# How to Filter out IP RANGES using syslog-ng???

## AsianSpices

Hi, I am trying to use syslog-ng to collect syslogs from routers,

But I would like logs from the same network to be logged in one file

How is this possible?

I can log all logs in the same file...

I can log each host in separate files

How do I log IP addresses of the same range into the same file?

----------

## think4urs11

I've never really tried it that way but it should be possible to filter by a match() statement with a proper regex which matches the IP range. Should be relatively easy as long as you're not using too small ranges.

something like 192\.168\.1\.[0-9]{1,3} to filter on ip range 192.168.1.x

HTH

T.

----------

## AsianSpices

*Quote:*

> something like 192\.168\.1\.[0-9]{1,3} to filter on ip range 192.168.1.x

hate to sound dumb,

but what's the {1,3} for?

how do I do one for a /25 subnet??

----------

## think4urs11

{1,3} means 'at least one digit, max 3 digits' which matches [0-9]

in other words - anything from .0 - .999

that was the quick and easy one, here's the real thing

- please forgive typos, that's just out of my head and 100% untested -

should catch only addresses from 192.168.1.0 to 192.168.1.127

(192)\.(168)\.(1)\.(12[0-7]|1[0-1][0-9]|[1-9][0-9]|[0-9])

feel free to adapt to the range you need  :Rolling Eyes: 

----------

## AsianSpices

*Quote:*

> should catch only addresses from 192.168.1.0 to 192.168.1.127
> 
> (192)\.(168)\.(1)\.(12[0-7]|1[0-1][0-9]|[1-9][0-9]|[0-9])
> ...

Holyy molyy

that's one heck of a catch " .(12[0-7]|1[0-1][0-9]|[1-9][0-9]|[0-9]" :S

What, isn't there another way to do that??? :S

okie, let's say I just wanted to catch up to the 3rd octet? How do I do that?

----------

## think4urs11

mhh, in that special case we can assume the IP addresses are valid so we don't need to check them very exactly in the regex.

This should do (as always - out of head and untested)

([\d]{1,3}\.){3} - should match on anything from 0.0.0 - 999.999.999

[\d] - any digit

{1,3} - at least 1, at max 3 digits concatenated

\. - the '.'

{3} - we want to have the first 3 octets 

(which will have 1-3 digits plus the '.')

HTH

T.

----------

## AsianSpices

the service starts up fine

But I still don't get anything  :Sad: 

----------

## AsianSpices

*Quote:*

> options {
> 
>         long_hostnames(yes);
> ...

I am soo frustrated with this....  :Sad: 

any suggestions?

----------

## AsianSpices

I am still stuck...  :Sad: 

Googled my life away..  :Razz: 

I have tried using host()

example:

filter f_ipbb_syslogs { host("66\.163\.79\.$"); };

but I still get nothing  :Sad: 

Any suggestions?

----------

## AsianSpices

Apparently not a lot of people here use syslog-ng?!?

Anyway,

I am trying to collect logs from a specific network. So I have decided to use the filter netmask()

but it's faulty...

I am still trying to figure out how to split the logs into their own separate folders.

There is a filter called netmask(): it checks the sender's IP address to see whether it is in the specified IP subnet

Syntax: netmask(ip/mask)

So I created a filter, see below:

*Quote:*

> filter f_ipbb { netmask("66.163.79.0/25"); };

So my logic on this was:

If the syslog is from an IP address in this network/subnet then it should get logged to where I specified it to.

Unfortunately:

As seen below I got syslogs from the following IP addresses:

*Quote:*

> root@K3 store # ls
> 
> 64.251.65.229    66.163.79.2  66.163.79.37  66.163.79.42  
> ...

Anyone have any idea why this is happening???

----------

## think4urs11

you've already tried to configure the netmask in dotted notation instead of CIDR?

means - filter f_ipbb { netmask("66.163.79.0/255.255.255.128"); };  instead of /25?

reference: https://lists.balabit.hu/pipermail/syslog-ng/2005-July/007701.html

----------

## AsianSpices

Yes, I have tried that also

But that gave me no results  :Sad: 

and I have seen that reference also.  :Sad: 

----------

## AsianSpices

As seen below:

filter f_test { netmask("66.163.79.0/255.255.255.128"); }; <---- gives no results

filter f_ipbb { netmask("66.163.79.0/25"); }; <---- only gives syslogs from 66.163.79.2

Any ideas?

----------

## kashani

I don't have enough machines at home to do much testing, but I'd like to mention a few gotchas.

Routers will source the logs from the closest interface to the syslog server UNLESS you specify the interface to source the logs from. Best practice is to source logs from a loopback interface so that logging still works correctly even when physical interfaces die. So part of your problem may be that you're getting logs via eth0 instead of eth1 or things like that.

I'd also make sure that syslog-ng isn't using reverse DNS to sort the logs instead of the IPs. Turning on use_fqdn might affect how syslog processes incoming logs.

kashani

----------

## think4urs11

hmm...

little circumvention for the issue  - aka 'if everything else fails get creative'  :Rolling Eyes: 

inside your log folder create ONE folder for all machines and name it e.g. 66.163.79.0_25

for every ip do a ln -s 66.163.79.0_25 66.163.79.IPADDRESS-LAST-OCTET

filter inside syslog-ng with $HOST as usual

destination std { file("/var/log/$HOST"); };

----------

## AsianSpices

Hi,

I am now trying to collect traps from these two networks: 66.163.79.0/255.255.255.128 and 64.251.65.224/255.255.255.240

I don't understand why, when I do this, it doesn't collect anything

Any ideas??

```
source src{unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

filter f_messages { not level(warn); };

log { source(src);  filter(f_messages); destination(messages); };

#filter snmptrap
filter f_snmptrap { level(warn); };

#testing filters for the different networks
filter f_ipbb1 {netmask("66.163.79.0/255.255.255.128"); };
filter f_ipbb2 {netmask("64.251.65.224/255.255.255.240"); };

destination ipbb_traps { file("/store/ipbb/traps/$YEAR-$MONTH-$DAY"); };

log { source(src); filter(f_snmptrap); filter(f_ipbb1); filter (f_ipbb2); destination(ipbb_traps); };
```
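A corrected version of the config above, added here as an example and not posted by anyone in the thread. It assumes syslog-ng 2.x/3.x syntax, that the routers send to UDP port 514, and that the traps arrive as syslog messages of priority warn as the thread assumes; it also shows the /25 regex from earlier in the thread anchored so it cannot overmatch.

```conf
# Added example, not the thread's own config. Assumed: syslog-ng 2.x/3.x
# syntax, routers sending to UDP/514, traps arriving at priority warn.

options {
    use_dns(no);          # name files by sender IP, not by reverse-DNS name
    keep_hostname(no);    # $HOST becomes the sender's address, not the header's
    create_dirs(yes);     # let the per-host destination create its directories
};

source src {
    unix-stream("/dev/log"); internal(); pipe("/proc/kmsg");
    udp(ip("0.0.0.0") port(514));   # the posted config had no network source
};

# Filters listed together in one log {} statement are ANDed, so
# filter(f_ipbb1); filter(f_ipbb2); can never match: no sender is in both
# networks at once. Combine the two netmask() tests with 'or' in one filter.
filter f_ipbb {
    netmask("66.163.79.0/255.255.255.128")
    or netmask("64.251.65.224/255.255.255.240");
};

# Regex alternative for the first /25, matching the HOST field. It must be
# anchored: unanchored, the last alternative [0-9] matches the first digit of
# any octet, so .128-.255 would pass too. Single quotes keep the backslashes.
filter f_ipbb_regex { host('^66\.163\.79\.(12[0-7]|1[01][0-9]|[1-9]?[0-9])$'); };

filter f_snmptrap { level(warn); };   # as in the thread

destination ipbb_traps { file("/store/ipbb/traps/$YEAR-$MONTH-$DAY"); };
destination per_host   { file("/store/$HOST/$YEAR-$MONTH-$DAY"); };

# Filters in one path are ANDed, which is what we want here:
# priority warn AND sender in one of the two networks.
log { source(src); filter(f_snmptrap); filter(f_ipbb); destination(ipbb_traps); };
log { source(src); filter(f_ipbb); destination(per_host); };
```

Run `syslog-ng -s -f <file>` to syntax-check the file before restarting the service.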

----------

