[syslog-ng] problems with syslog-ng host filter

Balazs Scheidler bazsi77 at gmail.com
Wed Jun 26 06:05:28 CEST 2013 

Hi,

Don't forget that * matches zero occurrences too. In your come are filter
you used a prefix but with zero occurrences you will always match if the
domain name is right.

Try using + instead.
On Jun 24, 2013 11:49 PM, "Orangepeel Beef" <orangepeelbeef at gmail.com>
wrote:

> although updating it to .* seems to have solved the issue...
>
> I had tried various iterations of regexes, and none of them worked as
> expected.
>
> So I guess there must be a bug in syslog-ng for the patterns i had
> entered, if it behaved as you noted (matched csssssssssssssss  and
> rrrrrrrrrrrrrr  and lbbbbbbbbbbbbbbbbbbbbb)
>
> the lb logs would not have been matching the comware filter, but they
> were, and it wasn't just the lb logs, the comware filter matched pretty
> much any hostnames that i had.
>
> But i guess for now i'm up and running
>
>
>
>
>
> On Mon, Jun 24, 2013 at 2:24 PM, Orangepeel Beef <orangepeelbeef at gmail.com
> > wrote:
>
>> I probably need lb.*   but that isn't really the point as  the lb one is
>> matching the comware filter and there is no way that name matches anything
>> in the comware filter regex.
>>
>>
>> On Mon, Jun 24, 2013 at 2:04 PM, Balazs Scheidler <bazsi77 at gmail.com>wrote:
>>
>>> Are you sure you wanted lb*? It matches lb, lbb,lbbb and so on with ever
>>> increasing b-s.
>>>  On Jun 24, 2013 11:01 PM, "Orangepeel Beef" <orangepeelbeef at gmail.com>
>>> wrote:
>>>
>>>> I've got some strange problems with trying to use the syslog-ng host
>>>> filter.  It seems that every logline matches the filter f_comware but none
>>>> of them match f_netscaler.  It makes very little sense to me.  Reverse dns
>>>> is working as the logs that end up in /var/log/remote have the correct
>>>> hostname being logged from the $HOST template.
>>>>
>>>> I have a second issue that SEC does not die when syslog-ng is
>>>> restarted.  (I have used this setup in the past and have had no problems,
>>>> but i suppose things may have changed in both syslog-ng and sec since the
>>>> last time)
>>>>
>>>> This is driving me crazy.. please help ;)
>>>>
>>>>
>>>> #config
>>>>
>>>>
>>>> @version: 3.1
>>>> #
>>>> # Syslog-ng configuration file, compatible with default Debian syslogd
>>>>
>>>> # First, set some global options.
>>>> options { long_hostnames(on); flush_lines(0); use_dns(yes);
>>>> use_fqdn(yes);
>>>>  owner("syslog"); group("adm"); perm(0640); dns_cache_size(2000);
>>>> dns_cache_expire(21600);
>>>> dir_perm(0755); dir_group("adm"); stats_freq(0); log_fifo_size(200000);
>>>> create_dirs(yes);
>>>> bad_hostname("^gconfd$"); chain_hostnames(no); keep_hostname(no);
>>>> };
>>>>
>>>> source s_remote { udp();tcp(); };
>>>>
>>>> destination d_remote {
>>>> file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log" template("$R_DATE $HOST
>>>> $MSG\n") template_escape(no)); };
>>>>
>>>> destination d_netscaler { program("/usr/local/sbin/sec_netscaler"
>>>> template("$R_DATE $HOST $MSG\n") template_escape(no)); };
>>>>
>>>> destination d_comware { program("/usr/local/sbin/sec_comware"
>>>> template("$R_DATE $HOST $MSG\n") template_escape(no)); };
>>>>
>>>>
>>>> filter f_netscaler { host("lb*ae1.mydomain.com"); };
>>>> filter f_comware { host("(as|cs|r)*ae1.mydomain.com"); };
>>>>
>>>> log { source(s_remote); destination(d_remote); };
>>>> log { source(s_remote); filter(f_netscaler); destination(d_netscaler);
>>>> };
>>>> log { source(s_remote); filter(f_comware); destination(d_comware); };
>>>>
>>>>
>>>> #debug logs
>>>> [13:38:54]  Filter rule evaluation result; filter_result='match',
>>>> filter_rule='f_comware'
>>>> [13:38:56]  Incoming log entry; line='<190>Jun 21 20:37:54 2013
>>>> R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 0\'s
>>>> Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
>>>> [13:38:58]  Filter rule evaluation begins; filter_rule='f_netscaler'
>>>> [13:39:00]  Filter node evaluation result; filter_result='not-match'
>>>> [13:39:02]  Filter rule evaluation result; filter_result='not-match',
>>>> filter_rule='f_netscaler'
>>>> [13:39:04]  Filter rule evaluation begins; filter_rule='f_comware'
>>>> [13:39:06]  Filter node evaluation result; filter_result='match'
>>>> [13:39:08]  Filter rule evaluation result; filter_result='match',
>>>> filter_rule='f_comware'
>>>> [13:39:10]  Incoming log entry; line='<190>Jun 21 20:37:54 2013
>>>> R0507S3Z3AE1 %%10MSTP/6/MSTP_FORWARDING(l): -DevIP=x.x.x.x; Instance 1\'s
>>>> Ten-GigabitEthernet1/0/2 has been set to forwarding state.'
>>>> [13:39:12]  Filter rule evaluation begins; filter_rule='f_netscaler'
>>>> [13:39:14]  Filter node evaluation result; filter_result='not-match'
>>>> [13:39:16]  Filter rule evaluation result; filter_result='not-match',
>>>> filter_rule='f_netscaler'
>>>> [13:39:18]  Filter rule evaluation begins; filter_rule='f_comware'
>>>> [13:39:20]  Filter node evaluation result; filter_result='match'
>>>> [13:39:22]  Filter rule evaluation result; filter_result='match',
>>>> filter_rule='f_comware'
>>>> [13:39:24]  Incoming log entry; line='<134> 06/21/2013:20:37:54 GMT
>>>> lb1o1ae1 0-PPE-2 : UI CMD_EXECUTED 232044114 0 :  User nsroot - Remote_ip
>>>> x.x.x.x - Command "login nsroot "********"" - Status "Success"'
>>>> [13:39:26]  Initializing destination file writer;
>>>> template='/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log',
>>>> filename='/var/log/remote/lb1o1ae1.mydomain.com/2013-06-21.log'
>>>> [13:39:28]  Filter rule evaluation begins; filter_rule='f_netscaler'
>>>> [13:39:31]  Filter node evaluation result; filter_result='not-match'
>>>> [13:39:33]  Filter rule evaluation result; filter_result='not-match',
>>>> filter_rule='f_netscaler'
>>>> [13:39:35]  Filter rule evaluation begins; filter_rule='f_comware'
>>>> [13:39:37]  Filter node evaluation result; filter_result='match'
>>>> [13:39:39]  Filter rule evaluation result; filter_result='match',
>>>> filter_rule='f_comware'
>>>> [13:39:41]  ^CTermination requested via signal, terminating;
>>>> [13:39:43]  syslog-ng shutting down; version='3.1.3'
>>>>
>>>>
>>>> #logs in /var/log/remote/lb2z2ae1.mydomain.com
>>>> Jun 21 20:23:34 lb2z2ae1.mydomain.com 20:23:34 GMT lb2z2ae1 0-PPE-3 :
>>>> UI CMD_EXECUTED 28261 0 :  User nsroot - Remote_ip x.x.x.x - Command "show
>>>> service GL-AE1-2AZ1-DB0001_9191" - Status "Success"
>>>>
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation:
>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>
>>>>
>>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130626/a91209c7/attachment-0001.htm

More information about the syslog-ng mailing list