    Syslog write to file question


Any idea how I can separate specific IPs/devices to write to different folders without the logs getting duplicated to the default folder?


I have the default rules and filter set up, which display and log all devices and other log info in the default "log to file" folder structure. I have now created other filters and rules to capture specific IP(s)/devices and have them written to different folders. I would like to keep the default folder to capture all logs with the exception of a few.

On your default rule you can add a complex filter and exclude device names. If it's more than 7-8, you may want to make the default logging rule the second rule.

In this case, create a new rule. Have it match on the devices you want and take the action(s) needed. As the last action in the rule add 'Stop Processing'. This will keep any subsequent rules from seeing the messages. Then your default rule will only see the messages that did not match your first, explicit, rule.

            Jeff Catlin

            kstone is correct.  Put your most specific rule at the top of the list and have it filter to do the action desired and stop processing the messages.  If you do not need that syslog entry handled in another way after that rule is applied then add the Stop Processing action to it.  I generally suggest that the first rule(s) in an environment be built to eliminate all noisy/unwanted syslog data with a stop processing action so that the syslog server doesn't waste cycles on that data.  Then it goes from most specific to least specific where a stop processing needs to be added.

Thanks guys. I tried using the stop processing after my action to write the log to file, and the rules are the first ones to process, but it still didn't work. The Default action is still processing and writing those specific IP logs to its folder. BTW, I did exclude the IPs from displaying in the default screen, which works, but it still writes the logs to file.

Above is my setup: the info is being logged to file twice, both in the Test and Default locations.

The same settings are under Test1-3:

Filter: Filter the desired IP, e.g. Exclude Range "blank"
Action 1: Display the IP (Display 3)
Action 2: Log IP to file (c:\.....)
Action 3: Stop processing message

Then comes the Default:

Filter: Include Ranges is "blank"; Exclude Range:
Action 1: Display the IPs (Display 0)
Action 2: Log all IPs to file (c:\....)

                    Are you using the IP Address filter and selecting IPV4 Range filter type? 


                    I would use the IP Address filter and the 'Simple' filter type unless you truly have a large range of contiguous addresses.

                    You can have one rule per IP address or something like this:

                    The Include would look like this:  "","", "192.168.3"


Then I would have a Log to File action. The path and file name would be something like C:\logs\%Hostname.txt. %Hostname is an Auto-split variable that will use the hostname (or IP address if there is no hostname) to generate the file name. I prefer this over the IP Address Auto-split because it handles both hostname and IP address.

Any other actions (displays, etc.)

                    The last action would be 'Stop Processing'.


                    This will generate 1 file for each IP Address.


                    The default rule does not need any filters/excludes for these IP addresses.  The Stop processing command in the prior rule(s) will prevent them from hitting the next rule.
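The rule-ordering and Stop Processing behaviour described in the answers above (most specific rule first, Stop Processing as its last action, default rule last with no excludes), modelled as a small Python simulation. This is an added example, not code from the syslog server or from anyone in this thread; the dotted-prefix IP match, the rule and field names, and the sample messages are all this example's own assumptions. It shows which files a message lands in under each ordering, including the two configurations that produce the duplicate write the original poster is seeing.

```python
"""Toy model of an ordered syslog rule chain with a 'Stop Processing' action.

Constructed example (not the syslog server's own code): rules are evaluated
top to bottom, each rule has a filter plus an ordered action list, and a
'stop' action ends processing of that message. Filter semantics here are a
simple dotted-prefix match on the source IP, an assumption standing in for the
product's 'Simple' IP filter type. %Hostname expands to the message hostname,
falling back to the source IP, mirroring the auto-split behaviour described
in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Message:
    source_ip: str
    hostname: Optional[str]   # None when the server could not resolve a name
    text: str


@dataclass
class Rule:
    name: str
    include_prefixes: Tuple[str, ...] = ()   # empty tuple = match every source
    exclude_prefixes: Tuple[str, ...] = ()
    log_path: Optional[str] = None          # 'Log to File' template; None = no file action
    stop: bool = False                      # True = 'Stop Processing' is the last action

    def matches(self, msg: Message) -> bool:
        ip = msg.source_ip
        if self.include_prefixes and not any(ip.startswith(p) for p in self.include_prefixes):
            return False
        # Use a trailing dot in prefixes ("192.168.3.") so "192.168.30.x" is not caught.
        return not any(ip.startswith(p) for p in self.exclude_prefixes)


def expand_path(template: str, msg: Message) -> str:
    """Expand the %Hostname auto-split variable: hostname if known, else the IP."""
    return template.replace("%Hostname", msg.hostname or msg.source_ip)


def process(rules: List[Rule], msg: Message) -> List[str]:
    """Return the file paths the message is written to, in rule order."""
    written = []
    for rule in rules:
        if not rule.matches(msg):
            continue
        if rule.log_path is not None:
            written.append(expand_path(rule.log_path, msg))
        if rule.stop:
            break        # later rules, including the default, never see this message
    return written


# Constructed rule sets covering the configurations discussed in the thread.
DEFAULT = Rule("Default", log_path=r"C:\logs\all.txt")
SPECIFIC = Rule("Test1", include_prefixes=("192.168.3.",),
                log_path=r"C:\logs\%Hostname.txt", stop=True)
SPECIFIC_NO_STOP = Rule("Test1-no-stop", include_prefixes=("192.168.3.",),
                        log_path=r"C:\logs\%Hostname.txt")
NOISE_DROP = Rule("DropNoise", include_prefixes=("10.99.",), stop=True)  # discard, no actions


def scenarios() -> dict:
    """Run sample messages through each ordering and report where they landed."""
    switch = Message("192.168.3.10", "switch01", "constructed: link up")
    unnamed = Message("192.168.3.11", None, "constructed: no reverse DNS")
    other = Message("10.0.0.5", "fw01", "constructed: unrelated device")
    noise = Message("10.99.1.1", "probe", "constructed: chatty probe")
    return {
        "specific_first_with_stop": process([SPECIFIC, DEFAULT], switch),
        "default_first": process([DEFAULT, SPECIFIC], switch),
        "specific_first_no_stop": process([SPECIFIC_NO_STOP, DEFAULT], switch),
        "hostname_fallback_to_ip": process([SPECIFIC, DEFAULT], unnamed),
        "unmatched_goes_to_default": process([SPECIFIC, DEFAULT], other),
        "noise_dropped_before_default": process([NOISE_DROP, SPECIFIC, DEFAULT], noise),
    }


if __name__ == "__main__":
    for name, paths in scenarios().items():
        print(f"{name:32} -> {paths}")
```

In this model the only two ways a message ends up in both the per-host file and `all.txt` are the default rule sitting above the specific one, or the specific rule lacking the Stop Processing action; a third possibility worth checking in a real configuration is that the specific rule's filter does not actually match the message (for example, filtering on an IP range while the server has resolved the source to a hostname), in which case only the default rule ever fires and the duplicate appears to come from the default.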

Yes, all the rules before the default are working and creating the logs as configured. BUT the default still includes the IPs of the above rules, even with the exclude IPs and Stop Processing after each rule.