Discussion:
[syslog-ng] Filter out host from netmask range
Ian Hasund
2014-03-31 12:31:44 UTC
I am trying to remove a specific set of hosts from a network range using
filters.

For example, I have the following:

filter f_home_subnet {
(
netmask("192.168.0.0/24")
);
};

I now want to exclude some specific hosts, let's say 192.168.0.10 and
192.168.0.20.

My attempts at adding "not host" to the above don't seem to work.

Any pointers / suggestions would be greatly appreciated.

Thanks,
Ian
j***@roadrunner.com
2014-03-31 14:53:58 UTC
Should be able to use booleans here, either in the filter or in the log statement:

either within the filter:
filter f_some_but_not_all {
netmask("192.168.0.0/24") and
not ( netmask("192.168.0.1/32") or
netmask("192.168.0.11/32") );
};

or like this
filter f_home_net {
netmask("192.168.0.0/24");
};

filter f_home_exclusions {
not ( netmask("192.168.0.1/32") or
netmask("192.168.0.11/32") );
};

log {
source(s_network);
filter(f_home_net);
filter(f_home_exclusions);
destination(d_some_dest);
};

Jim
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Ian Hasund
2014-03-31 15:18:16 UTC
Thanks. I discovered my issue when testing. I was using "host" and my server was sending as its hostname versus IP. As soon as I changed to "netmask", this worked.

Thanks for the quick feedback.

/Ian

j***@roadrunner.com
2014-03-31 15:24:10 UTC
Cool.

Personally I like netmask, since I have seen far too many broken syslog formats that mess with the HOST macros (although I have been told that parsing speed should be about the same either way).
Balazs Scheidler
2014-03-31 21:36:38 UTC
The host filter applies to the $HOST field. Just use the netmask filter
with 32 as mask.
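Added example, not part of the original thread and not syslog-ng code: a small Python model of the behaviour the thread arrives at, where host() is compared against the $HOST value and netmask() against the sender's IP address. The names Msg, SAMPLES, f_attempt and f_fixed, the hostnames and the anchored regular expressions are assumptions made for the illustration; the addresses are the ones from Ian's question.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample messages. src is the sender's IP address as seen by the
# receiver; host is what ends up in $HOST (these senders put their hostname
# in the syslog header, which is the situation Ian describes).
Msg = namedtuple("Msg", "src host")
SAMPLES = [
    Msg("192.168.0.10", "web01"),
    Msg("192.168.0.20", "db01"),
    Msg("192.168.0.30", "nas01"),
    Msg("10.1.2.3", "edge01"),
]

def netmask(cidr):
    """Model of netmask(): tests the sender IP against a subnet."""
    net = ipaddress.ip_network(cidr)
    return lambda m: ipaddress.ip_address(m.src) in net

def host(pattern):
    """Model of host(): regular-expression match on the $HOST value (assumed)."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m.host) is not None

def f_and(*filters):
    return lambda m: all(f(m) for f in filters)

def f_or(*filters):
    return lambda m: any(f(m) for f in filters)

def f_not(flt):
    return lambda m: not flt(m)

# Exclusion written with host(): it never fires, because $HOST holds a name.
f_attempt = f_and(
    netmask("192.168.0.0/24"),
    f_not(f_or(host(r"^192\.168\.0\.10$"), host(r"^192\.168\.0\.20$"))),
)

# Exclusion written as in the replies: one /32 netmask per excluded address.
f_fixed = f_and(
    netmask("192.168.0.0/24"),
    f_not(f_or(netmask("192.168.0.10/32"), netmask("192.168.0.20/32"))),
)

def accepted(flt, msgs=SAMPLES):
    """Return the source IPs of the messages a filter lets through."""
    return [m.src for m in msgs if flt(m)]

if __name__ == "__main__":
    print("host() exclusion:   ", accepted(f_attempt))
    print("netmask() exclusion:", accepted(f_fixed))
```

With the host() variant the two hosts that were meant to be dropped still reach the destination, which is worth checking for whenever a log pipeline relies on exclusions.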