Channel: Syed Jahanzaib – Personal Blog to Share Knowledge !

SYSLOG-NG – Log specific data to mySQL using MATCH criteria




We have Linux-based syslog-ng deployed at various locations. These log servers function as centralized log servers that record data into MySQL databases/tables from multiple sources such as Mikrotik, Microsoft, Cisco switches, Sangfor, EMS logs and Fortigate. Due to its highly customizable options, it suits many small to large organizations.

In one case at our office, we required audit logs for SSL VPN connections and their destination usage only. As we know, the general Fortigate logs contain a large amount of information, which causes huge table sizes daily and makes even a simple find operation hard. To log only very limited information, such as SSL VPN user connectivity and their destination usage, we made a few changes in the syslog-ng configuration using MATCH filters.


Examples below …

Fortigate Section:

Syslog-NG Configuration Section:

Created 2 filters …

/etc/syslog-ng/syslog-ng.conf


# Only messages from the Fortigate (10.0.0.1) whose MESSAGE part contains "FortiClient"
# (SSL VPN client connect/disconnect events). Each filter expression ends with ";".
filter f_mikrotik { host("10.0.0.1") and match("FortiClient" value("MESSAGE"));
};
# Same source, but any message mentioning the VPN client IP pool 10.10.100.x.
# match() treats the pattern as a regular expression by default, so "." here
# matches any character; the pattern still works as a loose substring match.
filter f_mikrotik2 { host("10.0.0.1") and match("10.10.100" value("MESSAGE"));
};

Note: From the same source, we created two filters matching two different words: one for VPN client connectivity, and a second for any activity from the VPN users' IP pool, so that we know what they accessed during their session. This way we log only the minimal/required information, so the table stays small and is easy to search and manage.
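To show how the two filters fit into a complete syslog-ng setup that actually writes the matched rows to MySQL, here is an added example configuration (not the configuration from the original post). It assumes a syslog-ng 3.x server receiving the Fortigate syslog on UDP 514, a MySQL database named "syslog" with user "syslog" (the password is a placeholder), and a daily table name built from date macros; the Fortigate address 10.0.0.1 and the VPN pool 10.10.100.0/24 are taken from the post. The pool filter is tightened to a real PCRE so that "10.10.100" cannot match unrelated text such as "10.10.1000" or "110.10.100", which keeps the audit table limited to the VPN pool.

```conf
@version: 3.13

# Listen for Fortigate syslog on UDP 514 (assumed transport).
source s_net {
    udp(ip("0.0.0.0") port(514));
};

# Filter 1: SSL VPN client connect/disconnect events from the Fortigate.
filter f_forti_vpn {
    host("10.0.0.1") and match("FortiClient" value("MESSAGE"));
};

# Filter 2: any traffic involving the VPN client pool 10.10.100.0/24.
# Single quotes keep the backslashes literal; type("pcre") makes the
# anchors and escaped dots behave as a regex rather than a loose substring.
filter f_forti_pool {
    host("10.0.0.1")
    and match('\b10\.10\.100\.[0-9]{1,3}\b' value("MESSAGE") type("pcre"));
};

# MySQL destination. One table per day keeps each table small, which is the
# point of the post; the database credentials below are placeholders.
destination d_sql_vpn {
    sql(
        type(mysql)
        host("localhost") username("syslog") password("CHANGE_ME")
        database("syslog")
        table("forti_vpn_${YEAR}${MONTH}${DAY}")
        columns("datetime", "host", "program", "message")
        values("${R_DATE}", "${HOST}", "${PROGRAM}", "${MESSAGE}")
        indexes("datetime", "host")
    );
};

# Two log paths, one per filter, both feeding the same small audit table.
log { source(s_net); filter(f_forti_vpn); destination(d_sql_vpn); };
log { source(s_net); filter(f_forti_pool); destination(d_sql_vpn); };
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before reloading; the sql() destination needs syslog-ng built with the SQL module (on Debian/Ubuntu the syslog-ng-mod-sql package). Because both log paths write to the same table, a message that matches both filters is inserted twice; add `flags(final)` to the first log path if a single row per message is wanted.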


Result:


Not to mention, all of this is for information purposes only. You can use other methods in syslog-ng, modify the config, and trim or change any configuration-level settings as per your requirements.


HAPPY LOGGIN 😉


Regards
Syed Jahanzaib

