[syslog-ng]1.5.26 vs 1.6.x and destination selection

T. syslog-ng@lists.balabit.hu
Tue, 13 Jan 2004 22:21:33 -0500 (EST)



 Interesting point.  I tried with check_hostnames() set to either yes or no but with little success.  I also tried use_fqdn() as well as taking out my bad_hostname() restrictions.  I'll try to document some of the different use cases if I get a few moments free.



 --- On Mon 01/12, Balazs Scheidler < bazsi@balabit.hu > wrote:
From: Balazs Scheidler [mailto: bazsi@balabit.hu]
To: syslog-ng@lists.balabit.hu
Date: Mon, 12 Jan 2004 21:41:11 +0100
Subject: Re: [syslog-ng]1.5.26 vs 1.6.x and destination selection

On Mon, 2004-01-12 at 21:00, T. wrote:
>   Hi, Bazsi.  Thanks for writing back.  Here's what I'm seeing:
>
>   0: 0003 ba10 8f5b 0001 81ff d8ad 0800 4500    .....[........E.
>  16: 00a5 8018 0000 fc11 7b85 0a64 6303 0a40    .......{..dc..@
>  32: 4b03 042d 0202 0091 0736 3c31 3636 3e4a    K..-.....6<166>J
>  48: 616e 2031 3220 3230 3034 2031 393a 3336    an 12 2004 19:36
>  64: 3a35 313a 2025 4657 534d 2d36 2d33 3032    :51: %FWSM-6-302
>  80: 3030 363a 2054 6561 7264 6f77 6e20 5544    006: Teardown UD
>  96: 5020 636f 6e6e 6563 7469 6f6e 2066 6f72    P connection for
> 112: 2066 6164 6472 2031 302e 3130 302e 3832     faddr 10.100.82
> 128: 2e39 2f33 3738 3638 2067 6164 6472 2031    .9/37868 gaddr 1
> 144: 302e 3230 2e33 302e 3631 2f35 3320 6c61    0.20.30.61/53 la
> 160: 6464 7220 3130 2e32 302e 3330 2e36 312f    ddr 10.20.30.61/
> 176: 3533 0a                                    53.
>
> In this case, the filter that I expect to pick it up is:
>
> filter f_fwsm_misc {
>         match(" \%FWSM-") and
>         match(": (Teardown|Translation|Built)");
>         };
> log { source(s_udp);  filter(f_fwsm_misc); destination(d_netfilt); };
> log { destination(d_messages); flags(fallback, catchall); };
>
>
> This works OK in 1.5.26 (i.e. the message above gets written to
> d_netfilt) but not 1.6.0rc4 or 1.6.1 (it's written to d_messages).  I
> wouldn't always expect program() to work well for remote hosts but the
> match() filter seems like it should.  Also, I can't tell if $HOST is now
> being correctly interpreted in 1.6.1 because the message is being
> written to the wrong place :-)  I can say that it does seem to work
> correctly for other syslog-ng hosts (which I have set up to use TCP),
> it's primarily the UDP transport that seems to be having problems.

I don't understand how this might work differently than 1.5.26, though I
think the problem is that you have to enable the check_hostname() option
as '%FWSM-6-302' is taken as the hostname (if you enable check_hostname
it will be interpreted as part of the message as '%' is not a valid
hostname).

I can't remember any changes in this area though.


-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
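
Added example, not part of either message: a Python sketch that decodes the packet dump quoted above, recovers the syslog datagram and its `<166>` priority, and tests the two match() patterns from f_fwsm_misc against the unparsed text. Python's `re` module stands in for syslog-ng's matcher (an assumption), so this shows only what is on the wire, not what match() sees once a host field has been split off.

```python
import re
import struct

# Hex columns of the frame quoted in the post (ASCII column dropped).
DUMP = """
0003 ba10 8f5b 0001 81ff d8ad 0800 4500
00a5 8018 0000 fc11 7b85 0a64 6303 0a40
4b03 042d 0202 0091 0736 3c31 3636 3e4a
616e 2031 3220 3230 3034 2031 393a 3336
3a35 313a 2025 4657 534d 2d36 2d33 3032
3030 363a 2054 6561 7264 6f77 6e20 5544
5020 636f 6e6e 6563 7469 6f6e 2066 6f72
2066 6164 6472 2031 302e 3130 302e 3832
2e39 2f33 3738 3638 2067 6164 6472 2031
302e 3230 2e33 302e 3631 2f35 3320 6c61
6464 7220 3130 2e32 302e 3330 2e36 312f
3533 0a
"""

def udp_payload(dump):
    """Strip Ethernet, IPv4 and UDP headers; return (dest port, payload)."""
    frame = bytes.fromhex("".join(dump.split()))
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[9] != 17:
        raise ValueError("not UDP")
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]    # drops any Ethernet padding
    udp = ip[ihl:total_len]
    dport, ulen = struct.unpack("!HH", udp[2:6])
    return dport, udp[8:ulen]

def decode_pri(payload):
    """Split the <PRI> prefix into (facility, severity, remaining text)."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if not m:
        raise ValueError("no PRI prefix")
    pri = int(m.group(1))                          # PRI = facility * 8 + severity
    return pri >> 3, pri & 7, payload[m.end():].decode("ascii")

def raw_text_matches(text):
    """Both f_fwsm_misc patterns, applied to the text as received."""
    return bool(re.search(r" %FWSM-", text)) and bool(
        re.search(r": (Teardown|Translation|Built)", text))

dport, payload = udp_payload(DUMP)
facility, severity, text = decode_pri(payload)
print(dport, facility, severity, repr(text), raw_text_matches(text))
```

The datagram as received satisfies both patterns, and priority 166 decodes to facility 20 (local4), severity 6, which agrees with the "-6-" in the %FWSM tag.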
