[syslog-ng]1.5.26 vs 1.6.x and destination selection
T.
syslog-ng@lists.balabit.hu
Mon, 12 Jan 2004 15:00:21 -0500 (EST)
Hi, Bazsi. Thanks for writing back. Here's what I'm seeing:
0: 0003 ba10 8f5b 0001 81ff d8ad 0800 4500 .....[........E.
16: 00a5 8018 0000 fc11 7b85 0a64 6303 0a40 ......ü.{..dc..@
32: 4b03 042d 0202 0091 0736 3c31 3636 3e4a K..-.....6<166>J
48: 616e 2031 3220 3230 3034 2031 393a 3336 an 12 2004 19:36
64: 3a35 313a 2025 4657 534d 2d36 2d33 3032 :51: %FWSM-6-302
80: 3030 363a 2054 6561 7264 6f77 6e20 5544 006: Teardown UD
96: 5020 636f 6e6e 6563 7469 6f6e 2066 6f72 P connection for
112: 2066 6164 6472 2031 302e 3130 302e 3832 faddr 10.100.82
128: 2e39 2f33 3738 3638 2067 6164 6472 2031 .9/37868 gaddr 1
144: 302e 3230 2e33 302e 3631 2f35 3320 6c61 0.20.30.61/53 la
160: 6464 7220 3130 2e32 302e 3330 2e36 312f ddr 10.20.30.61/
176: 3533 0a 53.
In this case, the filter that I expect to pick it up is:
filter f_fwsm_misc {
    match(" \%FWSM-") and
    match(": (Teardown|Translation|Built)");
};
log { source(s_udp); filter(f_fwsm_misc); destination(d_netfilt); };
log { destination(d_messages); flags(fallback, catchall); };
This works OK in 1.5.26 (i.e. the message above gets written to d_netfilt) but not 1.6.0rc4 or 1.6.1 (it's written to d_messages). I wouldn't always expect program() to work well for remote hosts, but the match() filter seems like it should. Also, I can't tell if $HOST is now being correctly interpreted in 1.6.1 because the message is being written to the wrong place :-) I can say that it does seem to work correctly for other syslog-ng hosts (which I have set up to use TCP); it's primarily the UDP transport that seems to be having problems.
Thanks again for any help you might be able to offer.
--- On Mon 01/12, Balazs Scheidler <bazsi@balabit.hu> wrote:
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
To: syslog-ng@lists.balabit.hu
Date: Mon, 12 Jan 2004 13:54:10 +0100
Subject: Re: [syslog-ng]1.5.26 vs 1.6.x and destination selection
Please try checking how those messages are formatted. syslog-ng might
have problems identifying the program part in those messages.

Either a tcpdump or an strace with large strings (-s 512) might help to
find the problem.
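Added illustration, not code from this thread or from syslog-ng itself: the Python below rebuilds the UDP payload from the tcpdump hex above, runs it through a strict RFC 3164 header split, and then applies the two match() patterns of f_fwsm_misc to what is left. The strict header regex, the sshd contrast line and the reading of \% as a literal percent sign are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# tcpdump -x style hex dump copied from the post above (offset, then up to 16 bytes).
FWSM_DUMP = """
0: 0003 ba10 8f5b 0001 81ff d8ad 0800 4500
16: 00a5 8018 0000 fc11 7b85 0a64 6303 0a40
32: 4b03 042d 0202 0091 0736 3c31 3636 3e4a
48: 616e 2031 3220 3230 3034 2031 393a 3336
64: 3a35 313a 2025 4657 534d 2d36 2d33 3032
80: 3030 363a 2054 6561 7264 6f77 6e20 5544
96: 5020 636f 6e6e 6563 7469 6f6e 2066 6f72
112: 2066 6164 6472 2031 302e 3130 302e 3832
128: 2e39 2f33 3738 3638 2067 6164 6472 2031
144: 302e 3230 2e33 302e 3631 2f35 3320 6c61
160: 6464 7220 3130 2e32 302e 3330 2e36 312f
176: 3533 0a
"""

# Constructed contrast line in the classic BSD layout (not from the thread).
SAMPLE_BSD = b"<38>Jan 12 19:36:51 fw01 sshd[4242]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2\n"

# RFC 3164 header layout "Mmm dd hh:mm:ss HOST PROGRAM[pid]: MSG" (an assumption of this
# example; real syslog daemons are usually more lenient than this).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The two match() patterns of f_fwsm_misc, with \% read as a literal percent sign.
FILTER_PATTERNS = [re.compile(r" %FWSM-"), re.compile(r": (Teardown|Translation|Built)")]


@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: Optional[str]
    host: Optional[str]
    program: Optional[str]
    msg: str


def dump_to_bytes(dump: str) -> bytes:
    """Turn an 'offset: xxxx xxxx ...' hex dump back into the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def udp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 (honouring IHL and total length) and UDP headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    if ip[9] != 17:
        raise ValueError("not a UDP datagram")
    udp = ip[ihl:total_len]
    udp_len = int.from_bytes(udp[4:6], "big")
    return udp[8:udp_len]


def parse_bsd_syslog(payload: bytes) -> Parsed:
    """Split off PRI, then try the strict BSD header; on failure keep everything as MSG."""
    text = payload.decode("ascii", errors="replace").rstrip("\n")
    m = re.match(r"<(\d{1,3})>", text)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI")
    pri = int(m.group(1))
    rest = text[m.end():]
    h = HEADER_RE.match(rest)
    if h:
        return Parsed(pri >> 3, pri & 7, h["ts"], h["host"], h["prog"], h["msg"])
    # Non-standard header (here: a year and a trailing colon in the timestamp, no hostname):
    # nothing can reliably be called HOST or PROGRAM, so the whole remainder is the message.
    return Parsed(pri >> 3, pri & 7, None, None, None, rest)


def fwsm_filter_matches(text: str) -> bool:
    """True when every pattern of f_fwsm_misc finds a match (match() terms are ANDed)."""
    return all(p.search(text) for p in FILTER_PATTERNS)


if __name__ == "__main__":
    for payload in (udp_payload(dump_to_bytes(FWSM_DUMP)), SAMPLE_BSD):
        p = parse_bsd_syslog(payload)
        print(f"facility={p.facility} severity={p.severity} host={p.host!r} "
              f"program={p.program!r} f_fwsm_misc={fwsm_filter_matches(p.msg)}")
        print("  msg:", p.msg)
```

Run as a script it prints both parses: the FWSM line comes out with no HOST and no PROGRAM, because "Jan 12 2004 19:36:51:" is not the "Mmm dd hh:mm:ss" layout a BSD-style header parser expects, while both filter patterns do match the text. That separates the two questions in the thread: whether the regexes match the message, and where the daemon's header parsing puts the boundary that the filter is applied to.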