[syslog-ng] Bug report: host variables translated differently in templates than in regex

Jason Haar Jason.Haar at trimble.co.nz
Mon Oct 17 01:40:56 CEST 2005


Hi there

I brought this up a couple of weeks ago ("How does regex work with HOST
definitions?") and I now think it's a bug.

Basically if you call HOST as part of a template call such as:

template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")

or

file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY")

then HOST is *the first syslog client* sending the syslog record
(assuming keep_hostname is set). i.e. HOST might be the actual client
that physically sent the record - or it might be the client gatewayed
through a previous syslog server.

However, if you are referring to the remote syslog client via a regex in
a filter, such as

filter f_process_TIBS { host("-ids-"); };


then it appears that "host" is literally *the last syslog client* -
instead of *the first syslog client*. e.g. if you have a syslog client
(clientA) that forwards to serverB, and serverB forwards to serverC,
then for a particular clientA record, HOST on serverC is "clientA", but
"host" refers to "serverB".

I can see this by using lsof. I can see that the likes of
/var/log/syslog/clientA/2005/10/17/filename is open for write, although
clientA hostname doesn't match the filter associated with that path -
but the serverB that clientA gateways through does...

Can someone check if this is true? My problem is that the above filter
on "serverC" basically matches all syslog clients, whereas running the
same config on serverB only matches the appropriate clientA hosts - as I
want.

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
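
The lsof check described in the message can be scripted. This is an added example, not part of the original post: it assumes the default lsof column layout, paths without spaces, that the destination is fed only by the one filter, and that host() behaves as an unanchored regex. The sample lsof output and the hostname gw-ids-01 are constructed.

```python
import re

# Layout from the post's destination: /var/log/syslog/$HOST/$YEAR/$MONTH/$DAY
LOG_PATH = re.compile(r"^/var/log/syslog/(?P<host>[^/]+)/\d{4}/\d{2}/\d{2}(?:/|$)")

# Constructed sample in the default lsof column layout (not real output).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
syslog-ng 1234 root    3u  IPv4  55001      0t0    UDP *:514
syslog-ng 1234 root    7w   REG    8,1     4096 131201 /var/log/syslog/clientA/2005/10/17/messages
syslog-ng 1234 root    8w   REG    8,1     2048 131202 /var/log/syslog/gw-ids-01/2005/10/17/messages
syslog-ng 1234 root    9r   REG    8,1      512 131300 /etc/syslog-ng/syslog-ng.conf
"""


def open_log_hosts(lsof_text):
    """Map each $HOST directory to the log files currently open for writing."""
    hosts = {}
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue  # header, blank or truncated line
        fd, name = fields[3], fields[-1]
        # FD column is a descriptor number plus a mode letter; keep write/update only.
        if not re.fullmatch(r"\d+[wu]", fd):
            continue
        m = LOG_PATH.match(name)
        if m:
            hosts.setdefault(m.group("host"), set()).add(name)
    return hosts


def mismatched_hosts(lsof_text, filter_regex):
    """Hosts with open log files whose name does NOT match the filter regex.

    Any host returned here was written by a destination whose filter should
    have excluded it if host() were evaluated against the same value as $HOST.
    """
    pattern = re.compile(filter_regex)
    return sorted(h for h in open_log_hosts(lsof_text) if not pattern.search(h))


if __name__ == "__main__":
    for host in mismatched_hosts(SAMPLE_LSOF, "-ids-"):
        print("host directory does not match filter:", host)
```

On a live server, feed it the output of lsof for the syslog-ng process instead of the constructed sample.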


