On Mon, Oct 03, 2005 at 10:41:22AM +1300, Jason Haar wrote:
catenate wrote:
Has anyone any idea about this? It looks to me that regexes don't work on the "host()" options at all. I have mine set to a regex, and it's capturing all sorts of traffic from other syslog clients that don't match :-(
Remove the backslashes before the hyphens - you'd only need to do that inside a character class, e.g. [a-z\-] to match any of a through z and hyphen. Outside a character class it means itself (or if it's the first character in a character class and not escaped, like this [-a-z]).
Didn't help, I'm afraid. I've got
But it was still an incorrect regexp.
host ("-ids-")
and it's still picking up data from boxes that don't contain "-ids-" in their hostname.
One thing I didn't mention is that all the incorrect hosts being picked up have their syslogs "routed" through another syslog-ng server running on a host that does match "-ids-". Could that be a cause?
So what do the log entries look like, do you have chained hostnames or is it replaced with the relaying host? Paste in a couple entries that are logged incorrectly.

--
Nate

"Man is the only animal that blushes. Or needs to." - Samuel Clemens
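
Added example, not part of the thread: a Python sketch of the question asked in the last reply, showing how an unanchored "-ids-" pattern behaves when a relayed client's host field is kept, chained, or replaced by the relay's name. The hostnames, the three relayed forms and the "/" separator are constructed assumptions, and Python's re module stands in for syslog-ng's own regex engine.

```python
import re

# Constructed HOST values as the final server might see them. The three
# "via relay" forms are assumptions about how a relay can present the field.
SAMPLES = {
    "direct from web01": "web01",
    "direct from dmz-ids-01": "dmz-ids-01",
    "web01 via relay, original name kept": "web01",
    "web01 via relay, chained": "web01/dmz-ids-01",
    "web01 via relay, replaced by relay name": "dmz-ids-01",
}

def host_matches(pattern, host):
    # Unanchored search: the pattern may match anywhere in the host field.
    return re.search(pattern, host) is not None

def originating_host(host):
    # For a chained value "origin/relay" ('/' assumed), keep only the origin.
    return host.split("/", 1)[0]

def classify(pattern, on_origin=False):
    # Map each sample label to whether the filter pattern would select it.
    result = {}
    for label, host in SAMPLES.items():
        value = originating_host(host) if on_origin else host
        result[label] = host_matches(pattern, value)
    return result

def same_class(a, b, text):
    # Two character classes agree on `text` if they find the same runs.
    return re.findall(a, text) == re.findall(b, text)

if __name__ == "__main__":
    # Escaped and unescaped hyphens outside a character class select the same hosts.
    for pattern in ("-ids-", r"\-ids\-"):
        print(pattern, classify(pattern))
    # Matching only the originating element drops the chained false positive,
    # but cannot help once the relay has replaced the name outright.
    print("origin only:", classify("-ids-", on_origin=True))
    print(same_class(r"[a-z\-]+", r"[-a-z]+", "dmz-ids-01 web01"))
```

Comparing the host field of a few wrongly captured entries against these three forms shows which case applies.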