Nate Campi wrote:
host ("-ids-")
and it's still picking up data from boxes that don't contain "-ids-" in their hostname.
One thing I didn't mention is that all the incorrect hosts being picked up have their syslogs "routed" through another syslog-ng server running on a host that does match "-ids-". Could that be a cause?
So what do the log entries look like? Do you have chained hostnames, or is the hostname replaced with that of the relaying host?
Paste in a couple entries that are logged incorrectly.
OK, but I don't have the hostnames in the content - I have them in the directory name instead - see below. I have "keep_hostname (no)" set (and yes, I know... - but wait). I have (1)

    destination d_dir_messages {
        file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY/raw"
             template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n"));
    };
    log { source(s_local); destination(d_local_messages); };

And in the directories created, $HOST is converted into the hostname of the original syslog client - irrespective of whether or not it was "gatewayed" via an intermediary syslog-ng server (exclusively from syslog-ng over TCP, if that makes a difference).

I also have (2)

    destination d_dir_IDS {
        file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY/IDS-logs"
             template("$R_ISODATE $MESSAGE\n"));
    };
    filter f_process_IDS { host("-ids-") and not host("xx-ids-02.my.net"); };
    log { source(s_local); filter(f_process_IDS); destination(d_dir_IDS); };

In the case of (2), I am seeing IDS-logs files from hosts that don't match the f_process_IDS filter. It has been mentioned that "keep_hostname" could be the cause, but I have tried that with it set to "no" and "yes" and it has made no difference - I still see the wrong hosts being matched.

Your comment about chained hostnames makes me wonder if the HOST variable is different when used in a directory/file context than when it's part of a template definition?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
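The following is an added diagnostic example for the chained-hostname question raised above; it is not code from the thread or from syslog-ng. It mimics the semantics of the host() filter (an unanchored regular-expression search over the HOST value) and runs the f_process_IDS logic over constructed log lines laid out like the "$R_ISODATE $HOST $FACILITY $PRIORITY $MSG" template. Assumptions, also marked in the code: the hostnames are invented, and a relay that chains hostnames joins them with "/" as "relay/origin". Because the side the relay name lands on depends on the syslog-ng version, the report lists every chain component that matched the pattern instead of trusting the order; the "origin only" variant shows what the filter would select if applied to the original client's name alone.

```python
"""Diagnose why a syslog-ng host("-ids-") filter selects a relayed message.

Added example, not from the mailing-list thread. Assumptions:
  * SAMPLE_LINES are constructed here in the layout of the template
    "$R_ISODATE $HOST $FACILITY $PRIORITY $MSG"; hostnames are invented;
  * a relay that chains hostnames writes HOST as "relay/origin".
syslog-ng's host() filter is an unanchored regex search, so "-ids-"
matches anywhere in HOST, including inside a relay's own name.
"""
import re

SAMPLE_LINES = [
    # direct from an IDS sensor: should be selected
    "2008-03-04T10:00:01+13:00 xx-ids-01.my.net auth notice snort[1234]: alert one",
    # direct from the sensor that the filter explicitly excludes
    "2008-03-04T10:00:02+13:00 xx-ids-02.my.net auth notice snort[1235]: alert two",
    # relayed through xx-ids-01 with chained hostnames; the origin is web01
    "2008-03-04T10:00:03+13:00 xx-ids-01.my.net/web01.my.net daemon info httpd[42]: GET /",
    # plain host, no IDS anywhere in the chain
    "2008-03-04T10:00:04+13:00 web02.my.net cron info CRON[7]: job done",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<facility>\S+)\s+"
                     r"(?P<priority>\S+)\s+(?P<msg>.*)$")


def parse_line(line):
    """Split one line written by the template into its fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not in the expected template layout: %r" % line)
    return m.groupdict()


def host_chain(host):
    """Components of a possibly chained HOST value ("relay/origin")."""
    return host.split("/")


def host_filter(pattern, host):
    """Mimic syslog-ng host(): unanchored regex search over the whole HOST."""
    return re.search(pattern, host) is not None


def matching_components(pattern, host):
    """Which components of the chain the pattern actually hit."""
    return [c for c in host_chain(host) if re.search(pattern, c)]


def origin_host(host):
    # Assumption: the original client is the last component of the chain.
    return host_chain(host)[-1]


def process_ids_filter(host, include="-ids-", exclude="xx-ids-02.my.net"):
    """f_process_IDS as posted: host("-ids-") and not host("xx-ids-02.my.net")."""
    return host_filter(include, host) and not host_filter(exclude, host)


def strict_ids_filter(host, include="-ids-", exclude="xx-ids-02.my.net"):
    """The same logic applied to the origin component only."""
    origin = origin_host(host)
    return host_filter(include, origin) and not host_filter(exclude, origin)


def triage(lines, include="-ids-", exclude="xx-ids-02.my.net"):
    """One row per line: what the filter selected and which component caused it."""
    report = []
    for line in lines:
        host = parse_line(line)["host"]
        report.append({
            "host": host,
            "selected_by_filter": process_ids_filter(host, include, exclude),
            "matched_components": matching_components(include, host),
            "selected_by_origin": strict_ids_filter(host, include, exclude),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

The third row is the case that matters: the filter selects the line, and the only component carrying "-ids-" is the relay's name, while the origin-only variant rejects it. Whether that is what happens in the real setup depends on what the relay puts into HOST, which is exactly the "what do the entries look like" question asked above; templating the raw HOST value next to the directory path for a few relayed messages is the quickest way to compare the two.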