[syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended

wiskbroom at hotmail.com wiskbroom at hotmail.com
Thu May 8 20:03:23 CEST 2008


That is *exactly* what I am doing, no?

log { source(S_udp); filter(F_mailservers); destination(D_mailservers); flags(final); };
# above catches inbound, from a remote host udp only, with pattern matching F_mailservers, sending it down the path of D_mailservers.

log { source(S_udp); destination(D_udp);};
# The above is a catchall, nothing seems to go into here.

???

.vp

> From: Joe.Fegan at hp.com
> To: syslog-ng at lists.balabit.hu
> Date: Thu, 8 May 2008 17:44:53 +0000
> Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended
> 
> It's usually best to put the "always do this" rules first and the "stop if this rule is matched" rules afterwards. Syslog-ng works down the list of rules from the top like this pseudo-code:
> 
>   foreach rule in ruleslist {
>     if (message matches rule) {
>       send message down this path
>       if (rule has flags(final) in it) {
>         break
>       }
>     }
>   }
> 
> So if a flags(final) rule gets satisfied then no subsequent rule will even be evaluated.
> 
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Geller, Sandor (IT)
> Sent: 08 May 2008 18:05
> To: 'Syslog-ng users' and developers' mailing list'
> Subject: Re: [syslog-ng] Problems With Filter Rules - Using First Rule, Not One Intended
> 
> Hi,
> 
> > My problems lie with the other filters, the ones at the end:
> >
> > filter F_edge         { host("edge*") or host("122.21.*"); };
> > filter F_router       { host("gw*") or host("rtr") or host("mmsc"); };
> > filter F_switch       { host("sw*") or host("sw1") or host("sw2"); };
> > filter F_firewall     { host("^fw*") or host("^mlm*-*") or
> > host("^cm*"); };
> > filter F_dc           { host("^mydc*") or host("^dc*"); };
> > filter F_accesspoints { host("^melanie*"); };
> > filter F_mailservers  { host("^mail*") or host("^smtpgw*"); };
> > filter F_proxies      { host("^proxygw*"); };
> > filter F_InternetIP   { host("161.17.10.*"); };
> >
> > The above, based on the filter rule for F_mailservers, should
> > place anything coming in from a host named mailserver1, or
> > smtpgw1 into destination D_mailservers, which in turn should
> > save logs into file named
> > /var/log/MyHosts/MailServers/$FULLHOST.log.  Instead I find
> > those logs in /var/log/MyHosts/Switches/$FULLHOST.log (which is really
> > /var/log/MyHosts/Switches/mailserver1.mycorp.net/mailserver1.mycorp.net.log)
> 
> It would be nice to see at least a log entry from the file. BTW
> how did the hostname appear twice in the destination filename?
> Either I overlooked something or you're not using exactly the
> same config you sent.
> 
> > I need to figure out a way to write the differences for hosts
> > that begin with pattern xxx (^xxx)? and those with xxx at the
> > end (*xxx) and those with xxx in the middle (*xxx)?, and for
> > the life of me, I can't figure out why the above is sending
> > into Switches :-(
> 
> You've anchors in your filter regexps already. "^xxx", "xxx$",
> ".xxx." are what you need if I understand you correctly.
> 
> Regards,
> 
> Sandor
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
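To see why a flags(final) path that matches first swallows the message, and why an unanchored host("sw*") can match a mail server, here is a small simulation of the rule walk from Joe Fegan's pseudo-code. It is an added example, not syslog-ng code or the poster's config: the log-path layouts are assumed, and host() patterns are treated as unanchored POSIX-style regexes (the syslog-ng 2.x default, assumed here).

```python
import re

# Constructed example, not the poster's config. host() patterns are searched
# anywhere in the hostname, as unanchored regexes (assumption: syslog-ng 2.x).
FILTERS_AS_POSTED = {
    "F_switch":      ["sw*", "sw1", "sw2"],
    "F_mailservers": ["^mail*", "^smtpgw*"],
}
# Same filters with every pattern anchored to the start of the hostname.
FILTERS_ANCHORED = {
    "F_switch":      ["^sw"],
    "F_mailservers": ["^mail", "^smtpgw"],
}

def host_matches(patterns, host):
    """host("re") is true if the regex is found anywhere in the hostname."""
    return any(re.search(p, host) for p in patterns)

def route(host, filters, log_paths):
    """Walk the log paths top to bottom, as in the pseudo-code: every matching
    path receives the message; a path with flags(final) stops the walk."""
    delivered = []
    for filter_name, destination, final in log_paths:
        if filter_name is None or host_matches(filters[filter_name], host):
            delivered.append(destination)
            if final:
                break
    return delivered

# Assumed layout: one flags(final) path per host class, catch-all at the end.
PATHS_FINAL_FIRST = [
    ("F_switch",      "D_switches",    True),
    ("F_mailservers", "D_mailservers", True),
    (None,            "D_udp",         False),   # only reached if nothing above matched
]
# Joe's suggestion: the "always do this" path first, final paths after it.
PATHS_CATCHALL_FIRST = [
    (None,            "D_udp",         False),
    ("F_switch",      "D_switches",    True),
    ("F_mailservers", "D_mailservers", True),
]

if __name__ == "__main__":
    # "sw*" means "s followed by zero or more w", so it matches the "s" in mailserver1.
    print(route("mailserver1", FILTERS_AS_POSTED, PATHS_FINAL_FIRST))    # ['D_switches']
    print(route("mailserver1", FILTERS_ANCHORED, PATHS_FINAL_FIRST))     # ['D_mailservers']
    print(route("mailserver1", FILTERS_ANCHORED, PATHS_CATCHALL_FIRST))  # ['D_udp', 'D_mailservers']
```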