[syslog-ng] Syslog-ng writes log entries to 2 different logs

Burton Simonds burton at simondsfamily.com
Wed Sep 29 22:35:10 CEST 2010


Hi,
I have resolved this issue. And yes, it was a regex issue. I had
not read the host() doc closely enough since I inherited the syslog
system intact, and at the time working, we just kept adding
hosts.

It wasn't a . that got me (although it easily could have), it was that
the switches filter was matching say, 10.10.10.1 and the firewall was
matching 10.10.10.10 . . .

So when a message was coming in from 10.10.10.10, it was being matched
by both filters.
I tested 2 possible resolutions for it, both seemed to work.
The first was just putting a $ at the end and escaping the .

Second, I used host("10.10.10.10",type(string))

Thanks for the feedback!

Burton

On Mon, Sep 27, 2010 at 8:57 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Mon, 2010-09-20 at 12:58 -0400, Burton Simonds wrote:
>> I am using syslog-ng 3.1.2 and I am having a problem that I can not figure out.
>>
>> Our network gear sends messages to syslog-ng, and then it filters them
>> based on device type, and name.
>>
>> There is one firewall, that is matching both the firewalls filter and
>> the switches filter, and is subsequently writing to both locations.
>>
>> in the example below, host 1.2.3.5  is logging to both the switches
>> log dir and the firewalls log dir even though it is only referenced in
>> the firewalls filter.
>>
>> Other than the obvious possibilities, (Yes, I have confirmed that the
>> ip address is only referenced in one filter) does anyone have any
>> ideas on what I should look at?
>
> host() takes a regular expression. Are you sure '.' (which matches any
> character) is not biting you here?
>
>
> --
> Bazsi
>

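As an added illustration of the behaviour discussed in this thread (this is example code, not part of the original post and not syslog-ng's own code), the snippet below models host() as syslog-ng evaluates it: an unanchored regular expression by default, or an exact comparison when type(string) is given. The filter names and the addresses 10.10.10.1 / 10.10.10.10 are constructed to mirror the thread; the helper names are assumptions. It shows the switches filter also matching the firewall's address, then both fixes from the thread (anchoring with escaped dots, and type(string)), and finishes with a small check that reports any host matched by more than one filter, which is the kind of audit that would have surfaced this overlap before logs were written to two places.

```python
import re

# Constructed sample filters modelled on the thread: literal addresses used
# as host() patterns with the default (regex) matching.
FILTERS = {
    "switches": {"pattern": "10.10.10.1", "type": "regex"},
    "firewalls": {"pattern": "10.10.10.10", "type": "regex"},
}


def host_matches(pattern, host, ftype="regex"):
    """Approximate syslog-ng host() semantics.

    Default: the pattern is a regular expression and it is NOT anchored,
    so it may match anywhere inside the host name (re.search).
    type(string): the pattern is compared literally against the host.
    """
    if ftype == "string":
        return pattern == host
    return re.search(pattern, host) is not None


def anchor(literal_host):
    """First fix from the thread: escape the dots and anchor with ^ and $."""
    return "^" + re.escape(literal_host) + "$"


def matching_filters(filters, host):
    """Names of every filter that accepts a message from `host`."""
    return sorted(
        name
        for name, f in filters.items()
        if host_matches(f["pattern"], host, f["type"])
    )


def overlapping_hosts(filters, hosts):
    """Audit helper: {host: [filter names]} for hosts matching more than one filter."""
    result = {}
    for h in hosts:
        matched = matching_filters(filters, h)
        if len(matched) > 1:
            result[h] = matched
    return result


# Fix 1: anchored, escaped regex.
FILTERS_ANCHORED = {
    name: {"pattern": anchor(f["pattern"]), "type": "regex"}
    for name, f in FILTERS.items()
}

# Fix 2: host("10.10.10.10", type(string)) and friends.
FILTERS_STRING = {
    name: {"pattern": f["pattern"], "type": "string"}
    for name, f in FILTERS.items()
}

if __name__ == "__main__":
    hosts = ["10.10.10.1", "10.10.10.10", "10.10.10.15"]
    print("default regex:", overlapping_hosts(FILTERS, hosts))
    print("anchored:     ", overlapping_hosts(FILTERS_ANCHORED, hosts))
    print("type(string): ", overlapping_hosts(FILTERS_STRING, hosts))
```

Note that the unescaped dot is a second, quieter problem: "10.10.10.1" as a regex would also accept a host like "10x10x10x1", which the anchored and string forms both reject.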
