[syslog-ng] problems with syslog-ng host filter
    Orangepeel Beef
    orangepeelbeef at gmail.com
    Mon Jun 24 23:49:07 CEST 2013

Although updating it to .* seems to have solved the issue...
I had tried various iterations of regexes, and none of them worked as
expected.
So I guess there must be a bug in syslog-ng for the patterns I had entered,
if it behaved as you noted (matched csssssssssssssss and rrrrrrrrrrrrrr
and lbbbbbbbbbbbbbbbbbbbbb).
The lb logs would not have been matching the comware filter, but they were,
and it wasn't just the lb logs: the comware filter matched pretty much any
hostname that I had.
But I guess for now I'm up and running.
On Mon, Jun 24, 2013 at 2:24 PM, Orangepeel Beef
<orangepeelbeef at gmail.com> wrote:
> I probably need lb.* but that isn't really the point, as the lb one is
> matching the comware filter and there is no way that name matches anything
> in the comware filter regex.
>
>
> On Mon, Jun 24, 2013 at 2:04 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>
>> Are you sure you wanted lb*? It matches lb, lbb, lbbb and so on with ever
>> increasing b's.
>>  On Jun 24, 2013 11:01 PM, "Orangepeel Beef" <orangepeelbeef at gmail.com>
>> wrote:
>>
>>> I've got some strange problems with trying to use the syslog-ng host
>>> filter.  It seems that every log line matches the filter f_comware but none
>>> of them match f_netscaler.  It makes very little sense to me.  Reverse DNS
>>> is working, as the logs that end up in /var/log/remote have the correct
>>> hostname being logged from the $HOST template.
>>>
>>> I have a second issue: SEC does not die when syslog-ng is restarted.
>>> (I have used this setup in the past and have had no problems, but I
>>> suppose things may have changed in both syslog-ng and SEC since the last
>>> time.)
>>>
>>> This is driving me crazy.. please help ;)
>>>
>>>
>>> #config
>>>
>>>
>>> @version: 3.1
>>> #
>>> # Syslog-ng configuration file, compatible with default Debian syslogd
>>>
>>> # First, set some global options.
>>> options {
>>>   long_hostnames(on); flush_lines(0); use_dns(yes); use_fqdn(yes);
>>>   owner("syslog"); group("adm"); perm(0640);
>>>   dns_cache_size(2000); dns_cache_expire(21600);
>>>   dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000);
>>>   create_dirs(yes);
>>>   bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);
>>> };
>>>
>>> source s_remote { udp();tcp(); };
>>>
>>> destination d_remote {
>>>   file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"
>>>        template("$R_DATE $HOST $MSG\n") template_escape(no));
>>> };
>>>
>>> destination d_netscaler {
>>>   program("/usr/local/sbin/sec_netscaler"
>>>           template("$R_DATE $HOST $MSG\n") template_escape(no));
>>> };
>>>
>>> destination d_comware {
>>>   program("/usr/local/sbin/sec_comware"
>>>           template("$R_DATE $HOST $MSG\n") template_escape(no));
>>> };
>>>
>>>
>>> filter f_netscaler { host("lb*ae1.mydomain.com"); };
>>> filter f_comware { host("(as|cs|r)*ae1.mydomain.com"); };
>>>
>>> log { source(s_remote); destination(d_remote); };
>>> log { source(s_remote); filter(f_netscaler); destination(d_netscaler); };
>>> log { source(s_remote); filter(f_comware); destination(d_comware); };
>>>
>>>
>>> #debug logs
>>> [13:38:54]  Filter rule evaluation result; filter_result='match',
>>> filter_rule='f_comware'
>>> [13:38:56]  Incoming log entry; line='<190>Jun 21 20:37:54 2013
>>> R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s
>>> Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
>>> [13:38:58]  Filter rule evaluation begins; filter_rule='f_netscaler'
>>> [13:39:00]  Filter node evaluation result; filter_result='not-match'
>>> [13:39:02]  Filter rule evaluation result; filter_result='not-match',
>>> filter_rule='f_netscaler'
>>> [13:39:04]  Filter rule evaluation begins; filter_rule='f_comware'
>>> [13:39:06]  Filter node evaluation result; filter_result='match'
>>> [13:39:08]  Filter rule evaluation result; filter_result='match',
>>> filter_rule='f_comware'
>>> [13:39:10]  Incoming log entry; line='<190>Jun 21 20:37:54 2013
>>> R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s
>>> Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
>>> [13:39:12]  Filter rule evaluation begins; filter_rule='f_netscaler'
>>> [13:39:14]  Filter node evaluation result; filter_result='not-match'
>>> [13:39:16]  Filter rule evaluation result; filter_result='not-match',
>>> filter_rule='f_netscaler'
>>> [13:39:18]  Filter rule evaluation begins; filter_rule='f_comware'
>>> [13:39:20]  Filter node evaluation result; filter_result='match'
>>> [13:39:22]  Filter rule evaluation result; filter_result='match',
>>> filter_rule='f_comware'
>>> [13:39:24]  Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT
>>> lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 :  User nsroot - Remote_ip
>>> x.x.x.x - Command "login nsroot "********"" - Status "Success"'
>>> [13:39:26]  Initializing destination file writer;
>>> template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log',
>>> filename='/var/log/remote/lb1o1ae1.mydomain.com/2013-06-21.log'
>>> [13:39:28]  Filter rule evaluation begins; filter_rule='f_netscaler'
>>> [13:39:31]  Filter node evaluation result; filter_result='not-match'
>>> [13:39:33]  Filter rule evaluation result; filter_result='not-match',
>>> filter_rule='f_netscaler'
>>> [13:39:35]  Filter rule evaluation begins; filter_rule='f_comware'
>>> [13:39:37]  Filter node evaluation result; filter_result='match'
>>> [13:39:39]  Filter rule evaluation result; filter_result='match',
>>> filter_rule='f_comware'
>>> [13:39:41]  ^CTermination requested via signal, terminating;
>>> [13:39:43]  syslog-ng shutting down; version='3.1.3'
>>>
>>>
>>> #logs in /var/log/remote/lb2z2ae1.mydomain.com
>>> Jun 21 20:23:34 lb2z2ae1.mydomain.com 20:23:34 GMT lb2z2ae1 0-PPE-3 :
>>> UI CMD_EXECUTED 28261 0 :  User nsroot - Remote_ip x.x.x.x - Command "show
>>> service GL-AE1-2AZ1-DB0001_9191" - Status "Success"
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>
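The behaviour in the debug log follows from how a syslog-ng host() filter is evaluated: the argument is a regular expression (POSIX by default in 3.x, PCRE on request) that is searched for anywhere in $HOST, not matched against the whole name. `lb*ae1.mydomain.com` therefore means "l, then zero or more b, then ae1.mydomain.com", which no NetScaler name contains, while `(as|cs|r)*ae1.mydomain.com` accepts zero repetitions of the group and so matches every host whose name contains `ae1.mydomain.com`, with the unescaped dots matching any character. The script below is an added illustration, not part of the thread or of syslog-ng; it replays the two posted patterns and a pair of anchored replacements of my own over a constructed host list (the real hostnames behind the comware and NetScaler devices are not known beyond the two or three that appear above, and the names are assumed to be the lower-case FQDNs reverse DNS returns, since the config has use_dns(yes), use_fqdn(yes) and keep_hostname(no)). Python's `re` is used as a stand-in because these patterns use only constructs the POSIX and PCRE engines share.

```python
import re

# Constructed sample $HOST values, modelled on the names in the thread. They are
# assumed to be the lower-case FQDNs reverse DNS hands syslog-ng; the real set of
# hosts is not known, and the cs/as/web names are invented for the illustration.
HOSTS = [
    "lb1o1ae1.mydomain.com",         # NetScaler (from the debug log)
    "lb2z2ae1.mydomain.com",         # NetScaler (from /var/log/remote)
    "r0507s3z3ae1.mydomain.com",     # Comware switch (from the debug log)
    "cs0101ae1.mydomain.com",        # Comware, assumed name
    "as0101ae1.mydomain.com",        # Comware, assumed name
    "web01ae1.mydomain.com",         # neither class, assumed name
]

# The host() patterns exactly as they appear in the posted config.
POSTED = {
    "f_netscaler": r"lb*ae1.mydomain.com",
    "f_comware":   r"(as|cs|r)*ae1.mydomain.com",
}

# Suggested replacements (mine, not from the thread): anchor both ends, escape
# the dots, and quantify a character class instead of the literal "b" or the group.
FIXED = {
    "f_netscaler": r"^lb[0-9a-z]*ae1\.mydomain\.com$",
    "f_comware":   r"^(as|cs|r)[0-9a-z]*ae1\.mydomain\.com$",
}


def evaluate(patterns, hosts):
    """Map each filter name to the hosts it would match.

    A syslog-ng host() filter is a regex search against $HOST: an unanchored
    pattern matches when it occurs anywhere in the name, which is exactly
    what re.search() does here.
    """
    compiled = {name: re.compile(p) for name, p in patterns.items()}
    return {name: [h for h in hosts if rx.search(h)]
            for name, rx in compiled.items()}


def quantifier_scope(pattern, candidates):
    """Return the candidates that `pattern` matches as a whole string.

    Shows that "lb*" is "l followed by zero or more b", not "lb then anything":
    it accepts "l", "lb", "lbbb" and rejects "lb1o1".
    """
    rx = re.compile(pattern)
    return [c for c in candidates if rx.fullmatch(c)]


def render_filters(patterns):
    """Emit the patterns as syslog-ng filter statements.

    Inside a double-quoted syslog-ng config string a backslash is an escape
    character, so every backslash in the regex is doubled on output.
    """
    lines = []
    for name, p in patterns.items():
        lines.append('filter %s { host("%s"); };' % (name, p.replace("\\", "\\\\")))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, pats in (("posted", POSTED), ("fixed", FIXED)):
        print("--", label)
        for name, hits in evaluate(pats, HOSTS).items():
            print("%-12s %s" % (name, ", ".join(hits) or "(no match)"))
    print("lb* as a whole string matches:",
          quantifier_scope(r"lb*", ["l", "lb", "lbbb", "lb1o1"]))
    print(render_filters(FIXED))
```

With the posted patterns, `f_netscaler` matches nothing and `f_comware` matches all six names, including the two load balancers and the unrelated web host, which is the "matched pretty much any hostname" symptom. With the anchored versions each host lands in exactly one class. The unanchored search is also the reason `.*` "solved" it: it simply widens the match rather than restricting it, so a filter that is meant to route a device's logs to a separate SEC instance should always be anchored and tested against the full set of expected $HOST values before it is trusted.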