Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Syslog-ng and filters

So, over the weekend, I had to update 200 routers with SNMP configs and point them to my SYSLOG server. Easy, right? Well, tedious, since half-way through I figured I should have used EXPECT, but by then I was already half-done.

Anyway, after all my work, I noticed that my syslogs were not receiving any logging. Doing a TCPDUMP showed the logs were arriving at the server. Strange?

I have a lot of filtering done in SYSLOG-NG. With my naming convention, all end-point access routers are named [location]-arXX (where XX is the router's number at that location). So, my filter for access routers is:

host("^.*-ar[0-9]{1,2}.*");

Well, after some searching, it turns out SYSLOG-NG actually does a reverse DNS lookup on the sender's IP to determine the host name, even though the hostname is already inside the log message.

After adding 200+ reverse DNS entries, I finally got it working.
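The setup described above, as an added example that is not the blog's own configuration: a syslog-ng config with the access-router filter quoted the way syslog-ng requires, the global options the syslog-ng manual documents as controlling whether host() sees the reverse-DNS name of the sender or the name carried inside the message, and separate listeners for network gear and servers as suggested in the comments. The version line, listener addresses and file paths are assumptions.

```conf
@version: 3.2   # adjust to the installed syslog-ng version

options {
    # Resolve the sender's IP to a name only if PTR records exist for every
    # router; the post shows what happens when they are missing.
    use_dns(no);
    # Trust the hostname inside the message (the router's own name), which is
    # what the [location]-arXX patterns below are written against.
    keep_hostname(yes);
    chain_hostnames(no);
};

# Assumed addresses (constructed values): network gear logs to 10.0.0.10,
# servers to 10.0.0.11. One listener per sender class keeps the log paths apart.
source s_network { udp(ip(10.0.0.10) port(514)); };
source s_servers { udp(ip(10.0.0.11) port(514)); };

# Access routers: [location]-arXX, XX one or two digits. This is the post's
# filter with the quoting syslog-ng needs around the pattern.
filter f_access_routers  { host("^.*-ar[0-9]{1,2}.*"); };
# Service and core routers follow the same convention (sr/cr, per the comments).
filter f_service_routers { host("^.*-sr[0-9]{1,2}.*"); };
filter f_core_routers    { host("^.*-cr[0-9]{1,2}.*"); };

# Assumed destination paths; $HOST expands to the name the filters matched on.
destination d_access  { file("/var/log/network/access/$HOST.log"); };
destination d_service { file("/var/log/network/service/$HOST.log"); };
destination d_core    { file("/var/log/network/core/$HOST.log"); };
destination d_servers { file("/var/log/servers/$HOST.log"); };

log { source(s_network); filter(f_access_routers);  destination(d_access);  };
log { source(s_network); filter(f_service_routers); destination(d_service); };
log { source(s_network); filter(f_core_routers);    destination(d_core);    };
log { source(s_servers); destination(d_servers); };
```

With keep_hostname(yes) the name is whatever the sender put in the packet, so restrict the listener to the management network at the firewall rather than treating the matched name as authoritative for anything security-relevant.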


4 responses to “Syslog-ng and filters”

  1. Aaron Paxson January 23, 2011 at 12:01 pm

    For those of you who are wondering…. ar=access router. Others are sr=service router (i.e. managed by a 3rd party service like Verizon or ISP) and cr=core router.

  2. Jason W January 23, 2011 at 12:51 pm

    FWIW- There is a syslog-ng option that tells it to trust the hostname sent in the packet. I’m not at work, so not easy for me to look at our config. Lemme know if you want me to. The syslog-ng manual is pretty decent.

    Also, what we do is separate servers from network gear by having each use a separate interface/IP for logging. Syslog-ng can listen on both and you can set up different log statements to send each to various places.

    • Aaron Paxson January 23, 2011 at 12:58 pm

      Thanks. I already have “keep_hostname(yes)” enabled, but I don’t think that is used in filters. I think it is only used if you want SYSLOG-NG to re-write the log that was received with the received hostname, rather than the hostname embedded in the log entry.

      I do like the idea of having syslog listen on multiple IPs. That’s a good idea.

  3. Oliver Gorwits January 23, 2011 at 6:07 pm

    As an alternative to Expect, if you’re handy with Perl check out my Net::Appliance::Session module which helps with exactly this type of tedious reconfiguration. Feedback welcome.
