[syslog-ng] How does regex work with HOST definitions?
Jason Haar
Jason.Haar at trimble.co.nz
Thu Sep 29 04:49:03 CEST 2005
Hi there
Has anyone any idea about this? It looks to me that regex don't work on
the "host()" options at all. I have mine set to a regex, and it's
capturing all sorts of traffic from other syslog clients that don't
match :-(
Jason
Jason Haar wrote:
>Hi there
>
>I have a subset of syslog-ng hosts that use a specific DNS formatted
>naming convention that I wish to ensure all their data is caught by a
>particular syslog-ng filter.
>
>I have
>
>filter f_process_Test { host("^...\-..\-ids\-[0-9]+\...\.our\.net$") and
>not host("abc-xy-ids-02\.our\.net"); };
>
>i.e. I want abc-12-ids-01.aa.our.net and xyz-12-ids-01.aa.our.net to be
>caught by this filter, but abc-xy-ids-02\.our\.net not to be.
>
>I could explicitly name them all I suppose - but there are 12+ of them
>and they are growing in number. A regex would be much more efficient.
>
>Anyway, it doesn't work. That filter never triggers. I know the
>hostnames are correct as I have a general catch-all rule that logs to
>filenames containing the hostname - and those hostnames show up in there.
>
>Can anyone explain what I've got wrong? REGEX works fine in my "match"
>calls...
>
>This is syslog-ng-1.6.7-2 under CentOS4.1
>
>Thanks!
>
>
>
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the syslog-ng
mailing list