[syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended

wiskbroom at hotmail.com wiskbroom at hotmail.com
Thu May 8 19:58:36 CEST 2008


Here are some recent logs.


May  8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net
postfix/smtp[22079]: [ID 197553 mail.info] BBBF66CB1E: to=<b.smith at nodomain.net>,
relay=192.168.12.1[192.168.12.1]:25, delay=0.48, delays=0.31/0.02/0.01/0.14,
dsn=2.6.0, status=sent (250 2.6.0  <B7C2C6BA798F3C4DBDD78BEDC1F8AD5732046E44 at ns2.someotherdomain.com>
Queued mail for delivery)

May  8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net
postfix/smtp[22079]: [ID 197553 mail.info] BBBF66CB1E: to=<m.jackson at nodomain.net>,
relay=192.168.12.1[192.168.12.1]:25, delay=0.48, delays=0.31/0.02/0.01/0.14,
dsn=2.6.0, status=sent (250 2.6.0 
<B7C2C6BA798F3C4DBDD78BEDC1F8AD5732046E44@ ns2.someotherdomain.com>
Queued mail for delivery)

May  8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net
postfix/smtp[22079]: [ID 197553 mail.info] BBBF66CB1E: to=<r.lindsay at nodomain.net>,
relay=192.168.12.1[192.168.12.1]:25, delay=0.48, delays=0.31/0.02/0.01/0.14,
dsn=2.6.0, status=sent (250 2.6.0 
<B7C2C6BA798F3C4DBDD78BEDC1F8AD5732046E44@ ns2.someotherdomain.com>
Queued mail for delivery)

May  8 13:48:41 mailserver1.mycorp.net/mailserver1.mycorp.net
postfix/qmgr[13267]: [ID 197553 mail.info] BBBF66CB1E: removed

I *believe* the double hostname is due to chain_hostnames=yes? Don't remember.

Regards,

.vp


> From: Sandor.Geller at morganstanley.com
> To: syslog-ng at lists.balabit.hu
> Date: Thu, 8 May 2008 18:05:28 +0100
> Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended
> 
> Hi,
> 
> > My problems lie with the other filters, the ones at the end:
> >
> > filter F_edge         { host("edge*") or host("122.21.*"); };
> > filter F_router       { host("gw*") or host("rtr") or host("mmsc"); };
> > filter F_switch       { host("sw*") or host("sw1") or host("sw2"); };
> > filter F_firewall     { host("^fw*") or host("^mlm*-*") or
> > host("^cm*"); };
> > filter F_dc           { host("^mydc*") or host("^dc*"); };
> > filter F_accesspoints { host("^melanie*"); };
> > filter F_mailservers  { host("^mail*") or host("^smtpgw*"); };
> > filter F_proxies      { host("^proxygw*"); };
> > filter F_InternetIP   { host("161.17.10.*"); };
> >
> > The above, based on the filter rule for F_mailservers, should
> > place anything coming in from a host named mailserver1, or
> > smtpgw1 into destination D_mailservers, which in turn should
> > save logs into file named
> > /var/log/MyHosts/MailServers/$FULLHOST.log.  Instead I find
> > those logs in /var/log/MyHosts/Switches/$FULLHOST.log (which
> > is really
> > /var/log/MyHosts/Switches/mailserver1.mycorp.net/mailserver1.m
> > ycorp.net.log)
> 
> It would be nice to see at least a log entry from the file. BTW
> how did the hostname appear twice in the destination filename?
> Either I overlooked something or you're not using exactly the
> same config you sent.
> 
> > I need to figure out a way to write the differences for hosts
> > that begin with pattern xxx (^xxx)? and those with xxx at the
> > end (*xxx) and those with xxx in the middle (*xxx)?, and for
> > the life of me, I can't figure out why the above is sending
> > into Switches :-(
> 
> You've anchors in your filter regexps already. "^xxx", "xxx$",
> ".xxx." are what you need if I understand you correctly.
> 
> Regards,
> 
> Sandor

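An added illustration of why mailserver1 lands in the Switches file, not code from either poster: syslog-ng's host() takes an unanchored POSIX regular expression, not a shell glob, so "sw*" means "an s followed by zero or more w" and matches any hostname containing an "s". The script replays the filter list from the thread in config order with re.search, then an anchored rewrite (my assumption of what the poster wants, including the "[0-9]+" suffix class), against the hostname from the logs above.

```python
import re

# Filter rules as quoted in the thread, in config order. syslog-ng matches
# host() as a regex anywhere in the hostname, so "sw*" is "s" followed by
# zero or more "w": it fires on the "s" in "mailserver1".
ORIGINAL_FILTERS = [
    ("F_edge",         ["edge*", "122.21.*"]),
    ("F_router",       ["gw*", "rtr", "mmsc"]),
    ("F_switch",       ["sw*", "sw1", "sw2"]),
    ("F_firewall",     ["^fw*", "^mlm*-*", "^cm*"]),
    ("F_dc",           ["^mydc*", "^dc*"]),
    ("F_accesspoints", ["^melanie*"]),
    ("F_mailservers",  ["^mail*", "^smtpgw*"]),
    ("F_proxies",      ["^proxygw*"]),
    ("F_InternetIP",   ["161.17.10.*"]),
]

# Anchored rewrite (assumed, not from the thread): "^" pins the prefix to the
# start of the hostname, "[0-9]+" is a numeric suffix, "\." a literal dot.
ANCHORED_FILTERS = [
    ("F_edge",         [r"^edge", r"^122\.21\."]),
    ("F_router",       [r"^gw", r"^rtr", r"^mmsc"]),
    ("F_switch",       [r"^sw[0-9]+"]),
    ("F_firewall",     [r"^fw", r"^mlm[0-9]*-", r"^cm"]),
    ("F_dc",           [r"^mydc", r"^dc"]),
    ("F_accesspoints", [r"^melanie"]),
    ("F_mailservers",  [r"^mail", r"^smtpgw"]),
    ("F_proxies",      [r"^proxygw"]),
    ("F_InternetIP",   [r"^161\.17\.10\."]),
]

def matching_filters(host, filters):
    """Return (filter name, pattern, matched text) for every filter whose
    host() expression matches, in config order. re.search mirrors the
    unanchored regex test syslog-ng applies; with flags(final) on the log
    statements only the first entry would win."""
    hits = []
    for name, patterns in filters:
        for p in patterns:
            m = re.search(p, host)
            if m:
                hits.append((name, p, m.group(0)))
                break
    return hits

if __name__ == "__main__":
    for host in ("mailserver1.mycorp.net", "smtpgw1.mycorp.net", "sw1.mycorp.net"):
        print(host, "original:", matching_filters(host, ORIGINAL_FILTERS))
        print(host, "anchored:", matching_filters(host, ANCHORED_FILTERS))
```

The original rules also route smtpgw1 into F_router, because "gw*" matches the "g" inside "smtpgw".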