Hi

Thanks Sandor. Your suggestions solved the problem. I think I misunderstand something: when a message is received and the filter statement is host(something), does the filter parse the message to look for the string, or does it match the message based on the server that sent the message?

TIA
Paolo

--- Sandor Geller <wildy@balabit.hu> wrote:
Paolo Supino wrote:
Hi
I've installed syslog-ng 1.6.8 on a Linux FC4 system to act as a centralized logging server. For a while everything was fine, until I tried to add another statement to one of the filters. After the addition syslog-ng started writing the destination files in the wrong places, writing the same file in 2 locations and ignoring messages sent from certain origins.
Which filter is causing your problems?
# destinations
destination d_switch { file("/var/log/company/switches/$HOST.log" perm(0644)); };
destination d_edge { file("/var/log/company/edge_devices/$HOST.log" perm(0644)); };
destination d_fw { file("/var/log/company/firewalls/$HOST.log" perm(0644)); };
destination d_router { file("/var/log/company/routers/$HOST.log" perm(0644)); };
Use the $FULLHOST macro, not just $HOST
# filters
filter f_edge { host("edge*") or host("10.10.*"); };
filter f_router { host("3600-primary") or host("backbone-3550") or host("secondary-3550"); };
filter f_switch { host("sw*") or host("backbone-5510") or host(pp8600*); };
filter f_fw { host("fw*"); };
You should check your hostnames, whether they contain your filter patterns. I suggest using "^edge.*"-style regexp, this is more precise than "edge*". I suspect your fully qualified hostnames contain somewhere the "fw" or the "sw" strings.
# wrap everything up
log { source(s_net); filter(f_switch); destination(d_switch); };
log { source(s_net); filter(f_router); destination(d_router); };
log { source(s_net); filter(f_edge); destination(d_edge); };
log { source(s_net); filter(f_fw); destination(d_fw); };
Consider using the "final" flag in your log sections, this can improve the performance of syslog-ng, but be aware that if you use final, then the order of your log sections does matter!
--
Sandor Geller
wildy@balabit.hu

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
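The pattern behaviour discussed in this thread, as an added example that is not part of the original messages: it evaluates the posted host() patterns and "^edge.*"-style anchored versions against hostnames to show which filters each host satisfies. It assumes host() arguments are regular expressions searched anywhere in the message's hostname field, uses Python's re as a stand-in for syslog-ng's regexp engine, and the hostnames not named in the thread are constructed.

```python
import re

# Patterns as posted in the thread (pp8600* is quoted here so it is a string).
# Read as regexps, "sw*" means "s followed by zero or more w", so it matches
# any hostname that contains the letter "s"; "fw*" matches any that contains "f".
POSTED = {
    "f_edge":   ["edge*", "10.10.*"],
    "f_router": ["3600-primary", "backbone-3550", "secondary-3550"],
    "f_switch": ["sw*", "backbone-5510", "pp8600*"],
    "f_fw":     ["fw*"],
}

# Anchored rewrite in the "^edge.*" style suggested in the reply (assumed form).
ANCHORED = {
    "f_edge":   [r"^edge.*", r"^10\.10\..*"],
    "f_router": [r"^3600-primary$", r"^backbone-3550$", r"^secondary-3550$"],
    "f_switch": [r"^sw.*", r"^backbone-5510$", r"^pp8600.*"],
    "f_fw":     [r"^fw.*"],
}

# Constructed sample hostnames, except the router names taken from the thread.
HOSTS = ["secondary-3550", "backbone-3550", "fw-east",
         "sw-floor2", "edge-sf1", "10.10.4.7"]


def route(host, filters):
    """Return the sorted names of every filter the hostname field satisfies."""
    return sorted(name for name, patterns in filters.items()
                  if any(re.search(p, host) for p in patterns))


def misrouted(hosts, filters):
    """Map each host that hits zero or several filters to the filters it hit."""
    result = {}
    for host in hosts:
        hits = route(host, filters)
        if len(hits) != 1:
            result[host] = hits
    return result


if __name__ == "__main__":
    for label, filters in (("posted", POSTED), ("anchored", ANCHORED)):
        print(label)
        for host in HOSTS:
            print(f"  {host:16} -> {route(host, filters)}")
```

Each log statement without the "final" flag is evaluated independently, so a host that satisfies two filters is written to two destination directories.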