<div dir="ltr">Balazs, thanks for your help, I really thought that host() wore literal ip address.<div><br></div><div>I'll try to adapt my filters to regexps pattern.</div></div><div class="gmail_extra"><br clear="all">
<div><div><br></div><div>---</div>Renato Bezerra</div>
<br><br><div class="gmail_quote">2014-07-18 7:05 GMT-03:00 Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Please note that by default host() uses regexps where the '.' matches any character.<br></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Thu, Jul 17, 2014 at 9:31 PM, Renato Bezerra <span dir="ltr"><<a href="mailto:renatobamorim@gmail.com" target="_blank">renatobamorim@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Jakub,<div><br></div><div>Thanks for the fast reply. I have others conf files, each one to a different device type that I include on main configuration (just for organization), all confs are based on "host" filter.</div>
<div><br></div><div>The source is a tcp class on my main configuration, if you judge necessary I can send the others confs, but on none of then i put this ip address on filters.</div><div><br></div><div><br></div></div><div class="gmail_extra">
<br clear="all"><div><div><br></div><div>---</div>Renato Bezerra</div>
<br><br><div class="gmail_quote">2014-07-17 16:16 GMT-03:00 Jakub Jankowski <span dir="ltr"><<a href="mailto:shasta@toxcorp.com" target="_blank">shasta@toxcorp.com</a>></span>:<div><div><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>On 17.07.2014 21:09, Renato Bezerra wrote:<br>
> Hi,<br>
><br>
> I'm using syslog-ng in a long time, but recently i noted that, in some<br>
> cases, the log has sent to a wrong destination.<br>
><br>
> I have many devices sending logs to my host, the problem appears when<br>
> the server receive webservers logs, they are delivered to a different<br>
> destination and I don't known how.<br>
><br>
> here is the configuration:<br>
><br>
> destination apache {<br>
> file("/var/log/webserver/$R_YEAR-$R_MONTH-$R_DAY-$R_HOUR"<br>
> owner(ll)<br>
> group(ll)<br>
> perm(0644)<br>
> dir_perm(0755)<br>
> create_dirs(yes));<br>
> };<br>
><br>
> filter f_apache {<br>
> (<br>
> host("xxx.xxx.xxx.82") or<br>
> host("xxx.xxx.xxx.137")<br>
> );<br>
> };<br>
><br>
> log {<br>
> source(aaa);<br>
> filter(f_apache);<br>
> destination(apache);<br>
> };<br>
><br>
> The ip address xxx.xxx.xxx.137 send a duplicate log event to another<br>
> directory, without any other configuration.<br>
><br>
> Have you seen this?<br>
<br>
</div></div>Well, is that your *entire* configuration? I very much doubt so. You<br>
should post the entire config, not just this snippet. How are we<br>
supposed to know what this "another directory" is, and what filtering<br>
you apply in the log {} block that sends logs to it?<br>
<span><font color="#888888"><br>
<br>
<br>
J.<br>
<br>
<br>
--<br>
Jakub Jankowski|<a href="mailto:shasta@toxcorp.com" target="_blank">shasta@toxcorp.com</a>|<a href="http://toxcorp.com/" target="_blank">http://toxcorp.com/</a><br>
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</font></span></blockquote></div></div></div><br></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Bazsi
</font></span></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>