Getting syslog-ng to filter messages by source IP address

I received a call this week from one of our network guys because messages from several network devices weren’t being logged by our centralized log server. When I started debugging the issue, I noticed that traffic from the hosts (host1 in this example) was making it to our syslog-ng server:

$ tcpdump -i eth0 host host1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:22:01.672377 host1.65093 > syslog.syslog: SYSLOG local4.error, length: 108
09:22:06.904446 host1.65093 > syslog.syslog: SYSLOG local4.notice, length: 128

While the traffic was making it to the server, the syslog messages were not being matched by a rule we had defined. Being the curious guy I am, I decided to read the syslog RFC (RFC 3164, the BSD syslog protocol these devices speak) to get a better understanding of the syslog message format. If you aren't familiar with syslog messages, they take the following form:

<PRI>HEADER MSG

The PRI part is a decimal number in angle brackets encoding the facility and severity (facility * 8 + severity, so <165> is local4.notice), the HEADER part contains a timestamp and the hostname or IP address of the device as the device chose to write it, and the MSG part contains the message the host is trying to send to the server.

When I dumped one of the syslog messages as a raw string of bytes, I noticed that the hostname field didn't match the expression we were trying to match against. For reference, here is the expression we were using (FYI: the host() directive matches against the hostname in the HEADER of the syslog message, not the source IP address of the IP datagram that carried it, and its argument is a regular expression, so the unescaped dots below would also match other characters):

filter f_web_hosts { (host("192.168.0.25")); };

Since the hostname in the message and the source IP address were different, the rule didn't match. To get this to work correctly, I needed to use a netmask() statement, which filters on the source IP address of the IP datagram (a wider mask such as /24 would match the whole subnet):

filter f_web_hosts { (netmask("192.168.0.25/32")); };

Once this rule was in place, everything worked as expected! Rock on!
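To make the mismatch concrete, here is an added example of my own (not code from the original post or from syslog-ng): a small RFC 3164 parser that splits a raw datagram into PRI, HEADER and MSG, plus Python stand-ins for the host() and netmask() filter semantics, run over constructed sample traffic. The datagrams, the hostname sw-web-1 and the 10.0.0.9 sender are all made up for the illustration; the code uses only the standard library. The last datagram shows why the distinction matters beyond correctness: the HOSTNAME field is written by whoever sends the packet, so host() filters on sender-controlled text, while netmask() ties the decision to the IP header (which UDP syslog senders can still spoof on most networks, so neither filter is an authentication mechanism).

```python
"""Added example (not from the original post or from syslog-ng): a small
RFC 3164 parser and Python re-implementations of the host() and netmask()
filter semantics, run over constructed sample datagrams."""
import ipaddress
import re
from dataclasses import dataclass

# RFC 3164 layout: "<PRI>" then HEADER (TIMESTAMP, a space, HOSTNAME) then MSG.
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day of month.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Facility and severity names in numeric order (syslog-ng's spelling).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron "
    "local0 local1 local2 local3 local4 local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()


@dataclass(frozen=True)
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str  # HOSTNAME field from the message body, written by the sender
    msg: str


def parse_rfc3164(payload: bytes) -> SyslogMessage:
    """Split a raw UDP payload into its PRI, HEADER and MSG parts."""
    m = RFC3164_RE.match(payload.decode("ascii", errors="replace"))
    if m is None:
        raise ValueError("not an RFC 3164 message: %r" % payload[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity],
                         m.group("ts"), m.group("host"), m.group("msg"))


def host_filter(pattern: str):
    """Stand-in for syslog-ng host(): a regex tested against the parsed
    HOSTNAME field, i.e. against text the sender chose. Dots are regex
    metacharacters, so an unescaped "192.168.0.25" also matches "192x168x0x25"."""
    rx = re.compile(pattern)
    return lambda src_ip, msg: rx.search(msg.host) is not None


def netmask_filter(cidr: str):
    """Stand-in for syslog-ng netmask(): tests the source address of the IP
    datagram and ignores whatever HOSTNAME the payload carries."""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda src_ip, msg: ipaddress.ip_address(src_ip) in net


# Constructed sample traffic as (source IP from the IP header, raw payload).
# local4 is facility 20, so PRI 163 = local4.err and 165 = local4.notice,
# the same priorities tcpdump decoded in the post.
DATAGRAMS = [
    ("192.168.0.25", b"<163>Jul 11 08:24:29 sw-web-1 :Link Down Trap for Unit/Port: 1 / 13"),
    ("192.168.0.25", b"<165>Jul 11 08:24:34 sw-web-1 :Link Up Trap for Unit/Port: 1 / 13"),
    ("10.16.6.25", b"<165>Jul 11 08:24:35 10.16.6.25 :Link Up Trap for Unit/Port: 1 / 13"),
    # A sender elsewhere on the network writing the web host's address into
    # the HOSTNAME field; only the payload claims it is 192.168.0.25.
    ("10.0.0.9", b"<165>Jul 11 08:24:40 192.168.0.25 :Link Up Trap for Unit/Port: 1 / 1"),
]


def apply_filter(flt, datagrams=DATAGRAMS):
    """Return the source IPs of the datagrams the filter would pass on."""
    return [src for src, payload in datagrams if flt(src, parse_rfc3164(payload))]


if __name__ == "__main__":
    # host() misses both real datagrams and accepts the impostor;
    # netmask() does the opposite.
    print("host():   ", apply_filter(host_filter(r"^192\.168\.0\.25$")))
    print("netmask():", apply_filter(netmask_filter("192.168.0.25/32")))
```

Run it and the host() line lists only 10.0.0.9, the sender that merely claimed to be 192.168.0.25, while the netmask() line lists the two datagrams that actually came from that address. If you must filter on the hostname (for example because devices sit behind NAT), anchor and escape the pattern as above, or compare the field as a plain string rather than a regex, and treat the result as a routing hint rather than a trust decision.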

5 thoughts on “Getting syslog-ng to filter messages by source IP address”

  1. This saved my week, I really appreciate you posting this.

    I inherited our company's two syslog servers that hadn't been touched for years and was told "make sure everything works".

    As soon as our event management team found out that someone owned them they set the dogs on me; they wanted tons of feeds that had failed months or years ago. Pulled my hair out trying to find out why some of them weren't working... most of them because you can't control whether or not the message has the host IP or name.

    Thanks again Matt!

  2. I have the same problem too. I use the same netmask filter but still different hosts' messages come into the same destination log file.
    My config:
    destination distlayer { file("yedek/syslogs/dl"); };
    filter DL_Montaj { netmask(10.99.0.141/255.255.255.255); };
    log { source(net); filter(DL_Montaj); destination(distlayer); };

    syslog capture:
    satmaca@gcknw105:~> tail -100 /yedek/syslogs/dl
    Jul 11 08:24:29 10.16.6.25 :Link Up Trap for Unit/Port: 1 / 13
    Jul 11 08:24:34 10.16.6.25 :Link Down Trap for Unit/Port: 1 / 13
    Jul 11 08:24:35 10.16.6.25 :Link Up Trap for Unit/Port: 1 / 13

    thanks for help,

    Samni

  3. Thanks, after hours of debugging and searching I found your post that solved my problem.
    Thanks for sharing your solution *thumbs up*

  4. You are a life-saver for posting this.

    I'm new to syslog-ng and am playing around with how I can filter and forward messages. I was doing it the same way you had previously and was reading the syslog-ng documents scratching my head.

    Thank you so much. You rock!
    G

  5. Thanks, this is the kind of blog I like: very in-depth analysis. The syslog-ng.conf manual entry is not very specific when it comes to explaining what host() actually is.
