On Mon, 2005-10-17 at 12:40 +1300, Jason Haar wrote:
> Hi there
> I brought this up a couple of weeks ago ("How does regex work with HOST definitions?") and I now think it's a bug.
> Basically if you call HOST as part of a template call such as:
> template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")
> or
> file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY")
> then HOST is *the first syslog client* sending the syslog record (assuming keep_hostname is set). i.e. HOST might be the actual client that physically sent the record - or it might be the client gatewayed through a previous syslog server.
> However, if you are referring to the remote syslog client via a regex in a filter, such as
> filter f_process_TIBS { host("-ids-") }
> then it appears that "host" is literally *the last syslog client* - instead of *the first syslog client*. e.g. if you have a syslog client (clientA) that forwards to serverB, and serverB forwards to serverC, then for a particular clientA record, HOST on serverC is "clientA", but "host" refers to "serverB".

I don't see how this could be the case. $HOST is expanded to the same value as is used for host() filtering, more specifically "struct log_info->host".

Filtering:

    static int do_filter_host(struct filter_expr_node *c,
                              struct log_filter *rule UNUSED,
                              struct log_info *log)
    {
      CAST(filter_expr_re, self, c);

      return (!regexec(&self->regex, (char *) log->host->data, 0, NULL, 0)) ^ c->comp;
    }

Macro expansion:

    case M_HOST: { /* host */
      struct ol_string *host = (id == M_HOST ? msg->host : msg->host_from);
      UINT8 *p1;
      UINT8 *p2;
      int remaining;

      p1 = memchr(host->data, '@', host->length);
      if (p1)
        p1++;
      else
        p1 = host->data;
      remaining = host->length - (p1 - host->data);
      p2 = memchr(p1, '/', remaining);
      if (p2) {
        length = LIBOL_MIN((unsigned int) (p2 - p1), *left);
      }
      else {
        length = LIBOL_MIN(*left, (unsigned int) (host->length - (p1 - host->data)));
      }
      length = append_string(dest, left, (char *) p1, length, escape);
      break;
    }

The long code in the macro expansion does nothing but strip off everything before '@' and after the first '.' (but there's $FULLHOST which does not do this)

-- 
Bazsi
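
The two code paths quoted in the reply above, side by side, as an added example that is not syslog-ng code and not part of the original thread: a standalone C program that runs a host() style regex over the whole stored host string and applies the M_HOST trimming on '@' and '/' to the same string. The function names and the host values are assumptions constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Filter path: like do_filter_host(), match the regex against the whole
 * stored host string. Returns 1 on match, 0 on no match, -1 on bad regex. */
int host_filter_matches(const char *pattern, const char *host)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, host, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Macro path: like the M_HOST case, skip up to and including the first '@',
 * then stop at the first '/'. Output is NUL-terminated; returns bytes written. */
size_t host_macro_expand(const char *host, char *out, size_t outsz)
{
    size_t hlen = strlen(host), len;
    const char *p1 = memchr(host, '@', hlen), *p2;

    if (outsz == 0)
        return 0;
    p1 = p1 ? p1 + 1 : host;
    len = hlen - (size_t)(p1 - host);
    p2 = memchr(p1, '/', len);
    if (p2)
        len = (size_t)(p2 - p1);
    if (len > outsz - 1)          /* truncate instead of overrunning out */
        len = outsz - 1;
    memcpy(out, p1, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed host values, not taken from the thread. */
    const char *hosts[] = { "clientA", "src@clientA/gw-ids-1", "gw-ids-1" };
    char buf[64];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        host_macro_expand(hosts[i], buf, sizeof buf);
        printf("%-22s $HOST=%-10s host(\"-ids-\")=%d\n", hosts[i], buf,
               host_filter_matches("-ids-", hosts[i]));
    }
}
```

For the constructed value src@clientA/gw-ids-1 the macro path yields clientA while the "-ids-" filter still matches, because the regex is run over the untrimmed string.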