catenate wrote:
Has anyone any idea about this? It looks to me that regexes don't work on the "host()" option at all. I have mine set to a regex, and it's capturing all sorts of traffic from other syslog clients that don't match :-(
Remove the backslashes before the hyphens - you'd only need to do that inside a character class, e.g. [a-z\-] to match any of a through z and hyphen. Outside a character class it means itself (or if it's the first character in a character class and not escaped, like this [-a-z]).
Didn't help I'm afraid. I've got host("-ids-") and it's still picking up data from boxes that don't contain "-ids-" in their hostname.

One thing I didn't mention is that all the incorrect hosts being picked up have their syslogs "routed" through another syslog-ng server running on a host that does match "-ids-". Could that be a cause? i.e.

hostname.my.network -- syslog-ng ---> host-ids-01.my.network -- syslog-ng --> my.central.syslog.server

and my.central.syslog.server is logging entries from hostname.my.network as if it matches host("-ids-"). This is a bit of an issue as it means I've ended up with records being recorded incorrectly 2-4 times - I'm running out of disk space! (around 15G a week now when it should be 5G)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
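The relay chain Jason describes, written out as syslog-ng configuration for both hops. This is an added example, not configuration from the thread. Two syslog-ng behaviours are relevant to what he sees: the global option keep_hostname() defaults to no, so each hop overwrites the HOST field with the name it resolves for the IP the message arrived from, which means every message relayed through host-ids-01 reaches the central server labelled as host-ids-01 and the unanchored host("-ids-") regex matches it; and chain_hostnames(yes) instead yields "host-ids-01/hostname.my.network", which also contains "-ids-". The hostnames are the ones from the post; the ports, the source, destination and filter names, and the log file path are assumptions.

```conf
# Added example, not configuration from the thread. Hostnames are the ones
# from the post; ports, object names and file paths are assumptions.

# ---- File 1: syslog-ng.conf on the relay, host-ids-01.my.network ----
options {
    # Default is keep_hostname(no): the HOST field is replaced with the name
    # resolved for the sending IP, so everything forwarded from here would be
    # labelled host-ids-01 downstream. Keep the original sender's hostname.
    keep_hostname(yes);
    # chain_hostnames(yes) would produce "host-ids-01/hostname.my.network",
    # which also contains "-ids-" and would match the central filter.
    chain_hostnames(no);
};

source s_relay_in { udp(port(514)); };            # port is an assumption
destination d_central { udp("my.central.syslog.server" port(514)); };
log { source(s_relay_in); destination(d_central); };

# ---- File 2: syslog-ng.conf on my.central.syslog.server ----
source s_net { udp(port(514)); };
# host() takes an unanchored regex: "-ids-" matches any HOST value that
# contains that substring, whether or not it is the box that sent the packet.
filter f_ids { host("-ids-"); };
destination d_ids { file("/var/log/ids/$HOST.log"); };   # path is an assumption
log { source(s_net); filter(f_ids); destination(d_ids); };
```

A quick check on the central server is to look at the HOST field of a line that should not have matched: if it reads host-ids-01 (or host-ids-01/hostname.my.network) rather than hostname.my.network, the relay rewrote it before the filter ever ran, and the filter itself is behaving as documented.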