<div dir="ltr"><div>I've got some strange problems trying to use the syslog-ng host filter. It seems that every log line matches the filter f_comware but none of them match f_netscaler. It makes very little sense to me. Reverse DNS is working, as the logs that end up in /var/log/remote have the correct hostname being logged from the $HOST template.</div>
<div><br></div><div>I have a second issue: SEC does not die when syslog-ng is restarted. (I have used this setup in the past and have had no problems, but I suppose things may have changed in both syslog-ng and SEC since the last time.)</div>
<div style><br></div><div style>This is driving me crazy.. please help ;) </div><div style><br></div><div style><br></div><div style>#config</div><div style><br></div><div><br></div><div>@version: 3.1</div><div>#</div><div>
# Syslog-ng configuration file, compatible with default Debian syslogd</div><div><br></div><div># First, set some global options.</div><div>options { long_hostnames(on); flush_lines(0); use_dns(yes); use_fqdn(yes);</div><div>
owner("syslog"); group("adm"); perm(0640); dns_cache_size(2000); dns_cache_expire(21600);</div><div>dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000); create_dirs(yes);</div>
<div>bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);</div><div>};</div><div><br></div><div><div>source s_remote { udp();tcp(); };</div></div><div><br></div><div><div>destination d_remote { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log" template("$R_DATE $HOST $MSG\n") template_escape(no)); };</div>
<div><br></div><div>destination d_netscaler { program("/usr/local/sbin/sec_netscaler" template("$R_DATE $HOST $MSG\n") template_escape(no)); };</div><div><br></div><div>destination d_comware { program("/usr/local/sbin/sec_comware" template("$R_DATE $HOST $MSG\n") template_escape(no)); };</div>
<div><br></div><div><br></div><div><div>filter f_netscaler { host("lb*<a href="http://ae1.mydomain.com">ae1.mydomain.com</a>"); };</div><div>filter f_comware { host("(as|cs|r)*<a href="http://ae1.mydomain.com">ae1.mydomain.com</a>"); };</div>
</div></div><div><br></div><div><div>log { source(s_remote); destination(d_remote); };</div></div><div><div>log { source(s_remote); filter(f_netscaler); destination(d_netscaler); };</div><div>log { source(s_remote); filter(f_comware); destination(d_comware); };</div>
</div><div><br></div><div><br></div><div style>#debug logs</div><div style><div>[13:38:54] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div><div>[13:38:56] Incoming log entry; line='<190>Jun 21 20:37:54 2013 R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s Ten-GigabitEthernet1/0/2 has been set to forwarding state.'</div>
<div>[13:38:58] Filter rule evaluation begins; filter_rule='f_netscaler'</div><div>[13:39:00] Filter node evaluation result; filter_result='not-match'</div><div>[13:39:02] Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'</div>
<div>[13:39:04] Filter rule evaluation begins; filter_rule='f_comware'</div><div>[13:39:06] Filter node evaluation result; filter_result='match'</div><div>[13:39:08] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div>
<div>[13:39:10] Incoming log entry; line='<190>Jun 21 20:37:54 2013 R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s Ten-GigabitEthernet1/0/2 has been set to forwarding state.'</div>
<div>[13:39:12] Filter rule evaluation begins; filter_rule='f_netscaler'</div><div>[13:39:14] Filter node evaluation result; filter_result='not-match'</div><div>[13:39:16] Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'</div>
<div>[13:39:18] Filter rule evaluation begins; filter_rule='f_comware'</div><div>[13:39:20] Filter node evaluation result; filter_result='match'</div><div>[13:39:22] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div>
<div>[13:39:24] Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 : User nsroot - Remote_ip x.x.x.x - Command "login nsroot "********"" - Status "Success"'</div>
<div>[13:39:26] Initializing destination file writer; template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log', filename='/var/log/remote/<a href="http://lb1o1ae1.mydomain.com/2013-06-21.log">lb1o1ae1.mydomain.com/2013-06-21.log</a>'</div>
<div>[13:39:28] Filter rule evaluation begins; filter_rule='f_netscaler'</div><div>[13:39:31] Filter node evaluation result; filter_result='not-match'</div><div>[13:39:33] Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'</div>
<div>[13:39:35] Filter rule evaluation begins; filter_rule='f_comware'</div><div>[13:39:37] Filter node evaluation result; filter_result='match'</div><div>[13:39:39] Filter rule evaluation result; filter_result='match', filter_rule='f_comware'</div>
<div>[13:39:41] ^CTermination requested via signal, terminating;</div><div>[13:39:43] syslog-ng shutting down; version='3.1.3'</div></div><div><br></div><div><br></div><div style>#logs in /var/log/remote/<a href="http://lb2z2ae1.mydomain.com">lb2z2ae1.mydomain.com</a></div>
<div style>Jun 21 20:23:34 <a href="http://lb2z2ae1.mydomain.com">lb2z2ae1.mydomain.com</a> 20:23:34 GMT lb2z2ae1 0-PPE-3 : UI CMD_EXECUTED 28261 0 : User nsroot - Remote_ip x.x.x.x - Command "show service GL-AE1-2AZ1-DB0001_9191" - Status "Success"<br>
</div></div>
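<div>Added illustration, not part of the original post: the debug output above is exactly what you get when the two host() patterns are read as POSIX extended regexes, which is how syslog-ng 3.x filters compile them by default, rather than as shell globs. The script below uses Python's re module as a stand-in for that regexec() search (an assumption; these particular patterns behave the same under both), runs the posted patterns and anchored replacements against the $HOST values from the post, and constructs a reverse-DNS name for the Comware switch because the post does not show one.</div>

```python
import re

# $HOST values as syslog-ng builds them with use_dns(yes), use_fqdn(yes) and
# keep_hostname(no): the reverse-DNS FQDN. The two lb* names appear in the
# post's debug log and /var/log/remote path; the third is constructed as a
# plausible reverse-DNS name for the switch that logs as R0507S3Z3AE1.
HOSTS = [
    "lb1o1ae1.mydomain.com",
    "lb2z2ae1.mydomain.com",
    "r0507s3z3ae1.mydomain.com",  # constructed, not from the post
]

# Patterns exactly as written in the posted host() filters. As POSIX extended
# regexes, "lb*" means "l followed by zero or more b", and "(as|cs|r)*" means
# "zero or more of these", i.e. the prefix is optional, so the second pattern
# matches any host containing ae1.mydomain.com.
POSTED = {
    "f_netscaler": r"lb*ae1.mydomain.com",
    "f_comware": r"(as|cs|r)*ae1.mydomain.com",
}

# Anchored regexes expressing what the filters appear to intend: a prefix,
# anything, then the literal domain with the dots escaped. In syslog-ng.conf:
#   filter f_netscaler { host("^lb.*ae1\.mydomain\.com$"); };
#   filter f_comware   { host("^(as|cs|r).*ae1\.mydomain\.com$"); };
FIXED = {
    "f_netscaler": r"^lb.*ae1\.mydomain\.com$",
    "f_comware": r"^(as|cs|r).*ae1\.mydomain\.com$",
}


def evaluate(filters, hosts):
    """Return {filter_name: [hosts it matches]} using an unanchored search,
    the way regexec() matches a pattern anywhere inside $HOST."""
    return {name: [h for h in hosts if re.search(pat, h)]
            for name, pat in filters.items()}


if __name__ == "__main__":
    for label, filters in (("as posted", POSTED), ("anchored", FIXED)):
        print(f"== {label} ==")
        for name, matched in evaluate(filters, HOSTS).items():
            print(f"{name:12s} -> {matched}")
```

With the posted patterns f_comware matches every host and f_netscaler none, reproducing the debug log; the anchored versions route the NetScaler and Comware hosts separately.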