Although updating it to .* seems to have solved the issue...

I had tried various iterations of regexes, and none of them worked as expected.  

So I guess there must be a bug in syslog-ng for the patterns I had entered, if it behaved as you noted (matched csssssssssssssss and rrrrrrrrrrrrrr and lbbbbbbbbbbbbbbbbbbbbb).

The lb logs would not have been matching the comware filter, but they were, and it wasn't just the lb logs: the comware filter matched pretty much any hostnames that I had.

But I guess for now I'm up and running.

On Mon, Jun 24, 2013 at 2:24 PM, Orangepeel Beef <orangepeelbeef@gmail.com> wrote:
I probably need lb.* but that isn't really the point, as the lb one is matching the comware filter and there is no way that name matches anything in the comware filter regex.


On Mon, Jun 24, 2013 at 2:04 PM, Balazs Scheidler <bazsi77@gmail.com> wrote:

Are you sure you wanted lb*? It matches lb, lbb, lbbb and so on with ever-increasing b's.

On Jun 24, 2013 11:01 PM, "Orangepeel Beef" <orangepeelbeef@gmail.com> wrote:
I've got some strange problems with trying to use the syslog-ng host filter. It seems that every log line matches the filter f_comware but none of them match f_netscaler. It makes very little sense to me. Reverse DNS is working, as the logs that end up in /var/log/remote have the correct hostname being logged from the $HOST template.

I have a second issue: SEC does not die when syslog-ng is restarted. (I have used this setup in the past and have had no problems, but I suppose things may have changed in both syslog-ng and SEC since the last time.)

This is driving me crazy... please help ;)


#config


@version: 3.1
#
# Syslog-ng configuration file, compatible with default Debian syslogd

# First, set some global options.
options { long_hostnames(on); flush_lines(0); use_dns(yes); use_fqdn(yes);
owner("syslog"); group("adm"); perm(0640); dns_cache_size(2000); dns_cache_expire(21600);
dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000); create_dirs(yes);
bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);
};

source s_remote { udp();tcp(); };

destination d_remote { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log" template("$R_DATE $HOST $MSG\n") template_escape(no)); };

destination d_netscaler { program("/usr/local/sbin/sec_netscaler" template("$R_DATE $HOST $MSG\n") template_escape(no)); };

destination d_comware { program("/usr/local/sbin/sec_comware" template("$R_DATE $HOST $MSG\n") template_escape(no)); };


filter f_netscaler { host("lb*ae1.mydomain.com"); };
filter f_comware { host("(as|cs|r)*ae1.mydomain.com"); };

log { source(s_remote); destination(d_remote); };
log { source(s_remote); filter(f_netscaler); destination(d_netscaler); };
log { source(s_remote); filter(f_comware); destination(d_comware); };


#debug logs
[13:38:54]  Filter rule evaluation result; filter_result='match', filter_rule='f_comware'
[13:38:56]  Incoming log entry; line='<190>Jun 21 20:37:54 2013 R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
[13:38:58]  Filter rule evaluation begins; filter_rule='f_netscaler'
[13:39:00]  Filter node evaluation result; filter_result='not-match'
[13:39:02]  Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'
[13:39:04]  Filter rule evaluation begins; filter_rule='f_comware'
[13:39:06]  Filter node evaluation result; filter_result='match'
[13:39:08]  Filter rule evaluation result; filter_result='match', filter_rule='f_comware'
[13:39:10]  Incoming log entry; line='<190>Jun 21 20:37:54 2013 R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
[13:39:12]  Filter rule evaluation begins; filter_rule='f_netscaler'
[13:39:14]  Filter node evaluation result; filter_result='not-match'
[13:39:16]  Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'
[13:39:18]  Filter rule evaluation begins; filter_rule='f_comware'
[13:39:20]  Filter node evaluation result; filter_result='match'
[13:39:22]  Filter rule evaluation result; filter_result='match', filter_rule='f_comware'
[13:39:24]  Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 :  User nsroot - Remote_ip x.x.x.x - Command "login nsroot "********"" - Status "Success"'
[13:39:26]  Initializing destination file writer; template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log', filename='/var/log/remote/lb1o1ae1.mydomain.com/2013-06-21.log'
[13:39:28]  Filter rule evaluation begins; filter_rule='f_netscaler'
[13:39:31]  Filter node evaluation result; filter_result='not-match'
[13:39:33]  Filter rule evaluation result; filter_result='not-match', filter_rule='f_netscaler'
[13:39:35]  Filter rule evaluation begins; filter_rule='f_comware'
[13:39:37]  Filter node evaluation result; filter_result='match'
[13:39:39]  Filter rule evaluation result; filter_result='match', filter_rule='f_comware'
[13:39:41]  ^CTermination requested via signal, terminating;
[13:39:43]  syslog-ng shutting down; version='3.1.3'


#logs in /var/log/remote/lb2z2ae1.mydomain.com
Jun 21 20:23:34 lb2z2ae1.mydomain.com 20:23:34 GMT lb2z2ae1 0-PPE-3 : UI CMD_EXECUTED 28261 0 :  User nsroot - Remote_ip x.x.x.x - Command "show service GL-AE1-2AZ1-DB0001_9191" - Status "Success"

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
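
The following is an added example, not part of the thread and not syslog-ng's own code. It reproduces in Python what the debug log above shows: why host("(as|cs|r)*ae1.mydomain.com") matched every host and host("lb*ae1.mydomain.com") matched none. It assumes that syslog-ng's host() filter performs an unanchored regex search over $HOST (so `*` binds only to the single preceding atom, and a group quantified with `*` may match zero times), and uses Python's `re` as a stand-in for the POSIX extended regex engine. The corrected patterns and the sample hostnames are my own constructions, modelled on the names in the thread.

```python
import re

# Filter patterns exactly as they appear in the posted syslog-ng config.
ORIGINAL_FILTERS = {
    "f_netscaler": r"lb*ae1.mydomain.com",          # 'l' then zero or more 'b', then 'ae1...'
    "f_comware":   r"(as|cs|r)*ae1.mydomain.com",   # group may repeat ZERO times -> just 'ae1...'
}

# Corrected patterns (my addition, not from the thread): anchored at both ends,
# '*' applied to '.' so it means "any characters", and the literal dots escaped
# so that '.' cannot match an arbitrary character.
CORRECTED_FILTERS = {
    "f_netscaler": r"^lb.*ae1\.mydomain\.com$",
    "f_comware":   r"^(as|cs|r).*ae1\.mydomain\.com$",
}

# Constructed sample $HOST values, i.e. the reverse-DNS names that use_dns(yes)
# and use_fqdn(yes) would yield for the devices mentioned in the thread.
SAMPLE_HOSTS = [
    "lb1o1ae1.mydomain.com",       # NetScaler (should hit f_netscaler only)
    "lb2z2ae1.mydomain.com",       # NetScaler (should hit f_netscaler only)
    "cs01ae1.mydomain.com",        # Comware switch (should hit f_comware only)
    "r0507s3z3ae1.mydomain.com",   # Comware router (should hit f_comware only)
    "dns2ae1.mydomain.com",        # unrelated box that should hit neither filter
]


def host_filter_matches(pattern, host):
    """Emulate syslog-ng's host(): an unanchored regex search over the $HOST macro."""
    return re.search(pattern, host) is not None


def evaluate(filters, hosts):
    """Return {filter_name: [hosts that match]} for a dict of filter patterns."""
    return {
        name: [h for h in hosts if host_filter_matches(pattern, h)]
        for name, pattern in filters.items()
    }


def overmatched(original, corrected, hosts):
    """Hosts a filter would route under the original pattern but not under the corrected one.

    These are the messages that end up in the wrong SEC pipeline.
    """
    before = evaluate(original, hosts)
    after = evaluate(corrected, hosts)
    return {name: sorted(set(before[name]) - set(after[name])) for name in original}


if __name__ == "__main__":
    for label, filters in (("original", ORIGINAL_FILTERS), ("corrected", CORRECTED_FILTERS)):
        print(f"== {label} filters ==")
        for name, matched in evaluate(filters, SAMPLE_HOSTS).items():
            print(f"  {name:12s} -> {matched}")
    print("== hosts misrouted by the original patterns ==")
    for name, hosts in overmatched(ORIGINAL_FILTERS, CORRECTED_FILTERS, SAMPLE_HOSTS).items():
        print(f"  {name:12s} -> {hosts}")
```

Running it shows the original f_comware pattern matching all five hosts, including both lb hosts and the unrelated dns2 host, while the original f_netscaler pattern matches nothing, exactly the behaviour in the debug log. The root cause is the same in both filters: a glob-style `*` was written where a regex `.*` was meant, and without `^`/`$` anchors the search succeeds on any host that merely contains the suffix. When a filter routes messages to a separate program() destination, an overmatching host() filter silently feeds one collector's events to another's parser, so anchoring and escaping the pattern is worth checking before trusting the downstream correlation rules.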