[syslog-ng]1.5.26 vs 1.6.x and destination selection
T.
syslog-ng@lists.balabit.hu
Tue, 13 Jan 2004 22:21:33 -0500 (EST)
Interesting point. I tried with check_hostnames() set to either yes or no but with little success. I also tried use_fqdn() as well as taking out my bad_hostname() restrictions. I'll try to document some of the different use cases if I get a few moments free.
--- On Mon 01/12, Balazs Scheidler < bazsi@balabit.hu > wrote:
From: Balazs Scheidler [mailto: bazsi@balabit.hu]
To: syslog-ng@lists.balabit.hu
Date: Mon, 12 Jan 2004 21:41:11 +0100
Subject: Re: [syslog-ng]1.5.26 vs 1.6.x and destination selection
On Mon, 2004-01-12 at 21:00, T. wrote:<br>> Hi, Baszi. Thanks for writing back. Here's what I'm seeing:<br>> <br>> 0: 0003 ba10 8f5b 0001 81ff d8ad 0800 4500 .....[........E.<br>> 16: 00a5 8018 0000 fc11 7b85 0a64 6303 0a40 .......{..dc..@<br>> 32: 4b03 042d 0202 0091 0736 3c31 3636 3e4a K..-.....6<166>J<br>> 48: 616e 2031 3220 3230 3034 2031 393a 3336 an 12 2004 19:36<br>> 64: 3a35 313a 2025 4657 534d 2d36 2d33 3032 :51: %FWSM-6-302<br>> 80: 3030 363a 2054 6561 7264 6f77 6e20 5544 006: Teardown UD<br>> 96: 5020 636f 6e6e 6563 7469 6f6e 2066 6f72 P connection for<br>> 112: 2066 6164 6472 2031 302e 3130 302e 3832 faddr 10.100.82<br>> 128: 2e39 2f33 3738 3638 2067 6164 6472 2031 .9/37868 gaddr 1<br>> 144: 302e 3230 2e33 302e 3631 2f35 3320 6c61 0.20.30.61/53 la<br>> 160: 6464 7220 3130 2e32 302e 3330 2e36 312f ddr 10.20.30.61/<br>> 176: 3533 0a 53.<br>> <br>> In this case, the filter that I expect to pick it up is:<br>> <br>> filter f_fwsm_misc {<br>> match(" \%FWSM-") and<br>> match(": (Teardown|Translation|Built)");<br>> };<br>> log { source(s_udp); filter(f_fwsm_misc); destination(d_netfilt); };<br>> log { destination(d_messages); flags(fallback, catchall); };<br>> <br>> <br>> This works OK in 1.5.26 (i.e. the message above gets written to d_netfilt) but not 1.6.0rc4 or 1.6.1 (it's written to d_messages). I wouldn't always expect program() to work well for remote hosts but the match() filter seems like it should. Also, I can't tell if $HOST is now being correctly interpreted in 1.6.1 because the message is being written to the wrong place :-) I can say that it does seem to work correctly for other syslog-ng hosts (which I have set up to use TCP), it's primarily the UDP transport that seems to be having problems.<br><br>I don't understand how this might work differently than 1.5.26, though I<br>think the problem is that you have to enable the check_hostname() option<br>as '%FWSM-6-302' is taken as the hostname (if you enable check_hostname<br>it will be interpreted as the part of the message as '%' is not a valid<br>hostname.<br><br>I can't remember any changes in this area though.<br><br><br>-- <br>Bazsi<br>PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1<br><br><br><br>_______________________________________________<br>syslog-ng maillist - syslog-ng@lists.balabit.hu<br>https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html<br><br>
_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!