[syslog-ng] Weird behavior

Nathaniel Couper-Noles ncoupern@paris.uchicago.edu
Wed, 21 Jul 1999 19:05:15 -0500 (CDT)


I have set up syslog-ng version 1.1.27 on an i386 running a (nearly) pure
Debian Linux 2.1 install, libol version 0.2.

This machine is being used to collect logs sent from NT machines running a
program called EventSlog. I am trying to use the match() function to
direct logs containing the string "/Security (" to a file bob.security,
logs containing the string "/Applications (" to a file bob.app, logs
containing the string "/SYSTEM (" to a file called bob.system, and logs
that contain none of these strings to a file called bob.misc.

My first attempt at this is in the first attachment to this document.  It
erred by redirecting all of the logs (all of the input to port 514) to
each of the three files bob.app, bob.security, and bob.system.  bob.misc
was empty.

Figuring perhaps that multiple filters aren't and'ed together in a log
statement, I then wrote the conditional statements inside the filters, 
as in the second attachment to this email.  This setup erred in the same
way. 

I noticed also that the appropriately syntaxed configurations would
behave similarly using syslog-ng version 1.2.23 and libol 0.1.19.

Am I misusing the match() call?  Or perhaps the logical connectors?

Thanks for a great program! 

PS if there is a syntactical error in the files it is because I copied
them wrong...syslog-ng always ran without explicit error...

PPS I noticed the version-printing command line option syslog-ng -V does
not work...though it is listed in the man page.

_______________________________________________
Nathaniel Couper-Noles
Department of Information Technology

School of Social Administration
University of Chicago






[Attachment: syslog-ng.conf.first (Example #1)]
[Attachment: syslog-ng.conf.second (Example #2)]