[syslog-ng] problems with syslog-ng host filter
Orangepeel Beef
orangepeelbeef at gmail.com
Mon Jun 24 23:01:13 CEST 2013
I've got some strange problems with trying to use the syslog-ng host
filter. It seems that every logline matches the filter f_comware but none
of them match f_netscaler. It makes very little sense to me. Reverse dns
is working as the logs that end up in /var/log/remote have the correct
hostname being logged from the $HOST template.
I have a second issue that SEC does not die when syslog-ng is restarted.
(I have used this setup in the past and have had no problems, but i
suppose things may have changed in both syslog-ng and sec since the last
time)
This is driving me crazy.. please help ;)
#config
@version: 3.1
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# First, set some global options.
options { long_hostnames(on); flush_lines(0); use_dns(yes); use_fqdn(yes);
owner("syslog"); group("adm"); perm(0640); dns_cache_size(2000);
dns_cache_expire(21600);
dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000);
create_dirs(yes);
bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);
};
source s_remote { udp();tcp(); };
destination d_remote { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"
template("$R_DATE $HOST $MSG\n") template_escape(no)); };
destination d_netscaler { program("/usr/local/sbin/sec_netscaler"
template("$R_DATE $HOST $MSG\n") template_escape(no)); };
destination d_comware { program("/usr/local/sbin/sec_comware"
template("$R_DATE $HOST $MSG\n") template_escape(no)); };
filter f_netscaler { host("lb*ae1.mydomain.com"); };
filter f_comware { host("(as|cs|r)*ae1.mydomain.com"); };
log { source(s_remote); destination(d_remote); };
log { source(s_remote); filter(f_netscaler); destination(d_netscaler); };
log { source(s_remote); filter(f_comware); destination(d_comware); };
#debug logs
[13:38:54] Filter rule evaluation result; filter_result='match',
filter_rule='f_comware'
[13:38:56] Incoming log entry; line='<190>Jun 21 20:37:54 2013
R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s
Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
[13:38:58] Filter rule evaluation begins; filter_rule='f_netscaler'
[13:39:00] Filter node evaluation result; filter_result='not-match'
[13:39:02] Filter rule evaluation result; filter_result='not-match',
filter_rule='f_netscaler'
[13:39:04] Filter rule evaluation begins; filter_rule='f_comware'
[13:39:06] Filter node evaluation result; filter_result='match'
[13:39:08] Filter rule evaluation result; filter_result='match',
filter_rule='f_comware'
[13:39:10] Incoming log entry; line='<190>Jun 21 20:37:54 2013
R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s
Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
[13:39:12] Filter rule evaluation begins; filter_rule='f_netscaler'
[13:39:14] Filter node evaluation result; filter_result='not-match'
[13:39:16] Filter rule evaluation result; filter_result='not-match',
filter_rule='f_netscaler'
[13:39:18] Filter rule evaluation begins; filter_rule='f_comware'
[13:39:20] Filter node evaluation result; filter_result='match'
[13:39:22] Filter rule evaluation result; filter_result='match',
filter_rule='f_comware'
[13:39:24] Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT
lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 : User nsroot - Remote_ip
x.x.x.x - Command "login nsroot "********"" - Status "Success"'
[13:39:26] Initializing destination file writer;
template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log',
filename='/var/log/remote/lb1o1ae1.mydomain.com/2013-06-21.log'
[13:39:28] Filter rule evaluation begins; filter_rule='f_netscaler'
[13:39:31] Filter node evaluation result; filter_result='not-match'
[13:39:33] Filter rule evaluation result; filter_result='not-match',
filter_rule='f_netscaler'
[13:39:35] Filter rule evaluation begins; filter_rule='f_comware'
[13:39:37] Filter node evaluation result; filter_result='match'
[13:39:39] Filter rule evaluation result; filter_result='match',
filter_rule='f_comware'
[13:39:41] ^CTermination requested via signal, terminating;
[13:39:43] syslog-ng shutting down; version='3.1.3'
#logs in /var/log/remote/lb2z2ae1.mydomain.com
Jun 21 20:23:34 lb2z2ae1.mydomain.com 20:23:34 GMT lb2z2ae1 0-PPE-3 : UI
CMD_EXECUTED 28261 0 : User nsroot - Remote_ip x.x.x.x - Command "show
service GL-AE1-2AZ1-DB0001_9191" - Status "Success"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130624/f99cb8f0/attachment.htm
More information about the syslog-ng
mailing list