On Thu, 2009-02-12 at 15:33 -0500, Chris Bland wrote:
Hi guys,
I am having a problem filtering based on IP address. My predecessor had a config file with over 240 hosts. I just upgraded to 2.0.10-1 and started getting YACC stack overflow errors.
This was reported a couple of weeks ago, and the reason for the stack overflows seems to be using traditional "yacc" instead of bison. Try recompiling syslog-ng with bison or search the archives for a yacc-specific solution; then these errors should be gone. On the other hand, it certainly is better to have a smaller configuration file.
I condensed the config file by using regex. If I stop using DNS everything works fine. What I am trying to do is filter based on IP address and have each log stored in a directory with the server's DNS name. My config looks like this:
    options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        keep_hostname (yes);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (no);
    };

    destination servers {
        file("/var/log/syslog-ng/hosts/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
             owner(root) group(staff) perm(0650) dir_perm(0750) create_dirs(yes));
    };
    destination teaneck {
        file("/var/log/syslog-ng/network/TEANECK/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
             owner(root) group(staff) perm(0650) dir_perm(0750) create_dirs(yes));
    };
    destination dslswitches {
        file("/var/log/syslog-ng/network/TEANECK/Dslswitches/$HOST_FROM/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
             owner(root) group(staff) perm(0650) dir_perm(0750) create_dirs(yes));
    };

    filter f_teaneck { netmask("132.238.11.0/24"); };
    filter f_usas { host("132.238.(7|8).*$"); };
    filter f_dslswitches { host("132.238.21.40"); };

    log { source(s_network); filter(f_usas); destination(servers); };
    log { source(s_network); filter(f_teaneck); destination(teaneck); };
    log { source(s_network); filter(f_dslswitches); destination(dslswitches); };
The netmask filters work but my host filters don't.
Please note that the host() filter checks the hostname portion of the syslog message and thus it may or may not have any connection with the sender IP address. The hostname can also be changed by syslog-ng, but as I see you have set keep_hostname() to yes, the hostname will be the name supplied by the original system, or if there was no name at all, syslog-ng will generate one based on its IP address. The netmask filter always checks the _sender_ IP address. If you have relays it almost certainly will be different from the end system. So to find out why your host() filter does not work, first you need to check what your $HOST field contains. If it really is an IP address, then you should check whether the regexp matches it.

-- Bazsi
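The distinction Bazsi draws, host() matching the hostname field of the message versus netmask() matching the address the datagram arrived from, can be checked offline. The following is an added illustration, not code from this thread and not syslog-ng's own implementation: it models the two filters and the $HOST / $HOST_FROM macros under keep_hostname(yes) and use_dns(yes), then runs the filters and log statements from the posted configuration over a few constructed messages (the sample payloads, the reverse-DNS table and the simplified hostname-detection heuristic are all assumptions made for the example). It also shows, beyond what the thread states, what the unescaped dots in the posted regexp match.

```python
"""Model of syslog-ng host() vs netmask() filtering (added example, not syslog-ng code)."""
import ipaddress
import re

# Constructed reverse-DNS table standing in for use_dns(yes) lookups, so it runs offline.
FAKE_PTR = {
    "132.238.7.20": "usas-db1",
    "132.238.7.21": "usas-web1",
    "132.238.11.5": "teaneck-relay",
    "132.238.21.40": "dslsw1",
}

# Filters and log statements exactly as in the posted configuration, same order.
FILTERS = {
    "f_teaneck": ("netmask", "132.238.11.0/24"),
    "f_usas": ("host", "132.238.(7|8).*$"),
    "f_dslswitches": ("host", "132.238.21.40"),
}
LOG_PATHS = [("f_usas", "servers"), ("f_teaneck", "teaneck"), ("f_dslswitches", "dslswitches")]

# BSD-syslog header: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG...
HEADER_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+)")

def parse_hostname(payload):
    """Hostname field of the message, or None when the token after the timestamp
    already looks like a TAG. Simplified stand-in for syslog-ng's own heuristic."""
    m = HEADER_RE.match(payload)
    if not m:
        return None
    token = m.group(1)
    if ":" in token or "[" in token:
        return None
    return token

def message_host(sender_ip, payload):
    """$HOST under keep_hostname(yes): the name the sender wrote, otherwise the
    sender IP literal, which is what the reply says syslog-ng generates."""
    return parse_hostname(payload) or sender_ip

def host_from(sender_ip):
    """$HOST_FROM: the last hop's address, resolved when use_dns(yes) can resolve it."""
    return FAKE_PTR.get(sender_ip, sender_ip)

def host_filter(pattern, host):
    """host(): unanchored regexp search over the $HOST field, not the sender address."""
    return re.search(pattern, host) is not None

def netmask_filter(cidr, sender_ip):
    """netmask(): CIDR test on the address the datagram arrived from."""
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(cidr, strict=False)

def route(sender_ip, payload):
    """Destinations the message reaches, evaluating each log statement in order."""
    host = message_host(sender_ip, payload)
    hits = []
    for filter_name, destination in LOG_PATHS:
        kind, arg = FILTERS[filter_name]
        matched = host_filter(arg, host) if kind == "host" else netmask_filter(arg, sender_ip)
        if matched:
            hits.append(destination)
    return hits

# Constructed samples: (address the packet came from, raw payload).
SAMPLE_MESSAGES = [
    ("132.238.7.20", "<13>Feb 12 15:33:01 132.238.7.20 sshd[1]: ip literal as hostname"),
    ("132.238.7.21", "<13>Feb 12 15:33:02 usas-web1 httpd[2]: dns name as hostname"),
    ("132.238.7.22", "<13>Feb 12 15:33:03 sshd[5]: no hostname field at all"),
    ("132.238.11.5", "<13>Feb 12 15:33:04 132.238.7.30 cron[3]: forwarded by a relay"),
    ("132.238.21.40", "<13>Feb 12 15:33:05 dslsw1 snmpd[4]: switch with a dns name"),
    ("132.238.80.9", "<13>Feb 12 15:33:06 132x238x7x9 kernel: unescaped dots match this"),
]

if __name__ == "__main__":
    for sender_ip, payload in SAMPLE_MESSAGES:
        print(f"from={sender_ip:14} $HOST={message_host(sender_ip, payload):14} "
              f"$HOST_FROM={host_from(sender_ip):14} -> {route(sender_ip, payload)}")
```

Running it shows the three situations from the reply: a message whose hostname field is a DNS name (usas-web1) reaches no destination although it came from 132.238.7.0/24, a message with no hostname field gets the sender IP as $HOST and is matched, and a relayed message matches f_teaneck by the relay's address while its $HOST still names the end system. The last sample shows that an unescaped `.` in the posted regexp is a single-character wildcard, so anchoring and escaping (`^132\.238\.(7|8)\.`) is needed if the intent is to match only those addresses.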