[syslog-ng] Not able to match on a field in syslog messages from a DataPower Appliance
Salowitz, Adam (AS.)
asalowi1 at ford.com
Thu Jul 17 16:31:00 CEST 2008
>USER.DEBUG: Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug]
>trans(383): cpu usage: 57%(10 sec) 57%(1 min) 57%(10
>min) 56%(1 hour) 58%(1 day)
>
>In syslog wire protocol the field immediately after the
>timestamp is the hostname, so this message would be
>interpreted as being from a host called DPRASSyslogAudit3.
>Your filters are not matching these messages because match()
>only matches elements of the message body and the text you're
>looking for does not appear in the message body.
>
>Joe.
That's actually what I thought (but forgot to mention in my earlier
email), but when I try to match on host it doesn't catch anything
either. Neither of these catch anything:
filter group_syncDPextest {
    host("DP[:digit:]+Syslog")
    or host("DPRASSyslogAudit[:digit:]+")
;};

filter group_syncDPextest {
    host("DP")
;};
Is this because the host filter actually comes from the source host of
the packet and not the message itself? Are DataPower's syslog messages
just broken or non-RFC-compliant? Should I just give up and try to
match on other strings in the message? Thanks again for all your help
on this weird problem.
Adam
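Added example, not part of the thread or of syslog-ng: a small Python model of how an RFC 3164 (BSD syslog) receiver splits this message, so both questions above can be checked against the parsed fields. It assumes the wire form of the quoted line (PRI <15>, i.e. user.debug; the "USER.DEBUG:" prefix is the receiver's output template, not part of the packet) and models syslog-ng's keep_hostname() option, which is worth checking in the receiving config: with keep_hostname(no), the default, the HOST field is rewritten to the address or name of the host the packet came from, so host("DP") would not see the name embedded in the message. It also shows why "DP[:digit:]+Syslog" cannot match: outside an enclosing bracket expression, [:digit:] is an ordinary set of the five characters ":dgit" (the POSIX class is spelled [[:digit:]]), and DPRASSyslogAudit3 has no digits between DP and Syslog in any case. Function names, the sample sender address and the SAMPLE line are the example's own.

```python
"""Model of how a BSD-syslog (RFC 3164) receiver splits a message and how
host()- and match()-style filters see it.  Added example, not syslog-ng code."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG.  The day of month may be
# space padded ("Jul  5"), so the timestamp is matched as a fixed-width field;
# the token after it, up to the next space, is the hostname.
_BSD_SYSLOG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.S,
)

# Constructed wire-format version of the DataPower line quoted in the thread.
# <15> encodes facility user (1) and severity debug (7): 1*8 + 7.
SAMPLE = ("<15>Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug] trans(383): "
          "cpu usage: 57%(10 sec) 57%(1 min) 57%(10 min) 56%(1 hour) 58%(1 day)")


def parse_bsd_syslog(line):
    """Split one RFC 3164 message into facility/severity/timestamp/host/msg."""
    m = _BSD_SYSLOG.match(line)
    if not m:
        raise ValueError("not a BSD syslog message: %r" % line)
    # RFC 3164 says a missing PRI is treated as <13> (user.notice).
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    facility, severity = pri >> 3, pri & 7
    if facility >= len(FACILITIES):
        raise ValueError("invalid PRI %d" % pri)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def rewrite_host(parsed, sender, keep_hostname):
    """Model of syslog-ng's keep_hostname() option (an assumption about the
    receiver's config, not something the thread shows): with keep_hostname(no)
    the HOST field is replaced by the address or name of the sending host."""
    out = dict(parsed)
    if not keep_hostname:
        out["host"] = sender
    return out


def host_filter(pattern, parsed):
    """host("...") tests the HOST field only."""
    return re.search(pattern, parsed["host"]) is not None


def match_filter(pattern, parsed):
    """match("...") as described in the quoted reply: tests the message body only."""
    return re.search(pattern, parsed["msg"]) is not None


def explain_digit_class():
    """Why 'DP[:digit:]+Syslog' never matches 'DPRASSyslogAudit3'.

    Outside an enclosing bracket expression, [:digit:] is a plain set of the
    characters ':', 'd', 'i', 'g', 't' in POSIX regex and in Python's re alike.
    Python's re has no POSIX classes, so [0-9] stands in for [[:digit:]] here."""
    parsed = parse_bsd_syslog(SAMPLE)
    return {
        "DP[:digit:]+Syslog": host_filter("DP[:digit:]+Syslog", parsed),
        "DP[0-9]+Syslog": host_filter("DP[0-9]+Syslog", parsed),
        "DPRASSyslogAudit[0-9]+": host_filter("DPRASSyslogAudit[0-9]+", parsed),
    }


if __name__ == "__main__":
    parsed = parse_bsd_syslog(SAMPLE)
    print("parsed:", parsed["facility"], parsed["severity"], parsed["host"])
    print("match('DP') on body:", match_filter("DP", parsed))
    print("host('DP') with keep_hostname(yes):", host_filter("DP", parsed))
    as_received = rewrite_host(parsed, "10.0.0.5", keep_hostname=False)  # sender is an assumption
    print("host('DP') with keep_hostname(no): ", host_filter("DP", as_received))
    for pattern, hit in explain_digit_class().items():
        print("host(%r):" % pattern, hit)
```

Run stand-alone it prints the parsed fields and the outcome of each filter under both keep_hostname() settings; the pattern that matches the parsed hostname is "DPRASSyslogAudit[0-9]+", and only when the receiver keeps the hostname from the message.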