Please disregard.
Resolved problem by setting keep_hostname(no); in syslog-ng.conf
Best Regards
Eric
-----Original Message-----
From: Eric Appelboom
Sent: 13 July 2004 03:07 PM
To: '[EMAIL PROTECTED]'
Subject: Syslog-ng and gb syslog
Hi there,
I have a number of gbwares reporting to a central loghost.
In the past the syslog-ng configuration below served me well to separate the logs.
source net { tcp(); udp(); };
destination hostfile { file("/data2/$HOST"); };
log { source(net); destination(hostfile); };
In Gbware 3.5 the support for the old format has been removed, i.e.
OLD FORMAT
Jul 13 10:08:10 portal PASS: Close TCP [x.x.x.x:80]<-[x.x.x.x:1381] dur=00:06:12 pkts=51:34 bytes=66928:4565
NEW FORMAT
Jul 13 10:10:19 id=firewall time="2004-07-13 08:10:19" fw="11111111" pri=5 msg="Close outbound, pass through" proto=1434/udp src=x.x.x.x srcport=1486 dst=x.x.x.x dstport=1434 rule=4 duration=22 sent=29 rcvd=0 pkts_sent=1 pkts_rcvd=0
It seems that syslog-ng uses the 4th field as the hostname identifier, as all gbwares log to the same file, being id=firewall.
Does anyone know how to separate these files, even if it has to be the 6th field fw="11111111", which is usually the serial number?
GTA Support says "The "id" is non-configurable. The host name should precede the id field."
But obviously, as indicated above, only the date/time precedes the id= field.
Really having a problem matching the host("firewallhost") filter.
Help?
Regards
Eric
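Added example, not part of the thread and not syslog-ng's own code: a small Python script that imitates how a BSD-syslog receiver such as syslog-ng picks $HOST out of a line, why the Gbware 3.5 key=value format sends every box to /data2/id=firewall, what keep_hostname(no) changes, and how the fw="..." serial could be pulled out as an alternative split key. The parsing rules are a simplified model of the behaviour described in the thread, and the sender names fw-a.example / fw-b.example and the sample lines are constructed for illustration.

```python
"""Model of BSD-syslog host extraction vs. keep_hostname(no), plus fw= serial
extraction for the Gbware 3.5 key=value format.

Added example: the rules below imitate the behaviour described in the thread and
are NOT syslog-ng source code.  Sample lines and sender names are constructed.
"""
import re

# Constructed sample lines, modelled on the two formats quoted in the thread.
OLD_FORMAT = ("Jul 13 10:08:10 portal PASS: Close TCP [10.0.0.1:80]<-[10.0.0.2:1381] "
              "dur=00:06:12 pkts=51:34 bytes=66928:4565")
NEW_FORMAT = ('Jul 13 10:10:19 id=firewall time="2004-07-13 08:10:19" fw="11111111" pri=5 '
              'msg="Close outbound, pass through" proto=1434/udp src=10.0.0.2 srcport=1486 '
              'dst=10.0.0.3 dstport=1434 rule=4 duration=22 sent=29 rcvd=0 pkts_sent=1 '
              'pkts_rcvd=0')

# Constructed (sender address, line) pairs as a central loghost would see them.
SAMPLE = [
    ("fw-a.example", NEW_FORMAT),
    ("fw-b.example", NEW_FORMAT.replace('fw="11111111"', 'fw="22222222"')),
    ("portal", OLD_FORMAT),
]

# Optional <PRI> followed by "Mon DD HH:MM:SS " at the start of a BSD syslog line.
_TIMESTAMP = re.compile(r'^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ')

# key=value pairs; values are either a double-quoted string or a run of non-blanks.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_bsd(line, sender, keep_hostname=True):
    """Return (host, body) the way a keep_hostname-style receiver would.

    keep_hostname=True : the first whitespace-delimited token after the timestamp
                         is trusted as the hostname, whatever it contains.
    keep_hostname=False: the sender's address is used instead and the whole text
                         after the timestamp is kept as the body.
    This is a simplified model of the syslog-ng option of the same name; how the
    real receiver treats the leftover token is not reproduced here (assumption).
    """
    m = _TIMESTAMP.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    rest = line[m.end():]
    if not keep_hostname:
        return sender, rest
    token, _, body = rest.partition(" ")
    return token, body


def parse_kv(text):
    """Split a Gbware 3.5 style key=value body into a dict (quotes stripped)."""
    out = {}
    for key, val in _KV.findall(text):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def destination_file(line, sender, keep_hostname=True, root="/data2"):
    """Mimic destination hostfile { file("/data2/$HOST"); } for one line."""
    host, _ = parse_bsd(line, sender, keep_hostname)
    # With keep_hostname(yes) this token is chosen by whoever sent the packet, so
    # refuse anything that could escape the log directory before using it in a path.
    if "/" in host or host in ("", ".", ".."):
        raise ValueError("unsafe host token %r" % host)
    return "%s/%s" % (root, host)


def serial_of(line, sender):
    """Alternative split key: the fw= serial inside the message body (None if absent)."""
    _, body = parse_bsd(line, sender, keep_hostname=False)
    return parse_kv(body).get("fw")


def route(lines, keep_hostname=True, root="/data2"):
    """Group (sender, line) pairs by the file that $HOST would select."""
    files = {}
    for sender, line in lines:
        path = destination_file(line, sender, keep_hostname, root)
        files.setdefault(path, []).append(line)
    return files


if __name__ == "__main__":
    for keep in (True, False):
        print("keep_hostname(%s):" % ("yes" if keep else "no"))
        for path, entries in sorted(route(SAMPLE, keep).items()):
            print("  %-22s %d line(s)" % (path, len(entries)))
    for sender, line in SAMPLE:
        print("%-14s fw=%s" % (sender, serial_of(line, sender)))
```

With keep_hostname(yes) the two new-format lines collapse into /data2/id=firewall while the old-format line still lands in /data2/portal; with keep_hostname(no) each box gets its own file named after the peer address, which is what the reply above reports. Note that the message-supplied host token is untrusted input on an unauthenticated UDP/TCP listener, so keying a file path on it (as the original $HOST destination does) deserves the kind of check shown in destination_file even when the log format is well behaved.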
------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/