[syslog-ng] expanding $HOST in 1.6.*

t_esting at excite.com
Thu Sep 8 15:39:34 CEST 2005


>> Hello, syslog-ng gurus.  I have been trying unsuccessfully to replicate syslog-ng 1.5.26 behavior over to the current stable release.  Specifically, here's what I can't seem to get to work from my config:
>> 
>> destination d_ipfilters_bymin   { file ("/var/logser/$HOST/$YEAR/$MONTH/$DAY/ipfilters.log.$HOUR.$MIN"
>>         owner(root) perm(0600) create_dirs(yes) ); };
>> 
>> filter f_fwsm_misc {
>>         match(" \%FWSM-") and
>>         match(": (Teardown|Translation|Built)");
>>         };
>> 
>> log { source(s_udp);  filter(f_fwsm_misc);   destination(d_ipfilters_bymin); };
>> 
>> With syslog-ng 1.5.26 (linked against libol 0.3.10 on Solaris 8 using GCC in 64-bit mode), this config writes my FWSM messages to /var/logser correctly.  I have been unable to do the same using either 1.6.8; the messages just fall through to my catchall destination.  
>> 
>> Can anyone offer some advice on how to reproduce the 1.5.x $HOST expansion behavior in 1.6.x?

>I can't really understand. Do you have a problem with matching the log
>lines or the filename where the line is written to?

I was having trouble with the filename matching.  I've seen a couple of different behaviors in the 1.6.x release.  At different times, I've seen $HOST expanded as the DNS name, other times as the IP address.  Other times, I've seen it drop all the way through to catchall (though I'm not able to recreate that this morning with 1.6.8 for some reason).  I'll continue to do testing over the next couple of days to see if I can articulate exactly what I'm seeing with a larger scope of test data.

Thanks.

T.E.

