I'd like to log syslog messages received via broadcast on UDP:514. In the logger PC there are multiple NICs, but I'm only interested in syslog messages received from these local interfaces:
127.0.0.1. I've tried with the configuration posted below, but it doesn't always work (especially at system boot) because of the following error from the NXLog Windows Service:
ERROR failed to start im_udp; couldn't bind udp socket to 10.200.255.254:514; The requested address is not valid in its context.
This is my actual configuration
    ...
    define LOGS_FILE ...
    ...

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Extension _exec>
        Module  xm_exec
    </Extension>

    <Input udp_lan>
        Module  im_udp
        Host    10.200.255.254
        Port    514
        Exec    parse_syslog();
    </Input>

    <Input udp_host>
        Module  im_udp
        Host    127.0.0.1
        Port    514
        Exec    parse_syslog();
    </Input>

    <Output file_syslog>
        Module      om_file
        CreateDir   TRUE
        Sync        TRUE
        File        '%LOGS_FILE%'
    </Output>

    <Route udp_to_file>
        Path    udp_lan, udp_host => file_syslog
    </Route>
The NIC has a static IP address, but I'm not sure it is already up when the nxlog service is executed at system boot by Windows.
How can I perform this sort of filtering without using the firewall? I know I can listen to anything and drop() received messages with an Exec statement, but I don't know which variable to use (e.g. like $MessageSourceAddress) to specify the interface the message was received by. I was thinking of something like this:
    <Input udp_lan_host>
        Module  im_udp
        Host    0.0.0.0    # <--- accept all
        Port    514
        <Exec>
            if $??? != "10.200.255.254" and $??? != "127.0.0.1" drop();    # <--- which variable here?
            parse_syslog();
        </Exec>
    </Input>