<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
Joe;<br><br>Many thanks for the fast reply!<br> <br>My problems lie with the other filters, the ones at the end:<br><br>filter F_edge {
host("edge*") or host("122.21.*"); };<br>filter
F_router { host("gw*") or host("rtr") or
host("mmsc"); };<br>filter F_switch {
host("sw*") or host("sw1") or host("sw2"); };<br>filter
F_firewall { host("^fw*") or host("^mlm*-*") or
host("^cm*"); };<br>filter
F_dc {
host("^mydc*") or host("^dc*"); };<br>filter F_accesspoints { host("^melanie*");
};<br>filter F_mailservers { host("^mail*") or host("^smtpgw*");
};<br>filter F_proxies { host("^proxygw*");
};<br>filter F_InternetIP { host("161.17.10.*");
};<br><br>The above, based on the filter rule for F_mailservers, should place anything coming in from a host named mailserver1, or smtpgw1 into destination D_mailservers, which in turn should save logs into file named /var/log/MyHosts/MailServers/$FULLHOST.log. Instead I find those logs in /var/log/MyHosts/Switches/$FULLHOST.log (which is really /var/log/MyHosts/Switches/mailserver1.mycorp.net/mailserver1.mycorp.net.log)<br><br>I need to figure out a way to write the differences for hosts that begin with pattern xxx (^xxx)? and those with xxx at the end (*xxx) and those with xxx in the middle (*xxx)?, and for the life of me, I can't fifure out why the above is sending into Switches :-(<br><br>Sorry if I am confusing this matter, and the reason for the overcomplication on my config is largely due to me being very new at this great tool.<br><br>Thanks!<br><br>.vp<br><br><blockquote><hr>From: Joe.Fegan@hp.com<br>To: syslog-ng@lists.balabit.hu<br>Date: Thu, 8 May 2008 16:08:03 +0000<br>Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended<br><br>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML">
<style>
.ExternalClass .EC_hmmessage P
{padding-right:0px;padding-left:0px;padding-bottom:0px;padding-top:0px;}
.ExternalClass BODY.EC_hmmessage
{font-size:10pt;font-family:Tahoma;}
</style>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">Your config seems a bit odd and maybe overly complex.
Here's how I read it, please let us know if this is how you intend it to
work.</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">Your sources:</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">S_dgram = only messages from local processes that call
syslog()</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">S_internal = only internal messages from syslog-ng on this
node</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">S_kernel = only messages from the kernel on this
node</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">S_tcp = only TCP messages from other nodes</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">S_udp = only UDP messages from other
nodes</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">Your log paths tell syslog-ng to behave as:</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008">log { source(S_udp);
destination(D_db_mysql); };</span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">All UDP messages from other nodes should be sent to
mysql.</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font face="Arial">log {
source(S_udp); destination(D_sec); };</font></span></div><font color="#0000ff" face="Arial"></font>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">All UDP messages from other nodes should be sent to
D_sec.</font></span></div>
<div><font color="#0000ff" face="Arial"></font> </div>
<div><font color="#0000ff" face="Arial"><font color="#000000">log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_auth); destination(D_authlog);
flags(final); };</font><br>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">All messages matching F_auth and coming either from local
syslog(), local syslog-ng internal or via TCP from other nodes (but
not via UDP) should be sent to D_authlog. If you send a message down this
path then don't bother evaluating any other
paths.</font></span></div></font></div>
<div><font color="#0000ff" face="Arial"><font color="#000000"></font></font> </div>
<div><font color="#0000ff" face="Arial"><font color="#000000">log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_local7);
destination(D_bootlog); flags(final); };</font><br>
</font><div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"><font color="#0000ff" face="Arial"></font></font></span><font color="#0000ff" face="Arial"> </font></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial"><font color="#0000ff" face="Arial">All messages matching F_local7 and coming either from
local syslog(), local syslog-ng internal or via TCP from other nodes
(but not via UDP) should be sent to D_bootlog. If you send a message down
this path then don't bother evaluating any other paths.</font></font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"></span><font color="#0000ff" face="Arial"> </font></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"><font color="#0000ff" face="Arial">Then there's a bunch of
other log paths in the same vein.</font></span></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"></span><font color="#0000ff" face="Arial"> </font></div>
<div dir="ltr" align="left"><span class="EC_390175515-08052008"></span><font color="#0000ff" face="Arial"> </font></div></div>
<div><br></div>
<div class="EC_OutlookMessageHeader" dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma"><b>From:</b> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <b>On Behalf Of
</b>wiskbroom@hotmail.com<br><b>Sent:</b> 08 May 2008 15:13<br><b>To:</b>
Syslog-ng users' and developers' mailing list<br><b>Subject:</b> [syslog-ng]
Problems With Filter Rules - Using First Rule, Not One
Intended<br></font><br></div>
<div></div>
<p class="EC_MsoNormal">Greetings;<br><br>My setup works well with one exception, my
filtering rules contained in my syslog-ng.conf do not appear to work
properly. My logs are not lost, instead they end up in a directory which I
did not intend them to be in. <br><br>Background: I log to a MySql DB, flatfiles
and finally, to SEC, which parses stuff and takes various actions (almost
working ;-)<br></p>
<p class="EC_MsoNormal"><br>For ease of reading, I will simply add the contents of my
config file which pertains to just one filter.</p>
<p class="EC_MsoNormal">Many thanks in advance for taking the time to read and help
me.<br><br>.vp<br></p>
<p class="EC_MsoNormal"><br>############<br># OPTIONS
#<br>############<br><br>options<br> {<br>
chain_hostnames(no);<br> create_dirs
(yes);<br> dir_perm(0755);<br> use_dns
(yes);<br> dns_cache(yes);<br>
dns_cache_size(1000);<br>
dns_cache_expire(604800);<br>
keep_hostname(yes);<br>
log_fifo_size(10000);<br>
log_msg_size(8192);<br>
long_hostnames(on);<br> perm(0644);<br>
stats(3600);<br> sync(0);<br> time_reopen
(10);<br> use_dns(yes);<br>
use_fqdn(yes);<br> };<br><br>############<br>#
SOURCES #<br>############<br><br>source
S_dgram<br> { unix-dgram("/dev/log"); };<br><br>source
S_internal<br> { internal(); };<br><br>source S_kernel<br> {
file("/proc/kmsg" log_prefix("kernel: ")); };<br><br>source S_tcp<br> {
tcp(port(4800) keep-alive(yes) max_connections(100)); };<br><br>source S_udp {
udp(ip("0.0.0.0") port(514)); };<br><br>###############<br># DEST SQL
DB
#<br>###############<br><br>destination D_db_mysql
{<br>
pipe("/var/log/mysql.pipe"<br>
template("INSERT INTO
logs<br>
(host, facility, priority, level, tag, datetime, program,
msg)<br>
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY
$HOUR:$MIN:$SEC',<br>
'$PROGRAM', '$MSG' );\n")
template-escape(yes));<br>};<br><br>##############<br>#
DESTINATIONS #<br>##############<br><br>destination
D_authlog { file("/var/log/auth.log");
};<br>destination D_bootlog {
file("/var/log/boot.log"); };<br>destination
D_debug {
file("/var/log/debug"); };<br>destination
D_explan {
file("/var/log/explanations"); };<br>destination D_messages {
file("/var/log/messages"); };<br>destination
D_secure { file("/var/log/secure");
};<br>destination D_spooler {
file("/var/log/spooler"); };<br>destination
D_syslog { file("/var/log/syslog");
};<br>destination
D_user {
file("/var/log/user.log"); };<br><br>destination
D_switch {
file("/var/log/MyHosts/Switches/$FULLHOST.log"<br>
perm(0644)); };<br>destination
D_edge {
file("/var/log/MyHosts/EdgeDevices/$FULLHOST.log"<br>
perm(0644)); };<br>destination D_firewall {
file("/var/log/MyHosts/Firewalls/$FULLHOST.log"<br>
owner(root) group(root) perm(0644) dir_perm(0700) create_dirs(yes));
};<br>destination D_router {
file("/var/log/MyHosts/Routers/$FULLHOST.log"<br>
perm(0644)); };<br>destination D_accesspoints {
file("/var/log/MyHosts/AccessPoints/$FULLHOST.log"<br>
perm(0644)); };<br>destination D_mailservers {
file("/var/log/MyHosts/MailServers/$FULLHOST.log"<br>
perm(0644)); };<br><br>###########<br>#
FILTERS
#<br>###########<br><br>filter
F_auth { facility(auth,
authpriv); };<br>filter
F_authpriv { facility(authpriv);
};<br>filter
F_cron { facility(cron);
};<br>filter
F_daemon { facility(daemon);
};<br>filter
F_kern { facility(kern);
};<br>filter
F_local1 { facility(local1);
};<br>filter
F_local2 { facility(local2);
};<br>filter
F_local3 { facility(local3);
};<br>filter
F_local4 { facility(local4);
};<br>filter
F_local5 { facility(local5);
};<br>filter
F_local6 { facility(local6);
};<br>filter
F_local7 { facility(local7);
};<br>filter
F_lpr { facility(lpr);
};<br>filter
F_mail { facility(mail);
};<br>filter F_messages {
facility(daemon, kern, user); };<br>filter
F_news { facility(news);
};<br>filter
F_spooler { facility(uucp,news) and level(crit);
};<br>filter
F_syslog { not facility(auth, authpriv) and
not facility(mail); };<br>filter
F_user { facility(user);
};<br><br>filter
F_crit { level(crit);
};<br>filter
F_debug { level(debug);
};<br>filter F_emergency {
level(emerg); };<br>filter
F_err { level(err);
};<br>filter
F_info { level(info);
};<br>filter
F_notice { level(notice);
};<br>filter
F_warn { level(warn);
};<br><br>filter F_edge {
host("edge*") or host("122.21.*"); };<br>filter
F_router { host("gw*") or host("rtr") or
host("mmsc"); };<br>filter F_switch {
host("sw*") or host("sw1") or host("sw2"); };<br>filter
F_firewall { host("^fw*") or host("^mlm*-*") or
host("^cm*"); };<br>filter
F_dc {
host("^mydc*") or host("^dc*"); };<br>filter F_accesspoints { host("^melanie*");
};<br>filter F_mailservers { host("^mail*") or host("^smtpgw*");
};<br>filter F_proxies { host("^proxygw*");
};<br>filter F_InternetIP { host("161.17.10.*");
};<br><br>##############<br>#
LOGS
#<br>##############<br><br>log { source(S_udp); destination(D_db_mysql);
};<br><br># Send ALL logs to SEC<br><br># log { source(S_dgram);
source(S_internal); source(S_tcp); filter(F_auth); destination(D_sec);
};<br><br># log { source(S_udp); source(S_tcp); destination(D_sec);
};<br><br>log { source(S_udp); destination(D_sec); };<br><br>###<br><br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_auth); destination(D_authlog);
flags(final); };<br>log { source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_local7);
destination(D_bootlog); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_local1);
destination(D_explan); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_local5);
destination(D_router); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_messages);
destination(D_messages); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_authpriv);
destination(D_secure); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp); filter(F_spooler);
destination(D_spooler); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_kernel);<br>
source(S_tcp); filter(F_syslog);
destination(D_syslog); flags(final); };<br>log {
source(S_dgram);<br>
source(S_internal);<br>
source(S_tcp);
filter(F_user); destination(D_user); flags(final);
};<br><br>log { source(S_dgram);<br>
source(S_internal);<br>
source(S_kernel);<br>
source(S_tcp);
destination(D_hosts); flags(final); };<br><br>log { source(S_udp);
filter(F_switch); destination(D_switch); flags(final); };<br>log {
source(S_udp); filter(F_firewall); destination(D_firewall); flags(final);
};<br>log { source(S_udp); filter(F_router); destination(D_router);
flags(final); };<br>log { source(S_udp); filter(F_edge); destination(D_edge);
flags(final); };<br>log { source(S_udp); filter(F_dc); destination(D_dc);
flags(final); };<br>log { source(S_udp); filter(F_accesspoints);
destination(D_accesspoints); flags(final); };<br>log { source(S_udp);
filter(F_proxies); destination(D_proxies); flags(final); };<br>log {
source(S_udp); filter(F_mailservers); destination(D_mailservers); flags(final);
};<br><br>log { source(S_udp); destination(D_udp);};<br><br><br><!--[if
!supportLineBreakNewLine]--><br><!--[endif]--></p>
</blockquote></body>
</html>