[syslog-ng] How does regex work with HOST definitions?
Jason Haar
Jason.Haar at trimble.co.nz
Sun Oct 2 23:41:22 CEST 2005
catenate wrote:
>
> Has anyone any idea about this? It looks to me that regex don't work on
> the "host()" options at all. I have mine set to a regex, and it's
> capturing all sorts of traffic from other syslog clients that don't
> match :-(
>
>
> Remove the backslashes before the hyphens - you'd only need to do that
> inside a character class, e.g. [a-z\-] to match any of a through z and
> hyphen. Outside a character class it means itself (or if it's the
> first character in a character class and not escaped, like this [-a-z]).
Didn't help, I'm afraid. I've got

    host ("-ids-")

and it's still picking up data from boxes that don't contain "-ids-" in
their hostname.
One thing I didn't mention is that all the incorrect hosts being picked
up have their syslogs "routed" through another syslog-ng server running
on a host that does match "-ids-", could that be a cause?
i.e.

    hostname.my.network -- syslog-ng ---> host-ids-01.my.network -- syslog-ng --> my.central.syslog.server

and my.central.syslog.server is logging entries from hostname.my.network
as if it matches host("-ids-").
This is a bit of an issue as it means I'm ending up with records being
recorded incorrectly 2-4 times - I'm running out of disk space! (around
15G a week now when it should be 5G)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1