Your regular expressions do look ok - I tested them
interactively in tclsh and the "wireless" one does match hostr01.w01.primary
while the "router" one does not. So this does seem like a syslog-ng
oddity.
fegan> tclsh
% set hn {hostr01.w01.primary}
hostr01.w01.primary
%
% set router {^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$}
^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$
%
% regexp $router $hn
0
%
% set wireless {^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$}
^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$
%
% regexp $wireless $hn
1
% exit
fegan>
I just noticed an issue with my filter using regex, so I'm hoping
that someone can help me figure this out. I'm running version 2.0.9.
I have internal hostnames that I use with a central log system. The
issue is that if I use a host like:
hostr01.w01.primary
It should go to /logs/primary/wireless/hostr01.r01.primary/, but if
the router filter is above the wireless filter, then it's actually
going into /logs/primary/wireless/hostr01.r01.primary/. It appears to
be ignoring or matching the . even though I have it with a \.. Any
help with this would be greatly appreciated. If I didn't have the
final(), it would log to both places.
Here is the snippet of the config that deals with this.
filter router_filter {
    host("^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$");
};
destination router_logs {
    file("/logs/$1/router/$HOST/$YEAR-$MONTH-$DAY.log");
};
log {
    source(s_external);
    filter(router_filter);
    destination(router_logs);
    flags(final);
};
filter wireless_filter {
    host("^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$");
};
destination wireless_logs {
    file("/logs/$1/wireless/$HOST/$YEAR-$MONTH-$DAY.log");
};
log {
    source(s_external);
    filter(wireless_filter);
    destination(wireless_logs);
    flags(final);
};
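
The tclsh check above, extended as an added example (not part of either message and not syslog-ng code): it models log paths evaluated top to bottom with flags(final), and tests the suspicion that the escaped dot is being treated as "any character". Python's re module stands in for syslog-ng's matcher as an assumption, and the function names and sample hostnames are constructed for illustration.

```python
import re

# Patterns and file templates copied from the posted config.
ROUTER = r"^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$"
WIRELESS = r"^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$"
RULES = [
    ("router", ROUTER, "/logs/$1/router/$HOST/$YEAR-$MONTH-$DAY.log"),
    ("wireless", WIRELESS, "/logs/$1/wireless/$HOST/$YEAR-$MONTH-$DAY.log"),
]

def route(host, rules):
    """Return the files a message from `host` would be written to.

    Models log paths evaluated in order, each carrying flags(final):
    the first filter that matches stops further processing.
    Only $1 and $HOST are expanded; the date macros stay literal.
    """
    written = []
    for _name, pattern, template in rules:
        m = re.search(pattern, host)
        if m:
            written.append(template.replace("$1", m.group(1)).replace("$HOST", host))
            break  # flags(final)
    return written

def unescape_dots(pattern):
    """Hypothetical: the pattern if every \\. decayed to a bare '.' (any char)."""
    return pattern.replace(r"\.", ".")

def overlapping(hosts, rules):
    """Hosts matched by more than one filter, i.e. where rule order matters."""
    return [h for h in hosts
            if sum(bool(re.search(p, h)) for _n, p, _t in rules) > 1]

# Constructed sample hostnames following the naming scheme in the post.
SAMPLE_HOSTS = ["hostr01.w01.primary", "hostr01.r01.primary", "core-sw.r12.backup"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", route(h, RULES), "| reversed:", route(h, RULES[::-1]))
    loose = [(n, unescape_dots(p), t) for n, p, t in RULES]
    print("overlap as written:", overlapping(SAMPLE_HOSTS, RULES))
    print("overlap with dots unescaped:", overlapping(SAMPLE_HOSTS, loose))
```

On these inputs no hostname matches both filters, with or without the dots escaped, so under this model pattern overlap alone does not account for the misrouting.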