 10\.10\.10\.*")) 
};

log { source(s_sys); filter(f_test); destination(d_test); };

This separates out logs containing the specific Client IP addresses and doesn’t seem to hit CPU too hard. Netmask was used rather than host to avoid any issues with hostnames being resolved and then not matching the filter.

Tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *