syslog-ng and host() filters regex problem
hello, I have a problem with syslog-ng and host() filters regex. I need to sort out logs coming from different source addresses in various files, so I started with this configuration:

filter f_cp_ { host("10.28.88.4"); };
[10 similar host filters]
filter f_pix_1 { host("10.29.42.3"); };

for every filter I defined a file destination and a log statement like this one:

log { source(s_udp); filter(f_pix_1); destination(nfs_pix_1); };

This configuration works as expected, but since logs might come from other IP addresses which don't have to get mixed up (eg 10.28.88.41 matches the first filter but shouldn't) I'd like to use a regexp in the host file; I tried just by adding a $ at the end of the IP, like this:

filter f_cp_dl380 { host("10.28.88.4$"); };
[10 similar host filters]
filter f_pix_1VF { host("10.29.42.3$"); };

After sending a HUP to the process syslog-ng stops writing input packets to the various log files. Just removing the $ after the ip address and sending another HUP to the server restores functionality. I also tried with a full IP regexp, as found in another post on the list (host("^10\.28\.88\.4$")) but the result is the same. I also tried upgrading my syslog-ng from 1.6.2 to 1.6.8 but nothing changed.

It seems like the config parser is somehow unable to manage more than a handful of host regexps correctly. I can provide full configuration files if needed.

thanks for the help,
Stefania
On Mon, 2005-07-18 at 23:22 +0200, syslog-ng wrote:
hello, I have a problem with syslog-ng and host() filters regex. I need to sort out logs coming from different source addresses in various files, so I started with this configuration:
filter f_cp_ { host("10.28.88.4"); }; [10 similar host filters] filter f_pix_1 { host("10.29.42.3"); };
for every filter I defined a file destination and a log statement like this one:
log { source(s_udp); filter(f_pix_1); destination(nfs_pix_1); };
This configuration works as expected, but since logs might come from other IP addresses which don't have to get mixed up (eg 10.28.88.41 matches the first filter but shouldn't) I'd like to use a regexp in the host file; I tried just by adding a $ at the end of the IP, like this:
filter f_cp_dl380 { host("10.28.88.4$"); }; [10 similar host filters] filter f_pix_1VF { host("10.29.42.3$"); };
After sending a HUP to the process syslog-ng stops writing input packets to the various log files. Just removing the $ after the ip address and sending another HUP to the server restores functionality. I also tried with a full IP regexp, as found in another post on the list (host("^10\.28\.88\.4$")) but the result is the same. I also tried upgrading my syslog-ng from 1.6.2 to 1.6.8 but nothing changed.
It seems like the config parser is somehow unable to manage more than a handful of host regexps correctly.
It should not matter how many filter regexps you have, they work independently, and there is nothing in syslog-ng that depends on their number.

I'd say that either the hostname is not something that you expect it to be (try outputting the hostname enclosed in some characters, like template('[$HOST]\n'), and see if there is a trailing space or something). The other problem might be that you are not escaping correctly, for example you need a double backslash to protect the dot, as syslog-ng uses C style escaping, not shell style, e.g. you need:

host("^10\\.28\\.88\\.44$");

I agree that this format is not ideal, but changing this would require changing the configuration format, which is another issue.

--
Bazsi
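The matching behaviour discussed in this thread, as an added example that is not part of either post and is not syslog-ng code: it shows which host values each pattern variant selects once a string escape pass has run. Assumptions: `c_unescape` is a simplified stand-in for C-style escaping (a backslash is consumed and the next character kept), host() is modelled as an unanchored regex search, and the host values are constructed samples.

```python
import re

def c_unescape(text):
    """Simplified model of C-style string escaping (assumption, not
    syslog-ng's lexer): a backslash is consumed and the following
    character is kept literally, so two backslashes yield one."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def matching_hosts(config_string, hosts):
    """Hosts selected by host("<config_string>"), modelled as an
    unanchored regex search over the unescaped pattern."""
    pattern = re.compile(c_unescape(config_string))
    return [h for h in hosts if pattern.search(h)]

# Constructed sample host values: the intended sender, a neighbour that
# shares the prefix, a longer first octet, a value with a trailing
# space, and a hostname-like string with no dots at all.
HOSTS = ["10.28.88.4", "10.28.88.41", "110.28.88.4", "10.28.88.4 ", "10-28-88-4"]

# Pattern strings exactly as they would be typed between the quotes.
VARIANTS = [
    r"10.28.88.4",          # original filter
    r"10.28.88.4$",         # end anchor only
    r"^10\.28\.88\.4$",     # single backslash, lost in the escape pass
    r"^10\\.28\\.88\\.4$",  # double backslash, dot stays literal
]

if __name__ == "__main__":
    for variant in VARIANTS:
        print(f"{variant!r:28} -> {matching_hosts(variant, HOSTS)}")
```

Under these assumptions no anchored variant selects the value with the trailing space, which is the case the bracketed `[$HOST]` template is meant to expose.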
participants (2): Balazs Scheidler, syslog-ng