Cyb3rZ3us

Has anyone found a way to filter inbound syslog messages from remote hosts based on the sender's IP address? I understand that the ASL methodology is one that places all messages into a DB and then the intent is to filter that DB to find the messages one wishes to review. However, many devices do NOT include any explicit ID information in their syslog messages - they just send the message where they are told. For those devices, the expectation is that the receiver - being the central repo - can do the best job at filtering and sorting based on the sysadmin's desires. Therefore, in those cases, the only ID information contained in those inbound messages is the actual source IP address in the packet.


Without a solution to the above, one is forced to use something like syslog-ng, which brings with it a whole other set of issues and challenges for installs on 10.8.x and later.


Any insights, solutions, etc. are appreciated...
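As an added example, not from the original post, here is a minimal UDP syslog receiver in Python that does the job the post describes: it keys every inbound datagram on the packet's source IP, parses the RFC 3164 PRI field, and routes messages per sender (unknown senders are rejected). The sender map, the labels and the listening port 5514 are assumptions for illustration.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sender map: packet source IP -> label used when filing the message.
# These addresses are documentation-range placeholders, not a real deployment.
SENDER_LABELS = {
    "192.0.2.10": "core-switch",
    "192.0.2.20": "fw-edge",
}

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog(data: bytes, sender_ip: str) -> dict:
    """Split an RFC 3164-style datagram into PRI fields and body, keyed by sender IP."""
    m = PRI_RE.match(data)
    if m:
        pri = int(m.group(1))
        body = data[m.end():]
    else:
        pri = 13  # user.notice: the conventional default for PRI-less messages
        body = data
    if pri > 191:
        pri = 13  # out-of-range PRI from the wire: fall back rather than trust it
    return {
        "sender_ip": sender_ip,
        "label": SENDER_LABELS.get(sender_ip),
        "facility": pri >> 3,
        "severity": pri & 7,
        "body": body.decode("utf-8", errors="replace").rstrip("\r\n"),
    }


def route(msg: dict) -> str:
    """Decide where a parsed message goes: unknown senders are rejected, known ones filed by label."""
    if msg["label"] is None:
        return "reject"
    if msg["severity"] <= 3:  # emerg..err: keep apart from routine notices
        return f"{msg['label']}/alerts"
    return f"{msg['label']}/all"


def serve(bind_addr: str = "0.0.0.0", port: int = 5514) -> None:
    """Receive UDP syslog and print routed lines; 5514 avoids needing root for port 514."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (ip, _) = sock.recvfrom(8192)
        msg = parse_syslog(data, ip)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        print(f"{stamp} {route(msg)} {ip} fac={msg['facility']} sev={msg['severity']} {msg['body']}")


if __name__ == "__main__":
    serve()
```

Because the source IP comes from the UDP header and not from the message text, a device that sends no hostname is still filed under its own label; anything from an unlisted address is dropped before it reaches storage.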