[syslog-ng] syslog-ng and host() filters regex problem

Balazs Scheidler bazsi at balabit.hu
Tue Jul 19 09:20:12 CEST 2005


On Mon, 2005-07-18 at 23:22 +0200, syslog-ng wrote:
> hello,
> I have a problem with syslog-ng and host() filters regex. I need to
> sort out logs coming from different source addresses in various files,
> so I started with this configuration:
> 
> filter f_cp_ { host("10.28.88.4"); };
> [10 similar host filters]
> filter f_pix_1 { host("10.29.42.3"); };
> 
> for every filter I defined a file destination and a log statement like this one:
> 
> log { source(s_udp); filter(f_pix_1); destination(nfs_pix_1); };
> 
> This configuration works as expected, but since logs might come from
> other IP addresses which don't have to get mixed up (e.g. 10.28.88.41
> matches the first filter but shouldn't) I'd like to use a regexp in
> the host file; I tried just by adding a $ at the end of the IP, like
> this:
> 
> filter f_cp_dl380 { host("10.28.88.4$"); };
> [10 similar host filters]
> filter f_pix_1VF { host("10.29.42.3$"); };
> 
> After sending a HUP to the process syslog-ng stops writing input
> packets to the various log files. Just removing the $ after the IP
> address and sending another HUP to the server restores functionality.
> I also tried with a full IP regexp, as found in another post on the
> list (host("^10\.28\.88\.4$")) but the result is the same. I also
> tried upgrading my syslog-ng from 1.6.2 to 1.6.8 but nothing changed.
> 
> It seems like the config parser is somehow unable to manage more than
> a handful of host regexps correctly.

It should not matter how many filter regexps you have, they work
independently, and there is nothing in syslog-ng that depends on their
number. I'd say that either the hostname is not something that you
expect it to be (try outputting the hostname enclosed in some
characters, like template('[$HOST]\n'), and see if there is a trailing
space or something).

The other problem might be that you are not escaping correctly, for
example you need a double backslash to protect the dot, as syslog-ng
uses C style escaping, not shell style, e.g. you need:

host("^10\\.28\\.88\\.44$");

I agree that this format is not ideal, but changing this would require
changing the configuration format, which is another issue.

-- 
Bazsi
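
Added example, not part of the original message and not syslog-ng code: a Python model of the two hypotheses in the reply above (a host value that is not what you expect, and C-style escaping of the filter string). It assumes the config lexer turns a doubled backslash into one backslash and drops a backslash in front of any other character, and it uses Python's `re.search` as a stand-in for syslog-ng's regex matcher; the host values are constructed.

```python
import re

def c_unescape(literal):
    # Model of C-style escape processing on a quoted config string.
    # Assumption: a doubled backslash yields one backslash, and a backslash
    # before any other character is dropped (escapes like \n are not modelled).
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            i += 1  # skip the backslash, keep the character after it
        out.append(literal[i])
        i += 1
    return "".join(out)

def host_matches(config_literal, host):
    # Unanchored search: a pattern matches anywhere in the host string,
    # which is why 10.28.88.41 matched the 10.28.88.4 filter in the thread.
    return re.search(c_unescape(config_literal), host) is not None

# Constructed sample $HOST values, including one with a trailing space
# and one that only matches when the dots are unescaped wildcards.
HOSTS = ["10.28.88.4", "10.28.88.41", "10.28.88.4 ", "10x28y88z4"]

# Filter strings exactly as they would be typed between the quotes.
FILTERS = {
    "plain":          r"10.28.88.4",
    "dollar":         r"10.28.88.4$",
    "single_escaped": r"^10\.28\.88\.4$",
    "double_escaped": r"^10\\.28\\.88\\.4$",
}

def match_table():
    # For each filter, list the sample hosts it would accept.
    return {name: [h for h in HOSTS if host_matches(lit, h)]
            for name, lit in FILTERS.items()}

if __name__ == "__main__":
    for name, hits in match_table().items():
        print(f"{name:15} {FILTERS[name]!r:24} -> {hits}")
```

Under these assumptions only the double-backslash form restricts the match to the exact address, and no `$`-anchored form accepts the host value that carries a trailing space.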


