
Solution for syslog\asl to filter based on source ip addr

Has anyone found a way to filter inbound syslog messages from remote hosts based on the sender's IP address? I understand that the ASL methodology is one that places all messages into a DB and then the intent is to filter that DB to find the messages one wishes to review. However, many devices do NOT include any explicit ID information in their syslog messages - they just send the message where they are told. For those devices, the expectation is that the receiver - being the central repo - can do the best job at filtering and sorting based on the sysadmin's desires. Therefore, in those cases, the only ID information contained in those inbound messages is the actual source IP address in the packet.


Without a solution to the above, one is forced to use something like syslog-ng which brings with it a whole other set of issues and challenges for installs on 10.8.x and later.


Any insights, solutions, etc. are appreciated...

Posted on Feb 13, 2014 1:52 PM


Feb 13, 2014 7:48 PM in response to Linc Davis

Thanks Linc - I actually saw your post from a while back suggesting this and no joy. The only way this will work is if there is some way to make OS X record the actual source IP addr from the packet and then to filter based on addr. I have scoured all the docs I can find and nothing shows how to get OS X to store this key info. syslog-ng does this easily but it looks like OS X may not have this feature...

Feb 15, 2014 10:31 AM in response to Cyb3rZ3us

To anyone else out there who has encountered this hole in OS X syslog functionality, I recommend rsyslog. It comes standard on Ubuntu and was extremely easy to configure for this type of logging. DISCLAIMER: I did NOT port this to OS X - I used one of my existing Ubuntu servers. However, I am working on porting this to OS X now and if successful, I will report back here.
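As an added example (not posted by anyone in this thread), here is an rsyslog configuration in RainerScript syntax that does what the question asks for: it receives syslog over UDP/514 and routes each message by the sender's packet source address via the `$fromhost-ip` property. The IP addresses and file paths are constructed placeholders, and the rsyslog 7+ syntax is assumed.

```conf
# Added example, not from the thread: rsyslog (v7+) RainerScript configuration.
# Routes inbound remote syslog by the sender's IP address ($fromhost-ip),
# the one piece of identity that ASL on OS X does not record.
# All addresses and paths are constructed placeholders.

module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# File name template that embeds the sender address, for per-host log files
template(name="PerSenderFile" type="string"
         string="/var/log/remote/%fromhost-ip%/messages.log")

ruleset(name="remote") {
    # Exact-match filter: a single known device (placeholder address)
    if $fromhost-ip == "192.0.2.10" then {
        action(type="omfile" file="/var/log/remote/core-switch.log")
        stop
    }

    # Prefix filter: every sender on the 192.0.2.0/24 management network
    # gets its own file, named from the template above
    if $fromhost-ip startswith "192.0.2." then {
        action(type="omfile" dynaFile="PerSenderFile")
        stop
    }

    # Anything from a sender not matched above is kept separately, so an
    # unexpected talker shows up on its own instead of blending into local logs
    action(type="omfile" file="/var/log/remote/unknown-sender.log")
}
```

Messages that are not bound to the `remote` ruleset (local ones) never reach these filters, so the local log layout is unchanged.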

