[syslog-ng] problems with syslog-ng host filter

Orangepeel Beef orangepeelbeef at gmail.com
Mon Jun 24 23:24:24 CEST 2013


I probably need lb.* but that isn't really the point as the lb one is
matching the comware filter and there is no way that name matches anything
in the comware filter regex.


On Mon, Jun 24, 2013 at 2:04 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:

> Are you sure you wanted lb*? It matches lb, lbb, lbbb and so on with ever
> increasing b-s.
>  On Jun 24, 2013 11:01 PM, "Orangepeel Beef" <orangepeelbeef at gmail.com>
> wrote:
>
>> I've got some strange problems with trying to use the syslog-ng host
>> filter.  It seems that every logline matches the filter f_comware but none
>> of them match f_netscaler.  It makes very little sense to me.  Reverse DNS
>> is working as the logs that end up in /var/log/remote have the correct
>> hostname being logged from the $HOST template.
>>
>> I have a second issue that SEC does not die when syslog-ng is restarted.
>> (I have used this setup in the past and have had no problems, but I
>> suppose things may have changed in both syslog-ng and sec since the last
>> time.)
>>
>> This is driving me crazy.. please help ;)
>>
>>
>> #config
>>
>>
>> @version: 3.1
>> #
>> # Syslog-ng configuration file, compatible with default Debian syslogd
>>
>> # First, set some global options.
>> options { long_hostnames(on); flush_lines(0); use_dns(yes); use_fqdn(yes);
>>  owner("syslog"); group("adm"); perm(0640); dns_cache_size(2000);
>> dns_cache_expire(21600);
>> dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000);
>> create_dirs(yes);
>> bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);
>> };
>>
>> source s_remote { udp();tcp(); };
>>
>> destination d_remote { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"
>> template("$R_DATE $HOST $MSG\n") template_escape(no)); };
>>
>> destination d_netscaler { program("/usr/local/sbin/sec_netscaler"
>> template("$R_DATE $HOST $MSG\n") template_escape(no)); };
>>
>> destination d_comware { program("/usr/local/sbin/sec_comware"
>> template("$R_DATE $HOST $MSG\n") template_escape(no)); };
>>
>>
>> filter f_netscaler { host("lb*ae1.mydomain.com"); };
>> filter f_comware { host("(as|cs|r)*ae1.mydomain.com"); };
>>
>> log { source(s_remote); destination(d_remote); };
>> log { source(s_remote); filter(f_netscaler); destination(d_netscaler); };
>> log { source(s_remote); filter(f_comware); destination(d_comware); };
>>
>>
>> #debug logs
>> [13:38:54]  Filter rule evaluation result; filter_result='match',
>> filter_rule='f_comware'
>> [13:38:56]  Incoming log entry; line='<190>Jun 21 20:37:54 2013
>> R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s
>> Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
>> [13:38:58]  Filter rule evaluation begins; filter_rule='f_netscaler'
>> [13:39:00]  Filter node evaluation result; filter_result='not-match'
>> [13:39:02]  Filter rule evaluation result; filter_result='not-match',
>> filter_rule='f_netscaler'
>> [13:39:04]  Filter rule evaluation begins; filter_rule='f_comware'
>> [13:39:06]  Filter node evaluation result; filter_result='match'
>> [13:39:08]  Filter rule evaluation result; filter_result='match',
>> filter_rule='f_comware'
>> [13:39:10]  Incoming log entry; line='<190>Jun 21 20:37:54 2013
>> R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s
>> Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
>> [13:39:12]  Filter rule evaluation begins; filter_rule='f_netscaler'
>> [13:39:14]  Filter node evaluation result; filter_result='not-match'
>> [13:39:16]  Filter rule evaluation result; filter_result='not-match',
>> filter_rule='f_netscaler'
>> [13:39:18]  Filter rule evaluation begins; filter_rule='f_comware'
>> [13:39:20]  Filter node evaluation result; filter_result='match'
>> [13:39:22]  Filter rule evaluation result; filter_result='match',
>> filter_rule='f_comware'
>> [13:39:24]  Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT
>> lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 :  User nsroot - Remote_ip
>> x.x.x.x - Command "login nsroot "********"" - Status "Success"'
>> [13:39:26]  Initializing destination file writer;
>> template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log',
>> filename='/var/log/remote/lb1o1ae1.mydomain.com/2013-06-21.log'
>> [13:39:28]  Filter rule evaluation begins; filter_rule='f_netscaler'
>> [13:39:31]  Filter node evaluation result; filter_result='not-match'
>> [13:39:33]  Filter rule evaluation result; filter_result='not-match',
>> filter_rule='f_netscaler'
>> [13:39:35]  Filter rule evaluation begins; filter_rule='f_comware'
>> [13:39:37]  Filter node evaluation result; filter_result='match'
>> [13:39:39]  Filter rule evaluation result; filter_result='match',
>> filter_rule='f_comware'
>> [13:39:41]  ^CTermination requested via signal, terminating;
>> [13:39:43]  syslog-ng shutting down; version='3.1.3'
>>
>>
>> #logs in /var/log/remote/lb2z2ae1.mydomain.com
>> Jun 21 20:23:34 lb2z2ae1.mydomain.com 20:23:34 GMT lb2z2ae1 0-PPE-3 : UI
>> CMD_EXECUTED 28261 0 :  User nsroot - Remote_ip x.x.x.x - Command "show
>> service GL-AE1-2AZ1-DB0001_9191" - Status "Success"
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
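The behaviour in the quoted debug output can be reproduced outside syslog-ng. This is an added example, not part of the original thread: it evaluates the two posted host() expressions as unanchored regular expressions, using Python's `re.search` as a stand-in for syslog-ng's matching (an assumption), next to hypothetical anchored rewrites. Hostnames marked constructed are not from the thread.

```python
import re

# Filter expressions exactly as posted in the thread's configuration.
POSTED = {
    "f_netscaler": r"lb*ae1.mydomain.com",
    "f_comware": r"(as|cs|r)*ae1.mydomain.com",
}

# Hypothetical anchored rewrites (assumption: a device name is a role prefix,
# then site characters, then "ae1"). These are not taken from the thread.
ANCHORED = {
    "f_netscaler": r"^lb.*ae1\.mydomain\.com$",
    "f_comware": r"^(as|cs|r).*ae1\.mydomain\.com$",
}

HOSTS = [
    "lb1o1ae1.mydomain.com",      # load balancer name from the debug log
    "lb2z2ae1.mydomain.com",      # load balancer name from /var/log/remote
    "r0507s3z3ae1.mydomain.com",  # constructed: switch short name + domain
    "web01ae1.mydomain.com",      # constructed: a host neither filter should take
]


def evaluate(filters, host):
    """Return the sorted names of filters whose regex is found anywhere in host.

    re.search is an unanchored search: a pattern matches if any substring of
    the host satisfies it, which is how the posted expressions are treated here.
    """
    return sorted(name for name, rx in filters.items() if re.search(rx, host))


def report():
    """Map each sample host to (posted result, anchored result)."""
    return {h: (evaluate(POSTED, h), evaluate(ANCHORED, h)) for h in HOSTS}


if __name__ == "__main__":
    for host, (posted, anchored) in report().items():
        print(f"{host:28} posted={posted} anchored={anchored}")
```

In the posted form, `(as|cs|r)*` can match zero times, so f_comware reduces to "contains ae1.mydomain.com" and accepts every host in that domain, while `lb*ae1` requires `ae1` directly after the run of b characters and so rejects `lb1o1ae1`.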

