[syslog-ng] How does regex work with HOST definitions?
Nate Campi
nate at campin.net
Mon Oct 3 05:17:18 CEST 2005
On Mon, Oct 03, 2005 at 10:41:22AM +1300, Jason Haar wrote:
> catenate wrote:
>
> >
> > Has anyone any idea about this? It looks to me that regex don't work on
> > the "host()" options at all. I have mine set to a regex, and it's
> > capturing all sorts of traffic from other syslog clients that don't
> > match :-(
> >
> >
> > Remove the backslashes before the hyphens - you'd only need to do that
> > inside a character class, e.g. [a-z\-] to match any of a through z and
> > hyphen. Outside a character class it means itself (or if it's the
> > first character in a character class and not escaped, like this [-a-z]).
>
> Didn't help I'm afraid. I've got

But it was still an incorrect regexp.

> host ("-ids-")
>
> and it's still picking up data from boxes who don't contain "-ids-" in
> their hostname.
>
> One thing I didn't mention is that all the incorrect hosts being picked
> up have their syslogs "routed" through another syslog-ng server running
> on a host that does match "-ids-", could that be a cause?

So what do the log entries look like? Do you have chained hostnames, or
is it replaced with the relaying host?

Paste in a couple entries that are logged incorrectly.
--
Nate
"Man is the only animal that blushes. Or needs to." - Samuel Clemens