syslog-ng PE can detect if the remote server of a network destination becomes unaccessible, and start sending messages to a secondary server. Multiple failover servers can be configured, so if the secondary server becomes unaccessible as well, syslog-ng PE will switch to the third server in the list, and so on. If there are no more failover servers left, syslog-ng PE returns to the beginning of a list and attempts to connect to the primary server.
When syslog-ng PE starts up, it will always try to connect to the primary server first, but once it fails over to a secondary server, it will not automatically attempt to return to the primary server even if it becomes available. If syslog-ng PE is restarted, it will attempt to connect the primary server. Reloading the configuration of syslog-ng PE will not cause syslog-ng PE to return to the primary server, unless the configuration of the destination has changed.
If syslog-ng PE uses TLS-encryption to communicate with the remote server, syslog-ng PE checks the certificate of the failover server as well. The certificates of the failover servers should match their domain names or IP addresses — for details, see the section called “Encrypting log messages with TLS”. Note that when mutual authentication is used, the syslog-ng PE client sends the same certificate to every server.
The primary server and the failover servers must be accessible with the same communication method: it is not possible to use different destination drivers or options for the different servers.
For details on configuring failover servers, see the section called “network() destination options” and the section called “syslog() destination options”.
The following sections describe how to select and filter log messages.
the section called “Using filters” describes how to configure and use filters.
the section called “Combining filters with boolean operators” shows how to create complex filters using boolean operators.
the section called “Comparing macro values in filters” explains how to evaluate macros in filters.
the section called “Using wildcards, special characters, and regular expressions in filters” provides tips on using regular expressions.
the section called “Tagging messages” explains how to tag messages and how to filter on the tags.
the section called “Filter functions” is a detailed description of the filter functions available in syslog-ng PE.
Filters perform log routing within syslog-ng: a message passes the filter if the filter expression is true for the particular message. If a log statement includes filters, the messages are sent to the destinations only if they pass all filters of the log path. For example, a filter can select only the messages originating from a particular host. Complex filters can be created using filter functions and logical boolean expressions.
To define a filter, add a filter statement to the syslog-ng configuration file using the following syntax:
filter <identifier> { <filter_type>("<filter_expression>"); };
Example 8.10. A simple filter statement
The following filter statement selects the messages that contain the word deny
and come from the host example
.
filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
For the filter to have effect, include it in a log statement:
log { source(s1); filter(demo_filter); destination(d1);};
When a log statement includes multiple filter statements, syslog-ng sends a message to the destination only if all filters are true for the message. In other words, the filters are connected with the logical AND
operator. In the following example, no message arrives to the destination, because the filters are exclusive (the hostname of a client cannot be example1
and example2
at the same time):
filter demo_filter1 { host("example1"); }; filter demo_filter2 { host("example2"); }; log { source(s1); source(s2); filter(demo_filter1); filter(demo_filter2); destination(d1); destination(d2); };
To select the messages that come from either host example1
or example2
, use a single filter expression:
filter demo_filter { host("example1") or host("example2"); }; log { source(s1); source(s2); filter(demo_filter); destination(d1); destination(d2); };
Use the not
operator to invert filters, for example, to select the messages that were not sent by host example1
:
filter demo_filter { not host("example1"); };
However, to select the messages that were not sent by host example1
or example2
, you have to use the and
operator (that's how boolean logic works):
filter demo_filter { not host("example1") and not host("example2"); };
Alternatively, you can use parentheses to avoid this confusion:
filter demo_filter { not (host("example1") or host("example2")); };
For a complete description on filter functions, see the section called “Filter functions”.
The following filter statement selects the messages that contain the word deny
and come from the host example
.
filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
The value()
parameter of the match
function limits the scope of the function to the text part of the message (that is, the part returned by the ${MESSAGE}
macro). For details on using the match()
filter function, see the section called “match()”.
|
TIP:
Filters are often used together with log path flags. For details, see the section called “Log path flags”. |
Starting with syslog-ng PE version 4 F1, it is also possible to compare macro values and templates as numerical and string values. String comparison is alphabetical: it determines if a string is alphabetically greater or equal to another string. Use the following syntax to compare macro values or templates. For details on macros and templates, see the section called “Customizing message format”.
filter <filter-id> {"<macro-or-template>" operator "<value-or-macro-or-template>"};
Example 8.11. Comparing macro values in filters
The following expression selects log messages containing a PID (that is, ${PID}
macro is not empty):
filter f_pid {"${PID}" !=""};
The following expression selects log messages that do not contain a PID. Also, it uses a template as the left argument of the operator and compares the values as strings:
filter f_pid {"${HOST}${PID}" eq "${HOST}"};
The following example selects messages with priority level 4 or higher.
filter f_level {"${LEVEL_NUM}" > "5"};
The following filter selects messages which have the collector word in the soc@0.device structured data field.
filter f_fwd_collectors {"${.SDATA.soc@0.device}" eq "collector"};
This filter expresison selects messages, which has the FW string in the soc@0.class structured data field.
filter f_debug { match("FW" value(".SDATA.soc@0.class") type("string")); };
Note that:
The macro or template must be enclosed in double-quotes.
The $
character must be used before macros.
Using comparator operators can be equivalent to using filter functions, but is somewhat slower. For example, using "${HOST}" eq "myhost"
is equivalent to using host("myhost" type(string))
.
You can use any macro in the expression, including user-defined macros from parsers and results of pattern database classifications.
The results of filter functions are boolean values, so they cannot be compared to other values.
You can use boolean operators to combine comparison expressions.
The following operators are available:
Table 8.2. Numerical and string comparison operators
Numerical operator | String operator | Meaning |
---|---|---|
== | eq | Equals |
!= | ne | Not equal to |
> | gt | Greater than |
< | lt | Less than |
>= | ge | Greater than or equal |
=< | le | Less than or equal |
The host()
, match()
, and program()
filter functions accept regular expressions as parameters. The exact type of the regular expression to use can be specified with the type()
option. By default, syslog-ng PE uses POSIX regular expressions.
To use other expression types, add the type()
option after the regular expression. For example:
message("^(.+)\\1$" type("pcre"))
In regular expressions, the asterisk (*
) character means 0, 1 or any number of the previous expression. For example, in the f*ilter
expression the asterisk means 0 or more f letters. This expression matches for the following strings: ilter
, filter
, ffilter
, and so on. To achieve the wildcard functionality commonly represented by the asterisk character in other applications, use .*
in your expressions, for example f.*ilter
.
Alternatively, if you do not need regular expressions, only wildcards, use type(glob)
in your filter:
Example 8.12. Filtering with widcards
The following filter matches on hostnames starting with the myhost
string, for example, on myhost-1
, myhost-2
, and so on.
filter f_wildcard {host("myhost*" type(glob));};
For details on using regular expressions in syslog-ng PE, see the section called “Regular expressions”.
To filter for special control characters like the carriage return (CR), use the \r
escape prefix in syslog-ng PE version 3.0 and 3.1. In syslog-ng PE 3.2 and later, you can also use the \x
escape prefix and the ASCII code of the character. For example, to filter on carriage returns, use the following filter:
filter f_carriage_return {match("\x0d" value ("MESSAGE"));};
You can label the messages with custom tags. Tags are simple labels, identified by their names, which must be unique. Currently syslog-ng PE can tag a message at two different places:
at the source when the message is received, and
when the message matches a pattern in the pattern database. For details on using the pattern database, see the section called “Using pattern databases”, for details on creating tags in the pattern database, see the section called “The syslog-ng pattern database format”.
When syslog-ng receives a message, it automatically adds the .source.<id_of_the_source_statement>
tag to the message. Use the tags()
option of the source to add custom tags, and the tags()
option of the filters to select only specific messages.
For an example on tagging, see Example 8.14, “Adding tags and filtering messages with tags”.
The following functions may be used in the filter statement, as described in the section called “Filters”.
Table 8.3. Filter functions available in syslog-ng PE
Name | Description |
---|---|
facility() | Filter messages based on the sending facility. |
filter() | Call another filter function. |
host() | Filter messages based on the sending host. |
inlist() | File-based whitelisting and blacklisting. |
level() or priority() | Filter messages based on their priority. |
match() | Use a regular expression to filter messages based on a specified header or content field. |
message() | Use a regular expression to filter messages based on their content. |
netmask() | Filter messages based on the IP address of the sending host. |
program() | Filter messages based on the sending application. |
source() | Select messages of the specified syslog-ng PE source statement. |
tags() | Select messages having the specified tag. |
Synopsis: | facility(<facility-name>) or facility(<facility-code>) or facility(<facility-name>..<facility-name>) |
Description: Match messages having one of the listed facility codes.
The facility()
filter accepts both the name and the numerical code of the facility or the importance level. Facility codes 0-23 are predefined and can be referenced by their usual name. Facility codes above 24 are not defined.
You can use the facility filter the following ways:
Use a single facility name, for example, facility(user)
Use a single facility code, for example, facility(1)
Use a facility range (works only with facility names), for example, facility(local0..local5)
The syslog-ng application recognizes the following facilities: (Note that some of these facilities are available only on specific platforms.)
Table 8.4. syslog Message Facilities recognized by the facility() filter
Numerical Code | Facility name | Facility |
---|---|---|
0 | kern | kernel messages |
1 | user | user-level messages |
2 | mail system | |
3 | daemon | system daemons |
4 | auth | security/authorization messages |
5 | syslog | messages generated internally by syslogd |
6 | lpr | line printer subsystem |
7 | news | network news subsystem |
8 | uucp | UUCP subsystem |
9 | cron | clock daemon |
10 | authpriv | security/authorization messages |
11 | ftp | FTP daemon |
12 | ntp | NTP subsystem |
13 | security | log audit |
14 | console | log alert |
15 | solaris-cron | clock daemon |
16-23 | local0..local7 | locally used facilities (local0-local7) |
Synopsis: | host(regexp) |
Description: Match messages by using a regular expression against the hostname field of log messages. Note that you can filter only on the actual content of the HOST field of the message (or what it was rewritten to). That is, syslog-ng PE will compare the filter expression to the content of the ${HOST} macro. This means that for the IP address of a host will not match, even if the IP address and the hostname field refers to the same host. To filter on IP addresses, use the netmask()
filter.
filter demo_filter { host("example") };
Synopsis: | in-list("</path/to/file.list>", value("<field-to-filter>")); |
Description: Matches the value of the specified field to a list stored in a file, allowing you to do simple, file-based black- and whitelisting. The file must be a plain-text file, containing one entry per line. The syslog-ng PE application loads the entire file, and compares the value of the specified field (for example, ${PROGRAM}) to entries in the file. When you use the in-list filter
, note the following points:
Comparing the values is case-sensitive.
Only exact matches are supported, partial and substring matches are not.
If you modify the list file, reload the configuration of syslog-ng PE for the changes to take effect.
Available in syslog-ng PE and later.
Example 8.13. Selecting messages using the in-list filter
Create a text file that contains the programs (as in the ${PROGRAM} field of their log messages) you want to select. For example, you want to forward only the logs of a few applications from a host: kernel, sshd, and sudo. Create the /etc/syslog-ng/programlist.list
file with the following contents:
kernel sshd sudo
The following filter selects only the messages of the listed applications:
filter f_whitelist { in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };
Create the appropriate sources and destinations for your environment, then create a log path that uses the previous filter to select only the log messages of the applications you need:
log { source(s_all); filter(f_whitelist); destination(d_logserver);};
To create a blacklist filter, simply negate the in-list
filter:
filter f_blacklist { not in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };
Synopsis: | level(<priority-level>) or level(<priority-level>..<priority-level>) |
Description: The level()
filter selects messages corresponding to a single importance level, or a level-range. To select messages of a specific level, use the name of the level as a filter parameter, for example use the following to select warning messages:
level(warning)
To select a range of levels, include the beginning and the ending level in the filter, separated with two dots (..
). For example, to select every message of error or higher level, use the following filter:
level(err..emerg)
The level()
filter accepts the following levels: emerg
, alert
, crit
, err
, warning
, notice
, info
, debug
.
Synopsis: | match(regexp) |
Description: Match a regular expression to the headers and the message itself (that is, the values returned by the MSGHDR
and MSG
macros). Note that in syslog-ng version 2.1 and earlier, the match()
filter was applied only to the text of the message, excluding the headers. This functionality has been moved to the message()
filter.
To limit the scope of the match to a specific part of the message (identified with a macro), use the match(regexp value("MACRO"))
syntax. Do not include the $ sign in the parameter of the value()
option.
The value()
parameter accepts both built-in macros and user-defined ones created with a parser or using a pattern database. For details on macros and parsers, see the section called “Templates and macros”, the section called “Parsing messages with comma-separated and similar values”, and the section called “Using parser results in filters and templates”.
Synopsis: | message(regexp) |
Description: Match a regular expression to the text of the log message, excluding the headers (that is, the value returned by the MSG
macros). Note that in syslog-ng version 2.1 and earlier, this functionality was performed by the match()
filter.
Synopsis: | netmask(ipv4/mask) |
Description: Select only messages sent by a host whose IP address belongs to the specified IPv4 subnet. Note that this filter checks the IP address of the last-hop relay (the host that actually sent the message to syslog-ng PE), not the contents of the HOST
field of the message. You can use both the dot-decimal and the CIDR notation to specify the netmask. For example, 192.168.5.0/255.255.255.0
or 192.168.5.0/24
. To filter IPv6 addresses, see the section called “netmask6()”.
Synopsis: | netmask6(ipv6/mask) |
Description: Select only messages sent by a host whose IP address belongs to the specified IPv6 subnet. Note that this filter checks the IP address of the last-hop relay (the host that actually sent the message to syslog-ng PE), not the contents of the HOST
field of the message. You can use both the regular and the compressed format to specify the IP address, for example, 1080:0:0:0:8:800:200C:417A
or 1080::8:800:200C:417A
. If you do not specify the address, localhost
is used. Use the netmask (also called prefix) to specify how many of the leftmost bits of the address comprise the netmask (values 1-128 are valid). For example, the following specify a 60-bit prefix: 12AB:0000:0000:CD30:0000:0000:0000:0000/60
or 12AB::CD30:0:0:0:0/60
. Note that if you set an IP address and a prefix, syslog-ng PE will ignore the bits of the address after the prefix. To filter IPv4 addresses, see the section called “netmask()”.
The netmask6()
filter is available in syslog-ng PE 5.0.8 and 5.2.2 and later.
|
Caution:
If the IP address is not syntactically correct, the filter will never match. The syslog-ng PE application currently does not send a warning for such configuration errors. |
Synopsis: | program(regexp) |
Description: Match messages by using a regular expression against the program name field of log messages.
Synopsis: | source id |
Description: Select messages of a source statement. This filter can be used in embedded log statements if the parent statement contains multiple source groups — only messages originating from the selected source group are sent to the destination of the embedded log statement.
Synopsis: | tag |
Description: Select messages labeled with the specified tag. Every message automatically has the tag of its source in .source.<id_of_the_source_statement>
format. This option is available only in syslog-ng 3.1 and later.
To skip the processing of a message without sending it to a destination, create a log statement with the appropriate filters, but do not include any destination in the statement, and use the final
flag.
The syslog-ng application has a number of global options governing DNS usage, the timestamp format used, and other general points. Each option may have parameters, similarly to driver specifications. To set global options, add an option statement to the syslog-ng configuration file using the following syntax:
options { option1(params); option2(params); ... };
Example 9.1. Using global options
To disable domain name resolving, add the following line to the syslog-ng configuration file:
options { use-dns(no); };
For a detailed list of the available options, see the section called “Global options”. For important global options and recommendations on their use, see Chapter 20, Best practices and examples.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center