Getting Data In

How do you drop Logs completely with Syslog-NG from particular sources?

briant97
New Member

With Syslog-NG how do you drop logs completely. I know how to create filters and what not but I don't know how to set the destination to drop completely.

Tags (3)
0 Karma

frobert
New Member

Hi,

Create a log path that does not have a destination, just a source, a filter (that matches the messages you want to drop), and the final flag.
For details, see the syslog-ng Administrator Guide

Kind Regards,

Robert Fekete
syslog-ng documentation maintainer

0 Karma

briant97
New Member

Can you show an example of this just for others that may want to reference in the future.

0 Karma

frobert
New Member

Sure! (I've included a link in my earlier reply, but it seems it was moderated 🙂 )
The following log statement drops all debug level messages without any further processing.

filter demo_debugfilter { level(debug); };
log { source(s_all); filter(demo_debugfilter); flags(final); };
0 Karma

briant97
New Member

filter f_new_networkdevices { netmask(192.168.2.1/32) or netmask(192.168.2.2/32); };
log { source(s_tcp_remote); filter(f_new_networkdevices); flags(final); }; #logs to no where without a destination
log { source(s_udp_remote); filter(f_new_networkdevices); flags(final); }; #logs to no where without a destination

I want to completely drop logs from these ips for now.

This is not working for me it is still logging.

0 Karma

briant97
New Member

Can you show an example for future reference for others that may be wanting to do the same thing.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...