Here are some recent logs.

May 8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net postfix/smtp[22079]: [ID 197553 mail.info] BBBF66CB1E: to=<b.smith@nodomain.net>, relay=192.168.12.1[192.168.12.1]:25, delay=0.48, delays=0.31/0.02/0.01/0.14, dsn=2.6.0, status=sent (250 2.6.0 <B7C2C6BA798F3C4DBDD78BEDC1F8AD5732046E44@ns2.someotherdomain.com> Queued mail for delivery)
May 8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net postfix/smtp[22079]: [ID 197553 mail.info] BBBF66CB1E: to=<m.jackson@nodomain.net>, relay=192.168.12.1[192.168.12.1]:25, delay=0.48, delays=0.31/0.02/0.01/0.14, dsn=2.6.0, status=sent (250 2.6.0 <B7C2C6BA798F3C4DBDD78BEDC1F8AD5732046E44@ns2.someotherdomain.com> Queued mail for delivery)
May 8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net postfix/smtp[22079]: [ID 197553 mail.info] BBBF66CB1E: to=<r.lindsay@nodomain.net>, relay=192.168.12.1[192.168.12.1]:25, delay=0.48, delays=0.31/0.02/0.01/0.14, dsn=2.6.0, status=sent (250 2.6.0 <B7C2C6BA798F3C4DBDD78BEDC1F8AD5732046E44@ns2.someotherdomain.com> Queued mail for delivery)
May 8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net postfix/qmgr[13267]: [ID 197553 mail.info] BBBF66CB1E: removed

I *believe* the double hostname is due to chain_hostnames=yes? Don't remember.

Regards,
.vp
From: Sandor.Geller@morganstanley.com
To: syslog-ng@lists.balabit.hu
Date: Thu, 8 May 2008 18:05:28 +0100
Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended
Hi,
My problems lie with the other filters, the ones at the end:
filter F_edge { host("edge*") or host("122.21.*"); };
filter F_router { host("gw*") or host("rtr") or host("mmsc"); };
filter F_switch { host("sw*") or host("sw1") or host("sw2"); };
filter F_firewall { host("^fw*") or host("^mlm*-*") or host("^cm*"); };
filter F_dc { host("^mydc*") or host("^dc*"); };
filter F_accesspoints { host("^melanie*"); };
filter F_mailservers { host("^mail*") or host("^smtpgw*"); };
filter F_proxies { host("^proxygw*"); };
filter F_InternetIP { host("161.17.10.*"); };
The above, based on the filter rule for F_mailservers, should place anything coming in from a host named mailserver1 or smtpgw1 into destination D_mailservers, which in turn should save logs into a file named /var/log/MyHosts/MailServers/$FULLHOST.log. Instead I find those logs in /var/log/MyHosts/Switches/$FULLHOST.log (which is really /var/log/MyHosts/Switches/mailserver1.mycorp.net/mailserver1.mycorp.net.log).
It would be nice to see at least a log entry from the file. BTW how did the hostname appear twice in the destination filename? Either I overlooked something or you're not using exactly the same config you sent.
I need to figure out a way to write the differences for hosts that begin with pattern xxx (^xxx)? and those with xxx at the end (*xxx) and those with xxx in the middle (*xxx)?, and for the life of me, I can't figure out why the above is sending into Switches :-(
You have anchors in your filter regexps already. "^xxx", "xxx$", ".xxx." are what you need if I understand you correctly.
Regards,
Sandor
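An added example, not part of the thread: a small Python simulation of the filter rules above, showing why a host() pattern such as "sw*" also catches mailserver1 and how anchoring it as "^sw" fixes the routing. It assumes syslog-ng reads the host() argument as a POSIX regular expression rather than a shell glob, so "sw*" means "an s followed by zero or more w anywhere in the hostname"; re.search reproduces that (unanchored unless ^ or $ is present), and the hostname smtpgw1.mycorp.net is constructed from the F_mailservers rule.

```python
import re

# Filter rules as posted in the thread.  This example assumes the host()
# argument is a POSIX regex, not a glob, and simulates the match with
# re.search, which is likewise unanchored unless ^ or $ is written.
ORIGINAL = [
    ("F_edge",         ["edge*", "122.21.*"]),
    ("F_router",       ["gw*", "rtr", "mmsc"]),
    ("F_switch",       ["sw*", "sw1", "sw2"]),
    ("F_firewall",     ["^fw*", "^mlm*-*", "^cm*"]),
    ("F_dc",           ["^mydc*", "^dc*"]),
    ("F_accesspoints", ["^melanie*"]),
    ("F_mailservers",  ["^mail*", "^smtpgw*"]),
    ("F_proxies",      ["^proxygw*"]),
    ("F_InternetIP",   ["161.17.10.*"]),
]

def prefix_regex(glob):
    """Rewrite a glob-style 'xxx*' (a leading ^ is tolerated) into the
    anchored prefix regex '^xxx' suggested in the reply; an interior '*'
    becomes '.*' and regex metacharacters such as '.' are escaped."""
    body = glob.lstrip("^").rstrip("*")
    return "^" + ".*".join(re.escape(part) for part in body.split("*"))

# The same rules with every pattern rewritten as an anchored prefix regex.
FIXED = [(name, [prefix_regex(p) for p in pats]) for name, pats in ORIGINAL]

def matching_filters(host, filters):
    """Names of every filter whose host() pattern matches this $FULLHOST."""
    return [name for name, pats in filters
            if any(re.search(p, host) for p in pats)]

def first_match(host, filters):
    """The filter that wins if log paths are tried in this order and the
    first matching path is final (the 'first rule' behaviour in the subject)."""
    matches = matching_filters(host, filters)
    return matches[0] if matches else None

if __name__ == "__main__":
    # mailserver1 and sw1 come from the thread; smtpgw1 is constructed.
    for host in ("mailserver1.mycorp.net", "smtpgw1.mycorp.net", "sw1.mycorp.net"):
        print(host, "original:", matching_filters(host, ORIGINAL),
              "fixed:", matching_filters(host, FIXED))
```

With the original rules mailserver1 matches F_switch (the "s" in its name) before F_mailservers, and smtpgw1 would even land in F_router via "gw*"; with the anchored rules each host matches only its intended filter.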