
Getting syslog-ng to filter messages by source IP address

I received a call this week from one of our network guys because messages from several network devices weren't being logged by our centralized log server. When I started debugging the issue, I noticed that traffic from the hosts (host1 in this example) was making it to our syslog-ng server:

$ tcpdump -i eth0 host host1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:22:01.672377 host1.65093 > syslog.syslog: SYSLOG local4.error, length: 108
09:22:06.904446 host1.65093 > syslog.syslog: SYSLOG local4.notice, length: 128

While the traffic was making it to the server, the syslog messages were not being matched against a rule we had defined. Being the curious guy I am, I decided to read the syslog RFC to get a better understanding of the syslog message format. If you aren't familiar with syslog messages, they take the following form:

<PRI> <HEADER> <MSG>

The PRI section contains the facility and priority, the HEADER section contains a timestamp and the hostname or IP address of the device, and the MSG section contains the message the host is trying to send to the server. When I dumped one of the syslog messages as a raw string of bytes, I noticed that the hostname field didn't match the expression we were trying to match against. For reference, here is the expression we were using (FYI: the host() directive matches against the hostname in the syslog message, not the source IP address in the IP datagram):

filter f_web_hosts { (host("192.168.0.25")) };

Since the hostname in the message and the source IP address of the datagram were different, the rule didn't match. To get this to work correctly, I needed to use a netmask() statement, which filters on the source IP address in the IP datagram rather than on the hostname field:

filter f_web_hosts { (netmask(192.168.0.25/32)) };

Once this rule was in place, everything worked as expected! Rock on!

matty on March 2, 2010 | Filed Under syslog-ng

Poster on January 4th, 2011 This saved my week, I really appreciate you posting this. I inherited our company's two syslog servers that hadn't been touched for years and was told to make sure everything works. As soon as our event management team found out that someone owned them they set the dogs on me; they wanted tons of feeds that failed months or years ago. Pulled my hair out trying to find out why some of them weren't working, most of them because you can't control whether or not the message has the host IP or name. Thanks again Matt!

satmaca on July 13th, 2011 I have the same problem too. I use the same netmask filter but still different hosts' messages came into the same destination log file. My config:

destination distlayer { file("/yedek/syslogs/dl"); };
filter DL_Montaj { netmask(10.99.0.141/255.255.255.255); };
log { source(net); filter(DL_Montaj); destination(distlayer); };

syslog capture:

satmaca@gcknw105:~> tail -100 /yedek/syslogs/dl
Jul 11 08:24:29 10.16.6.25 :Link Up Trap for Unit/Port: 1 / 13
Jul 11 08:24:34 10.16.6.25 :Link Down Trap for Unit/Port: 1 / 13
Jul 11 08:24:35 10.16.6.25 :Link Up Trap for Unit/Port: 1 / 13
