[syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Thu May 8 19:05:28 CEST 2008


Hi,

> My problems lie with the other filters, the ones at the end:
>
> filter F_edge         { host("edge*") or host("122.21.*"); };
> filter F_router       { host("gw*") or host("rtr") or host("mmsc"); };
> filter F_switch       { host("sw*") or host("sw1") or host("sw2"); };
> filter F_firewall     { host("^fw*") or host("^mlm*-*") or host("^cm*"); };
> filter F_dc           { host("^mydc*") or host("^dc*"); };
> filter F_accesspoints { host("^melanie*"); };
> filter F_mailservers  { host("^mail*") or host("^smtpgw*"); };
> filter F_proxies      { host("^proxygw*"); };
> filter F_InternetIP   { host("161.17.10.*"); };
>
> The above, based on the filter rule for F_mailservers, should
> place anything coming in from a host named mailserver1, or
> smtpgw1 into destination D_mailservers, which in turn should
> save logs into file named
> /var/log/MyHosts/MailServers/$FULLHOST.log.  Instead I find
> those logs in /var/log/MyHosts/Switches/$FULLHOST.log (which
> is really
> /var/log/MyHosts/Switches/mailserver1.mycorp.net/mailserver1.mycorp.net.log)

It would be nice to see at least a log entry from the file. BTW
how did the hostname appear twice in the destination filename?
Either I overlooked something or you're not using exactly the
same config you sent.

> I need to figure out a way to write the differences for hosts
> that begin with pattern xxx (^xxx)? and those with xxx at the
> end (*xxx) and those with xxx in the middle (*xxx)?, and for
> the life of me, I can't figure out why the above is sending
> into Switches :-(

You have anchors in your filter regexps already. "^xxx", "xxx$",
".xxx." are what you need if I understand you correctly.

Regards,

Sandor


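The mechanism behind the misrouting discussed above, as an added example that is not part of the original thread: in syslog-ng 2.x the argument of host() is a POSIX regular expression searched anywhere in the hostname, not a shell glob, so "sw*" means "an 's' followed by zero or more 'w'" and matches any hostname that contains the letter 's' (mailserver1 included), while "gw*" matches any hostname containing a 'g'. The script below emulates that matching with Python's re.search over the filters quoted in the post, beside an anchored rewrite in the spirit of Sandor's "^xxx" advice, and runs both against a handful of constructed hostnames (mailserver1.mycorp.net, smtpgw1.mycorp.net, sw1, rtr, edge2, 161.17.10.5) that do not come from the post. The anchored prefixes are lifted from the post; that every host actually begins with one of them is an assumption.

```python
import re

# Filters copied from the original post. syslog-ng 2.x treats host("...") as an
# unanchored POSIX regex search against the hostname, so "sw*" means "an 's'
# followed by zero or more 'w'", i.e. any hostname containing an 's'.
ORIGINAL_FILTERS = {
    "F_edge": ["edge*", "122.21.*"],
    "F_router": ["gw*", "rtr", "mmsc"],
    "F_switch": ["sw*", "sw1", "sw2"],
    "F_firewall": ["^fw*", "^mlm*-*", "^cm*"],
    "F_dc": ["^mydc*", "^dc*"],
    "F_accesspoints": ["^melanie*"],
    "F_mailservers": ["^mail*", "^smtpgw*"],
    "F_proxies": ["^proxygw*"],
    "F_InternetIP": ["161.17.10.*"],
}

# Anchored rewrite: each pattern pins the literal prefix to the start of the
# hostname, and the dots inside IP prefixes are escaped so they stop matching
# arbitrary characters. The prefixes come from the post; that every hostname
# starts with one of them is an assumption made for this example.
ANCHORED_FILTERS = {
    "F_edge": [r"^edge", r"^122\.21\."],
    "F_router": [r"^gw", r"^rtr", r"^mmsc"],
    "F_switch": [r"^sw"],
    "F_firewall": [r"^fw", r"^mlm.*-", r"^cm"],
    "F_dc": [r"^mydc", r"^dc"],
    "F_accesspoints": [r"^melanie"],
    "F_mailservers": [r"^mail", r"^smtpgw"],
    "F_proxies": [r"^proxygw"],
    "F_InternetIP": [r"^161\.17\.10\."],
}

# Constructed sample hostnames (not from the post), as $FULLHOST would carry them.
SAMPLE_HOSTS = [
    "mailserver1.mycorp.net",
    "smtpgw1.mycorp.net",
    "sw1",
    "rtr",
    "edge2",
    "161.17.10.5",
]


def matching_filters(hostname, filters):
    """Return the names of all filters whose host() regex accepts hostname.

    Mirrors syslog-ng: a message is delivered to every log path whose filter
    matches, so a hostname matching two filters lands in two destinations.
    """
    return [
        name
        for name, patterns in filters.items()
        if any(re.search(pattern, hostname) for pattern in patterns)
    ]


def routing_table(filters, hosts=SAMPLE_HOSTS):
    """Map each sample host to the list of filters that would route it."""
    return {host: matching_filters(host, filters) for host in hosts}


def misrouted(filters, hosts=SAMPLE_HOSTS):
    """Hosts that match zero or several filters under the given filter set."""
    table = routing_table(filters, hosts)
    return sorted(host for host, names in table.items() if len(names) != 1)


if __name__ == "__main__":
    for label, filters in (("original", ORIGINAL_FILTERS), ("anchored", ANCHORED_FILTERS)):
        print(f"--- {label} filters ---")
        for host, names in routing_table(filters).items():
            print(f"{host:25} -> {', '.join(names) or '(no match)'}")
```

Under the original filters mailserver1.mycorp.net matches both F_switch and F_mailservers, smtpgw1.mycorp.net matches F_router, F_switch and F_mailservers, and edge2 matches F_edge and F_router, so each of those hosts is written to several destination directories at once; under the anchored set every sample host matches exactly one filter. Two caveats for anyone porting this: a bare `.` in a pattern such as "122.21.*" matches any single character, not only a dot, and later syslog-ng releases let a filter declare its matching mode explicitly (for example `host("sw*" type(glob))`), which avoids the regex-versus-glob confusion altogether.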