<div dir="ltr">I probably need lb.* but that isn't really the point as the lb one is matching the comware filter and there is no way that name matches anything in the comware filter regex.</div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Mon, Jun 24, 2013 at 2:04 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Are you sure you wanted lb*? It matches lb, lbb,lbbb and so on with ever increasing b-s.<br>
</p>
<div class="gmail_quote"><div><div class="h5">On Jun 24, 2013 11:01 PM, "Orangepeel Beef" <<a href="mailto:orangepeelbeef@gmail.com" target="_blank">orangepeelbeef@gmail.com</a>> wrote:<br type="attribution">
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div dir="ltr"><div>I've got some strange problems with trying to use the syslog-ng host filter. It seems that every logline matches the filter f_comware but none of them match f_netscaler. It makes very little sense to me. Reverse dns is working as the logs that end up in /var/log/remote have the correct hostname being logged from the $HOST template.</div>
<div><br></div><div>I have a second issue that SEC does not die when syslog-ng is restarted. (I have used this setup in the past and have had no problems, but i suppose things may have changed in both syslog-ng and sec since the last time)</div>
<div><br></div><div>This is driving me crazy.. please help ;) </div><div><br></div><div><br></div><div>#config</div><div><br></div><div><br></div><div>@version: 3.1</div><div>#</div><div>
# Syslog-ng configuration file, compatible with default Debian syslogd</div><div><br></div><div># First, set some global options.</div><div>options { long_hostnames(on); flush_lines(0); use_dns(yes); use_fqdn(yes);</div>
<div>
owner("syslog"); group("adm"); perm(0640); dns_cache_size(2000); dns_cache_expire(21600);</div><div>dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000); create_dirs(yes);</div>
<div>bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);</div><div>};</div><div><br></div><div><div>source s_remote { udp();tcp(); };</div></div><div><br></div><div><div>destination d_remote { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log" template("$R_DATE $HOST $MSG\n") template_escape(no)); };</div>
<div><br></div><div>destination d_netscaler { program("/usr/local/sbin/sec_netscaler" template("$R_DATE $HOST $MSG\n") template_escape(no)); };</div><div><br></div><div>destination d_comware { program("/usr/local/sbin/sec_comware" template("$R_DATE $HOST $MSG\n") template_escape(no)); };</div>
<div><br></div><div><br></div><div><div>filter f_netscaler { host("lb*<a href="http://ae1.mydomain.com" target="_blank">ae1.mydomain.com</a>"); };</div><div>filter f_comware { host("(as|cs|r)*<a href="http://ae1.mydomain.com" target="_blank">ae1.mydomain.com</a>"); };</div>
</div></div><div><br></div><div><div>log { source(s_remote); destination(d_remote); };</div></div><div><div>log { source(s_remote); filter(f_netscaler); destination(d_netscaler); };</div><div>log { source(s_remote); filter(f_comware); destination(d_comware); };</div>
</div><div><br></div><div><br></div><div>#debug logs</div><div><div>[13:38:54] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div><div>[13:38:56] Incoming log entry; line='<190>Jun 21 20:37:54 2013 R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s Ten-GigabitEthernet1/0/2 has been set to forwarding state.'</div>
<div>[13:38:58] Filter rule evaluation begins; filter_rule='f_netscaler'</div><div>[13:39:00] Filter node evaluation result; filter_result='not-match'</div><div>[13:39:02] Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'</div>
<div>[13:39:04] Filter rule evaluation begins; filter_rule='f_comware'</div><div>[13:39:06] Filter node evaluation result; filter_result='match'</div><div>[13:39:08] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div>
<div>[13:39:10] Incoming log entry; line='<190>Jun 21 20:37:54 2013 R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s Ten-GigabitEthernet1/0/2 has been set to forwarding state.'</div>
<div>[13:39:12] Filter rule evaluation begins; filter_rule='f_netscaler'</div><div>[13:39:14] Filter node evaluation result; filter_result='not-match'</div><div>[13:39:16] Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'</div>
<div>[13:39:18] Filter rule evaluation begins; filter_rule='f_comware'</div><div>[13:39:20] Filter node evaluation result; filter_result='match'</div><div>[13:39:22] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div>
<div>[13:39:24] Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 : User nsroot - Remote_ip x.x.x.x - Command "login nsroot "********"" - Status "Success"'</div>
<div>[13:39:26] Initializing destination file writer; template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log', filename='/var/log/remote/<a href="http://lb1o1ae1.mydomain.com/2013-06-21.log" target="_blank">lb1o1ae1.mydomain.com/2013-06-21.log</a>'</div>
<div>[13:39:28] Filter rule evaluation begins; filter_rule='f_netscaler'</div><div>[13:39:31] Filter node evaluation result; filter_result='not-match'</div><div>[13:39:33] Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'</div>
<div>[13:39:35] Filter rule evaluation begins; filter_rule='f_comware'</div><div>[13:39:37] Filter node evaluation result; filter_result='match'</div><div>[13:39:39] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div>
<div>[13:39:41] ^CTermination requested via signal, terminating;</div><div>[13:39:43] syslog-ng shutting down; version='3.1.3'</div></div><div><br></div><div><br></div><div>#logs in /var/log/remote/<a href="http://lb2z2ae1.mydomain.com" target="_blank">lb2z2ae1.mydomain.com</a></div>
<div>Jun 21 20:23:34 <a href="http://lb2z2ae1.mydomain.com" target="_blank">lb2z2ae1.mydomain.com</a> 20:23:34 GMT lb2z2ae1 0-PPE-3 : UI CMD_EXECUTED 28261 0 : User nsroot - Remote_ip x.x.x.x - Command "show service GL-AE1-2AZ1-DB0001_9191" - Status "Success"<br>
</div></div>
<br></div></div>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>