Question: How to filter out syslog messages that are not received by a specific NIC?


#1 giorgiobuffa

Hello! I'd like to log syslog messages received via broadcast on UDP:514. The logger PC has multiple NICs, but I'm interested only in syslog messages received on these local interfaces: 10.200.255.254 and 127.0.0.1. I've tried the configuration posted below, but it doesn't always work (especially at system boot) because of the following error from the NXLog Windows service.

ERROR failed to start im_udp; couldn't bind udp socket to 10.200.255.254:514; The requested address is not valid in its context.

This is my current configuration:

...
define LOGS_FILE     ...
...

# Provides parse_syslog() for the Exec blocks below.
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Loaded but not used by any input/output in this configuration.
<Extension _exec>
    Module  xm_exec
</Extension>

# One listener per local address. Binding to the NIC address fails at boot
# if the interface is not up yet (see the error above).
<Input udp_lan>
    Module  im_udp
    Host    10.200.255.254
    Port    514
    Exec    parse_syslog();
</Input>

# Loopback listener on the same port; binding to 127.0.0.1 is always possible.
<Input udp_host>
    Module  im_udp
    Host    127.0.0.1
    Port    514
    Exec    parse_syslog();
</Input>

<Output file_syslog>
    Module      om_file
    CreateDir   TRUE
    Sync        TRUE
    File        '%LOGS_FILE%'
</Output>

# Both listeners write to the same file.
<Route udp_to_file>
    Path    udp_lan, udp_host => file_syslog
</Route>

The NIC has a static IP address, but I'm not sure it is already up when the nxlog service is started by Windows at system boot.

How can I perform this sort of filtering without using the firewall? I know I can listen on everything and drop() received messages with an Exec statement, but I don't know which variable to use (e.g. something like $MessageSourceAddress) to identify the interface the message was received on. I was thinking of something like this:

<Input udp_lan_host>
    Module  im_udp
    Host    0.0.0.0 # <--- accept all
    Port    514

    <Exec>
        if $??? != "10.200.255.254" and $??? != "127.0.0.1" drop(); # <--- which variable here?
        parse_syslog();
    </Exec>
</Input>

Thanks, Giorgio
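The post asks for the address of the local interface a datagram arrived on, which is a different thing from the sender's address that $MessageSourceAddress carries. The block below is an added example, not code from the post or from NXLog, showing how an application obtains that information at the socket level on Linux with IP_PKTINFO and recvmsg(): the wildcard bind (0.0.0.0) avoids the boot-time "address is not valid" bind failure, and the per-datagram ancillary data reports the receiving interface and its address, which is then checked against the two addresses from the post. All function names are hypothetical, the syslog line is constructed, and nothing here implies that NXLog exposes such a field; it uses Linux-only socket calls, so it does not run as-is on the Windows host in the question.

```python
"""Added example: find the local interface/address a UDP datagram arrived on.
Linux only (recvmsg + IP_PKTINFO). Helper names are hypothetical."""
import ipaddress
import socket
import struct

# Linux value of IP_PKTINFO; some Python builds do not export the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 12 bytes

# Local addresses the post wants to keep.
ALLOWED_LOCAL = {"10.200.255.254", "127.0.0.1"}


def recv_with_pktinfo(sock, bufsize=65535):
    """Receive one datagram and return (payload, sender_ip, local_ip, header_dst_ip, ifindex).

    local_ip is the address of the interface the datagram came in on (ipi_spec_dst).
    header_dst_ip is the destination from the IP header (ipi_addr); for a broadcast
    that is the broadcast address, not the interface address, so filter on local_ip.
    """
    payload, ancdata, _flags, sender = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    local_ip = header_dst_ip = ifindex = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, spec_dst, dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            local_ip = str(ipaddress.IPv4Address(spec_dst))
            header_dst_ip = str(ipaddress.IPv4Address(dst))
    return payload, sender[0], local_ip, header_dst_ip, ifindex


def should_keep(local_ip, allowed=ALLOWED_LOCAL):
    """The filter from the post: keep only datagrams received on an allowed local address."""
    return local_ip in allowed


def demo():
    """Round trip over loopback with a constructed syslog line; returns what the receiver learned."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask the kernel for in_pktinfo per datagram
    rx.bind(("0.0.0.0", 0))  # wildcard bind: no dependency on a NIC being up at boot
    port = rx.getsockname()[1]
    rx.settimeout(2)

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    msg = b"<13>Jan  1 00:00:00 testhost app: constructed test message"  # constructed input
    tx.sendto(msg, ("127.0.0.1", port))
    try:
        payload, sender_ip, local_ip, header_dst_ip, ifindex = recv_with_pktinfo(rx)
    finally:
        tx.close()
        rx.close()
    return {
        "payload": payload,
        "sender_ip": sender_ip,
        "local_ip": local_ip,
        "header_dst_ip": header_dst_ip,
        "ifname": socket.if_indextoname(ifindex) if ifindex else None,
        "keep": should_keep(local_ip),
    }


if __name__ == "__main__":
    print(demo())
```

On the loopback round trip the receiver reports local_ip 127.0.0.1 on interface lo and keeps the message; a datagram arriving on any other interface (say a NIC with 192.168.0.7) would be dropped by should_keep() even though its sender might be in 10.200.0.0/16. Windows supports IP_PKTINFO through WSARecvMsg, but Python's recvmsg() is not available there, so the same check on the Windows host would need native code or a collector that exposes the local address itself.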