```
## SPLUNK
#*** Configure local destinations for syslog here. ***
#
## SPLUNK
#
#
destination d_wlc { file("/var/log/syslog-ng/splunk/wlc/$FACILITY"); };
destination d_NetworkGear { file("/var/log/syslog-ng/splunk/Network_Gear/$FACILITY"); };
destination d_bitbucket { file("/var/log/syslog-ng/splunk/bit_bucket/$FACILITY"); };
#*** Configure filter for the network device IP address here. ***
#
# NOTE: Make sure there is a space after the ) following the IP address #
#
#
filter f_wlc { netmask(172.16.91.0/24)
    or netmask(10.26.141.18/32)
    or netmask(10.255.22.18/32)
    or netmask(172.16.91.0/24)
    or netmask(172.16.92.0/22); };
filter f_NetworkGear { netmask(10.255.0.0/16)
    or netmask(10.40.0.0/16)
    or netmask(172.16.252.0/16)
    or netmask(172.26.252.0/16)
    or netmask(172.26.253.0/16)
    or netmask(172.26.254.0/16)
    or netmask(172.26.255.0/16); };
filter f_bitbucket { netmask(129.255.0.0/16)
    or netmask(10.0.0.0/8)
    or netmask(192.168.0.0/16)
    or netmask(172.16.0.0/12); };
#
# Combine log destination and filter
#
#
log { source(s_syslog-ng); filter(f_wlc); destination(d_wlc); };
log { source(s_syslog-ng); filter(f_NetworkGear); destination(d_NetworkGear); };
log { source(s_syslog-ng); filter(f_bitbucket); destination(d_bitbucket); };
#
# END SPLUNK
#*** Section ends. ***
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:etc
```

=============================

So the theory is that everything that doesn't get caught by the first two filters gets caught by the "bitbucket".

But what is happening is that it seems logs are being filtered into BOTH filter f_NetworkGear and filter f_bitbucket.

Is there a way to have syslog not put it in both? The filter f_bitbucket is intended to be a catch-all that is for anything not filtered above.
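
One way to get the catch-all behaviour asked about above, as an added example that is not part of the original paste: syslog-ng evaluates each log statement independently, so a message matching both f_NetworkGear and f_bitbucket is written to both destinations unless a log path carries `flags(final)` or the catch-all carries `flags(fallback)`. The block reuses the paste's own source, filter and destination names and replaces only its three log statements.

```conf
# Added example, not from the original paste.
# Assumes the source, filters and destinations are defined as in the paste.

# Option A: first match wins.
# flags(final) stops a message that matched this path from being processed
# by log statements that appear LATER in the configuration, so the order
# below matters: most specific first, catch-all last.
log { source(s_syslog-ng); filter(f_wlc);         destination(d_wlc);         flags(final); };
log { source(s_syslog-ng); filter(f_NetworkGear); destination(d_NetworkGear); flags(final); };
log { source(s_syslog-ng); filter(f_bitbucket);   destination(d_bitbucket); };

# Side effect of option A: 10.255.22.18 is listed in f_wlc and also falls
# inside 10.255.0.0/16 in f_NetworkGear. With flags(final) on the first
# path it is written to d_wlc only, no longer to both.

# Option B (use instead of option A, not together with it):
# leave the first two log statements exactly as in the paste and mark only
# the catch-all as a fallback path. A fallback path receives a message only
# when no non-fallback log statement for that source matched it.
# Overlaps between f_wlc and f_NetworkGear are still written to both.
#
# log { source(s_syslog-ng); filter(f_wlc);         destination(d_wlc); };
# log { source(s_syslog-ng); filter(f_NetworkGear); destination(d_NetworkGear); };
# log { source(s_syslog-ng); filter(f_bitbucket);   destination(d_bitbucket); flags(fallback); };
```

Run `syslog-ng --syntax-only` against the edited file before reloading, then send a test message from an address in each range and confirm it lands in exactly one directory under /var/log/syslog-ng/splunk/.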