[syslog-ng] Logs sent to wrong destination

Balazs Scheidler bazsi77 at gmail.com
Fri Jul 18 12:05:06 CEST 2014


Please note that by default host() uses regexps where the '.' matches any
character.


On Thu, Jul 17, 2014 at 9:31 PM, Renato Bezerra <renatobamorim at gmail.com>
wrote:

> Hi Jakub,
>
> Thanks for the fast reply. I have other conf files, each one for a
> different device type, that I include in the main configuration (just for
> organization); all confs are based on the "host" filter.
>
> The source is a tcp class in my main configuration. If you judge it necessary
> I can send the other confs, but in none of them did I put this IP address in
> filters.
>
>
>
>
> ---
> Renato Bezerra
>
>
> 2014-07-17 16:16 GMT-03:00 Jakub Jankowski <shasta at toxcorp.com>:
>
> On 17.07.2014 21:09, Renato Bezerra wrote:
>> > Hi,
>> >
>> > I've been using syslog-ng for a long time, but recently I noticed that, in
>> > some cases, the log is sent to a wrong destination.
>> >
>> > I have many devices sending logs to my host. The problem appears when
>> > the server receives webserver logs: they are delivered to a different
>> > destination and I don't know how.
>> >
>> > Here is the configuration:
>> >
>> > destination apache {
>> >         file("/var/log/webserver/$R_YEAR-$R_MONTH-$R_DAY-$R_HOUR"
>> >         owner(ll)
>> >         group(ll)
>> >         perm(0644)
>> >         dir_perm(0755)
>> >         create_dirs(yes));
>> > };
>> >
>> > filter f_apache {
>> >      (
>> >          host("xxx.xxx.xxx.82") or
>> >          host("xxx.xxx.xxx.137")
>> >      );
>> > };
>> >
>> > log {
>> >      source(aaa);
>> >      filter(f_apache);
>> >      destination(apache);
>> > };
>> >
>> > The IP address xxx.xxx.xxx.137 sends a duplicate log event to another
>> > directory, without any other configuration.
>> >
>> > Have you seen this?
>>
>> Well, is that your *entire* configuration? I very much doubt so. You
>> should post the entire config, not just this snippet. How are we
>> supposed to know what this "another directory" is, and what filtering
>> you apply in the log {} block that sends logs to it?
>>
>>
>>
>> J.
>>
>>
>> --
>> Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
>> GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>


-- 
Bazsi
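
Added example, not part of the original thread: a small Python audit of how
address literals used as host() patterns over-match when '.' is a regex
wildcard, next to an escaped and anchored form. It assumes the pattern is
searched anywhere in the host string and uses Python's re module as a
stand-in for syslog-ng's regex engine; the addresses and function names are
constructed for illustration.

```python
import re

# Constructed sample data (private-range addresses, not taken from the thread).
FILTER_PATTERNS = ["10.1.2.82", "10.1.2.13"]
SENDERS = ["10.1.2.82", "10.1.2.13", "10.1.2.137",
           "110.1.2.82", "10.112.82.5", "10.1.2.14"]


def matches(pattern, host):
    """Assumed host() semantics: regex searched anywhere in the host string."""
    return re.search(pattern, host) is not None


def harden(address):
    """Escape the dots and anchor both ends so only the literal address matches."""
    return "^" + re.escape(address) + "$"


def audit(patterns, senders, transform=lambda p: p):
    """Map each pattern to the senders it matches beyond the intended address."""
    report = {}
    for intended in patterns:
        regex = transform(intended)
        report[regex] = [h for h in senders
                         if h != intended and matches(regex, h)]
    return report


if __name__ == "__main__":
    for label, transform in (("as written", lambda p: p), ("hardened", harden)):
        print(label)
        for regex, extra in audit(FILTER_PATTERNS, SENDERS, transform).items():
            print(f"  host(\"{regex}\") also matches: {extra or 'nothing'}")
```
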