[syslog-ng] How does regex work with HOST definitions?

Jason Haar Jason.Haar at trimble.co.nz
Mon Oct 3 22:27:30 CEST 2005


Nate Campi wrote:

>>host ("-ids-")
>>
>>and it's still picking up data from boxes who don't contain "-ids-" in
>>their hostname.
>>
>>One thing I didn't mention is that all the incorrect hosts being picked
>>up have their syslogs "routed" through another syslog-ng server running
>>on a host that does match "-ids-", could that be a cause?
>>    
>>
>
>So what do the log entries look like, do you have chained hostnames or
>is it replaced with the relaying host?
>
>Paste in a couple entries that are logged incorrectly.
>  
>
OK, but I don't have the hostnames in the content - I have them in the
directory name instead - see below

I have "keep_hostname (no)" set (and yes, I know... - but wait)

I have (1)

destination d_dir_messages          {
        file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY/raw"
        template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n"));
};
log { source(s_local); destination(d_local_messages); };

And in the directories created, $HOST is converted into the hostname of
the original syslog client - irrespective of whether or not it was
"gatewayed" via an intermediary syslog-ng server (exclusively from
syslog-ng over TCP if that makes a difference).

I also have (2)

destination d_dir_IDS {
        file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY/IDS-logs"
        template("$R_ISODATE $MESSAGE\n"));
};
filter f_process_IDS { host("-ids-") and not host("xx-ids-02.my.net"); };
log { source(s_local); filter(f_process_IDS); destination(d_dir_IDS);};

In the case of (2), I am seeing IDS-logs files from hosts that don't
match the f_process_IDS filter.

It has been mentioned that "keep_hostname" could be the cause, but I
have tried that with it set to "no" and "yes" and it has made no
difference - I still see the wrong hosts being matched.

Your comment about chained hostnames makes me wonder if the HOST
variable is different when used in a directory/file context than when
it's part of a template definition?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

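The question above (does $HOST differ between the file() path and the template(), and why do relayed hosts match host("-ids-")) can be reasoned through with a small model. The script below is an added example, not code from Jason's message or from the syslog-ng project. It mimics the host() filter, which is an unanchored regex search over $HOST, on constructed hostnames (all names are made up), under the assumption that for a relayed message $HOST is the relay's name with keep_hostname(no), the client's name with keep_hostname(yes), and "relay/client" with chain_hostnames(yes); the component order in the chained form is an assumption. The file() path and the template() are expanded from the same macro value per message, so the directory name and the logged line cannot disagree about $HOST; what changes between settings is the value the filter sees.

```python
import re

# Constructed sample (not from the thread): (originating client, relay or None).
# Hostnames are made up; "xx-ids-02.my.net" is the one name the filter excludes.
SAMPLE = [
    ("xx-ids-01.my.net", None),             # IDS sensor logging directly
    ("xx-ids-02.my.net", None),             # excluded sensor, direct
    ("web-01.my.net", None),                # non-IDS host, direct
    ("web-01.my.net", "xx-ids-01.my.net"),  # non-IDS host relayed via an "-ids-" relay
    ("db-01.my.net", "xx-ids-02.my.net"),   # non-IDS host relayed via the excluded relay
]


def effective_host(orig, relay, keep_hostname, chain_hostnames):
    """Value of $HOST as the receiving server assigns it (model, not syslog-ng code).

    Assumed here: with chain_hostnames(yes) the macro is "relay/client"; with
    keep_hostname(no) the sender's name (the relay) replaces the client's; with
    keep_hostname(yes) the name from the message header is kept.
    """
    if relay is None:
        return orig
    if chain_hostnames:
        return f"{relay}/{orig}"
    return orig if keep_hostname else relay


def host_matches(host, pattern, exclude=None):
    """Model of `host("pattern") and not host("exclude")`: both are unanchored regexes."""
    if not re.search(pattern, host):
        return False
    return exclude is None or not re.search(exclude, host)


def select(keep_hostname, chain_hostnames, pattern="-ids-", exclude="xx-ids-02.my.net"):
    """Return (originating client, $HOST seen by the filter) for each sample message the filter passes."""
    hits = []
    for orig, relay in SAMPLE:
        host = effective_host(orig, relay, keep_hostname, chain_hostnames)
        if host_matches(host, pattern, exclude):
            hits.append((orig, host))
    return hits


# Stricter pattern for the chained form: "-ids-" must sit in the last "/"-separated
# component, i.e. the originating client under the order assumed above.
CLIENT_ONLY = r"(^|/)[^/]*-ids-[^/]*$"

if __name__ == "__main__":
    for keep, chain in [(True, False), (False, False), (True, True)]:
        print(f"keep_hostname({keep}) chain_hostnames({chain}):")
        for orig, host in select(keep, chain):
            print(f"  client={orig:20} $HOST={host}")
    print("chain_hostnames(True) with the client-only pattern:")
    for orig, host in select(True, True, pattern=CLIENT_ONLY):
        print(f"  client={orig:20} $HOST={host}")
```

Two things fall out of running it. With keep_hostname(no) and no chaining, a message from web-01 arrives carrying only the relay's name, so host("-ids-") passes it and no regex can recover the client. With chain_hostnames(yes), the relay's name is still part of $HOST, so an unanchored "-ids-" matches every message that crossed an "-ids-" relay; anchoring the pattern to the client component (CLIENT_ONLY above, valid only if the chained order really is relay/client) is the check worth trying.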


More information about the syslog-ng mailing list