[syslog-ng] 1.5.26 vs 1.6.x and destination selection

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 12 Jan 2004 13:54:10 +0100


On Mon, 2004-01-12 at 04:30, T. wrote:
>   I am trying to get the 1.6 branch of syslog-ng to create log files based on a naming convention that worked (sort of) in 1.5.26 but no longer does.  Specifically, I have the following in my syslog-ng.conf:
> 
> destination d_netfilt { file ("/var/logser/$HOST/$YEAR/$MONTH/$DAY/netfilt.log"
>         owner(root) perm(0600) create_dirs(yes) ); };
> destination d_messages { file ("/var/adm/messages.$YEAR.$MONTH" owner(root) perm(0644) ); };
> 
> filter f_netfilt {
>         match(" netfilt\[0-9]+\]") or
>         program("netfilt");
>         };
> 
> source s_udp {  udp( port(514) ); };
> 
> log { source(s_udp); filter(f_netfilt); destination(d_netfilt); };
> log { destination(d_messages); flags(fallback, catchall); };
> 
> With syslog-ng 1.5.26, this sends messages matching "netfilt" received on UDP port 514 into /var/logser (albeit it doesn't correctly expand $HOST into the source of the message - it fills this in as the hostname of the machine on which syslog-ng is running).  With the 1.6 branch, however, running with the same config file and receiving messages from the same sources winds up dropping the logs down into the d_messages block.  This happened both with the release candidates and with the recent 1.6.1 branch.  I'm using libol 0.3.11 and running on Solaris 8 on Netra V120; both libol and syslog-ng were compiled using GCC 3.1 in 64-bit mode (-m64 -mcpu=ultrasparc -O3).  Can anyone help point me in the right direction of getting 1.6.1 to correctly match the source of the message and, perhaps, also identify $HOST properly?

Please try checking how those messages are formatted. syslog-ng might
have problems identifying the program part in those messages.

Either a tcpdump or an strace with large strings (-s 512) might help to
find the problem.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
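
The check suggested in the reply above, as an added example that is not part of the original message and is not syslog-ng's own parser: a simplified BSD-syslog header split applied to payloads copied from a capture, showing which token ends up as the program field and which value ends up as the host. The sample payloads, the sender address 192.0.2.10 and the function names are constructed for illustration, and the program() filter is modelled as a regex search on the parsed tag.

```python
import re

# Simplified BSD-syslog (RFC 3164 style) header parsing; NOT syslog-ng's parser.
PRI = re.compile(r"^<(\d{1,3})>")
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
TAG = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?:? ?")

def parse_bsd_syslog(payload, sender_ip):
    """Split one UDP payload into pri, host, program, pid and message."""
    rest, pri, host = payload, None, sender_ip
    m = PRI.match(rest)
    if m:
        pri, rest = int(m.group(1)), rest[m.end():]
    m = TIMESTAMP.match(rest)
    if m:
        rest = rest[m.end():]
        # A hostname can only follow a timestamp; a token that looks like
        # "prog[pid]:" or "prog:" is the tag, so the host was omitted.
        first, sep, tail = rest.partition(" ")
        if sep and not first.endswith(":") and "[" not in first:
            host, rest = first, tail
    m = TAG.match(rest)
    program, pid = (m.group(1), m.group(2)) if m else (None, None)
    return {"pri": pri, "host": host, "program": program, "pid": pid,
            "msg": rest[m.end():] if m else rest}

def program_matches(payload, pattern, sender_ip="192.0.2.10"):
    """Model of a program("...") filter: regex search on the parsed tag only."""
    program = parse_bsd_syslog(payload, sender_ip)["program"]
    return bool(program and re.search(pattern, program))

# Constructed payloads, as they might be copied out of a packet capture.
SAMPLES = [
    "<134>Jan 12 04:30:01 fw1 netfilt[1234]: DROP IN=eth0",    # full header
    "<134>Jan 12 04:30:01 netfilt[1234]: DROP IN=eth0",        # no hostname
    "<134>netfilt[1234]: DROP IN=eth0",                        # no timestamp
    "<134>Jan 12 04:30:01 fw1 kernel: netfilt: DROP IN=eth0",  # name in body
]

if __name__ == "__main__":
    for s in SAMPLES:
        p = parse_bsd_syslog(s, "192.0.2.10")
        print(p["host"], p["program"], p["pid"], program_matches(s, "netfilt"))
```

In the last sample the string "netfilt" is present in the message but the parsed program is "kernel", so a filter on the program field alone would not select it.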