<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
That is *exactly* what I am doing, no?<br><br>
log { source(S_udp); filter(F_mailservers); destination(D_mailservers); flags(final); };<br>
# above catches inbound, from a remote host udp only, with pattern matching F_mailservers, sending it down the path of D_mailservers.<br><br>
log { source(S_udp); destination(D_udp);};<br>
# The above is a catchall, nothing seems to go into here.<br><br>
???<br><br>
.vp<br><br>
> From: Joe.Fegan@hp.com<br>
> To: syslog-ng@lists.balabit.hu<br>
> Date: Thu, 8 May 2008 17:44:53 +0000<br>
> Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended<br>
> <br>
> It's usually best to put the "always do this" rules first and the "stop if this rule is matched" rules afterwards. Syslog-ng works down the list of rules from the top like this pseudo-code:<br>
> <br>
> foreach rule in ruleslist {<br>
> if (message matches rule) {<br>
> send message down this path<br>
> if (rule has flags(final) in it) {<br>
> break<br>
> }<br>
> }<br>
> }<br>
> <br>
> So if a flags(final) rule gets satisfied then no subsequent rule will even be evaluated.<br>
> <br>
> <br>
> -----Original Message-----<br>
> From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Geller, Sandor (IT)<br>
> Sent: 08 May 2008 18:05<br>
> To: 'Syslog-ng users' and developers' mailing list'<br>
> Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended<br>
> <br>
> Hi,<br>
> <br>
> > My problems lie with the other filters, the ones at the end:<br>
> ><br>
> > filter F_edge { host("edge*") or host("122.21.*"); };<br>
> > filter F_router { host("gw*") or host("rtr") or host("mmsc"); };<br>
> > filter F_switch { host("sw*") or host("sw1") or host("sw2"); };<br>
> > filter F_firewall { host("^fw*") or host("^mlm*-*") or<br>
> > host("^cm*"); };<br>
> > filter F_dc { host("^mydc*") or host("^dc*"); };<br>
> > filter F_accesspoints { host("^melanie*"); };<br>
> > filter F_mailservers { host("^mail*") or host("^smtpgw*"); };<br>
> > filter F_proxies { host("^proxygw*"); };<br>
> > filter F_InternetIP { host("161.17.10.*"); };<br>
> ><br>
> > The above, based on the filter rule for F_mailservers, should<br>
> > place anything coming in from a host named mailserver1, or<br>
> > smtpgw1 into destination D_mailservers, which in turn should<br>
> > save logs into file named<br>
> > /var/log/MyHosts/MailServers/$FULLHOST.log. Instead I find<br>
> > those logs in /var/log/MyHosts/Switches/$FULLHOST.log (which<br>
> > is really<br>
> > /var/log/MyHosts/Switches/mailserver1.mycorp.net/mailserver1.m<br>
> > ycorp.net.log)<br>
> <br>
> It would be nice to see at least a log entry from the file. BTW<br>
> how did the hostname appear twice in the destination filename?<br>
> Either I overlooked something or you're not using exactly the<br>
> same config you sent.<br>
> <br>
> > I need to figure out a way to write the differences for hosts<br>
> > that begin with pattern xxx (^xxx)? and those with xxx at the<br>
> > end (*xxx) and those with xxx in the middle (*xxx)?, and for<br>
> > the life of me, I can't figure out why the above is sending<br>
> > into Switches :-(<br>
> <br>
> You've anchors in your filter regexps already. "^xxx", "xxx$",<br>
> ".xxx." are what you need if I understand you correctly.<br>
> <br>
> Regards,<br>
> <br>
> Sandor<br>
> ______________________________________________________________________________<br>
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<br>
> FAQ: http://www.campin.net/syslog-ng/faq.html<br>
> <br>
</body>
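A worked model of the rule walk Joe describes, run against the filters quoted in the thread. This is an added example, not code from the thread or from syslog-ng itself. It assumes, as syslog-ng does, that host() patterns are unanchored regular expressions, and it assumes an order for the log statements (Switches before MailServers, both with flags(final), then the catch-all), since the thread does not show the full list. It also shows why a glob-style pattern such as host("sw*") accepts a mail server: read as a regex, it matches an "s" anywhere in the hostname.

```python
import re

# Filter definitions quoted in the thread, as filter name -> host() patterns.
FILTERS = {
    "F_edge": ["edge*", "122.21.*"],
    "F_router": ["gw*", "rtr", "mmsc"],
    "F_switch": ["sw*", "sw1", "sw2"],
    "F_firewall": ["^fw*", "^mlm*-*", "^cm*"],
    "F_dc": ["^mydc*", "^dc*"],
    "F_accesspoints": ["^melanie*"],
    "F_mailservers": ["^mail*", "^smtpgw*"],
    "F_proxies": ["^proxygw*"],
    "F_InternetIP": ["161.17.10.*"],
}

# Corrected versions of the two filters in play (my change, not the thread's).
# The originals read like shell globs ("sw*" = "starts with sw"), but host()
# takes a regular expression, where "*" means "zero or more of the preceding
# character" and an unanchored pattern may match anywhere in the hostname.
# Anchoring with "^" and dropping the trailing "*" makes "sw" match only at
# the start, which is what Sandor's "^xxx" advice amounts to.
FIXED_FILTERS = dict(FILTERS)
FIXED_FILTERS["F_switch"] = ["^sw"]
FIXED_FILTERS["F_mailservers"] = ["^mail", "^smtpgw"]

# Assumed order of log statements (the thread does not show the full list):
# (filter name, or None for "no filter"; destination; carries flags(final)).
LOG_PATHS = [
    ("F_switch", "D_switch", True),
    ("F_mailservers", "D_mailservers", True),
    (None, "D_udp", False),          # the catch-all from the first message
]


def host_matches(patterns, host):
    """Several host() terms joined with 'or' accept the message if any one
    regex is found anywhere in the hostname (unanchored search)."""
    return any(re.search(p, host) for p in patterns)


def matching_filters(host, filters):
    """Every filter that would accept a message from `host`."""
    return sorted(name for name, pats in filters.items()
                  if host_matches(pats, host))


def route(host, filters, log_paths):
    """Joe's pseudo-code: walk the log statements top to bottom, deliver to
    each one whose filter matches, and stop after the first matching
    statement that carries flags(final)."""
    delivered = []
    for filter_name, destination, final in log_paths:
        if filter_name is None or host_matches(filters[filter_name], host):
            delivered.append(destination)
            if final:
                break
    return delivered


if __name__ == "__main__":
    host = "mailserver1.mycorp.net"
    print(matching_filters(host, FILTERS))        # ['F_mailservers', 'F_switch']
    print(route(host, FILTERS, LOG_PATHS))        # ['D_switch']  (the symptom)
    print(matching_filters(host, FIXED_FILTERS))  # ['F_mailservers']
    print(route(host, FIXED_FILTERS, LOG_PATHS))  # ['D_mailservers']
    print(route("unknownhost", FIXED_FILTERS, LOG_PATHS))  # ['D_udp']
```

With the patterns as quoted, a message from mailserver1 satisfies both F_switch and F_mailservers, so whichever flags(final) statement comes first wins and nothing reaches the catch-all, which is consistent with what the first message reports. With the anchored patterns only F_mailservers matches, and hosts that match no filter fall through to D_udp.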
</html>