<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3354" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=191330901-11072008><FONT face=Arial
color=#0000ff size=2>Your regular expressions do look ok - I tested them
interactively in tclsh and the "wireless" one does match hostr01.w01.primary
while the "router" one does not. So this does seems like a syslog-ng
oddity.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=191330901-11072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=191330901-11072008><FONT face=Arial
color=#0000ff size=2>fegan> tclsh<BR>% set hn
{hostr01.w01.primary}<BR>hostr01.w01.primary<BR>%<BR>% set router
{^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$}<BR>^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$<BR>%<BR>%
regexp $router $hn<BR>0<BR>%<BR>% set wireless
{^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$}<BR>^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$<BR>%<BR>%
regexp $wireless $hn<BR>1<BR>% exit<BR>fegan><BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=191330901-11072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=191330901-11072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><FONT face=Arial color=#0000ff
size=2></FONT><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>James
Whitt<BR><B>Sent:</B> 10 July 2008 22:53<BR><B>To:</B> Syslog-ng users' and
developers' mailing list<BR><B>Subject:</B> Re: [syslog-ng] Using Regex
information for destination<BR></FONT><BR></DIV>
<DIV></DIV>I just noticed an issues with my filter using regex, so I'm hoping
that someone can help me figure this out. I'm running version <A
href="http://2.0.9.">2.0.9.</A> I have internal hostnames that I use with
a central log system. The issue is that if I use a host
like:<BR><BR>hostr01.w01.primary<BR><BR>It should go to
/logs/primary/wireless/hostr01.r01.primary/, but if the router filter is above
the wireless filter, the it's actually going into
/logs/primary/wireless/hostr01.r01.primary/. It appears to be ignoring or
matching the . even thought I have it with a \.. Any help with this would
be greatly appreciated. If I didn't have the final(), it would log to both
places.<BR><BR><BR>Here is the snippet of the config that deals with
this.<BR><BR><BR>filter router_filter {
host("^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$"); };<BR>destination
router_logs {<BR>
file("/logs/$1/router/$HOST/$YEAR-$MONTH-$DAY.log");<BR>};<BR>log {
source(s_external);<BR>
filter(router_filter);<BR>
destination(router_logs);<BR>
flags(final);<BR>};<BR><BR><BR>filter wireless_filter {
host("^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$"); };<BR>destination
wireless_logs {<BR>
file("/logs/$1/wireless/$HOST/$YEAR-$MONTH-$DAY.log");<BR>};<BR>log {
source(s_external);<BR>
filter(wireless_filter);<BR>
destination(wireless_logs);<BR>
flags(final);<BR>};<BR><BR></BODY></HTML>