[syslog-ng] Logs sent to wrong destination

Renato Bezerra renatobamorim at gmail.com
Fri Jul 18 13:08:17 CEST 2014


Balazs, thanks for your help, I really thought that host() was a literal IP
address.

I'll try to adapt my filters to regexp patterns.


---
Renato Bezerra


2014-07-18 7:05 GMT-03:00 Balazs Scheidler <bazsi77 at gmail.com>:

> Please note that by default host() uses regexps where the '.' matches any
> character.
>
>
> On Thu, Jul 17, 2014 at 9:31 PM, Renato Bezerra <renatobamorim at gmail.com>
> wrote:
>
>> Hi Jakub,
>>
>> Thanks for the fast reply. I have other conf files, each one for a
>> different device type, that I include in the main configuration (just for
>> organization); all confs are based on the "host" filter.
>>
>> The source is a tcp class in my main configuration. If you judge it
>> necessary I can send the other confs, but in none of them did I put this IP
>> address in the filters.
>>
>>
>>
>>
>> ---
>> Renato Bezerra
>>
>>
>> 2014-07-17 16:16 GMT-03:00 Jakub Jankowski <shasta at toxcorp.com>:
>>
>> On 17.07.2014 21:09, Renato Bezerra wrote:
>>> > Hi,
>>> >
>>> > I've been using syslog-ng for a long time, but recently I noticed that, in
>>> > some cases, the log is sent to a wrong destination.
>>> >
>>> > I have many devices sending logs to my host. The problem appears when
>>> > the server receives webserver logs: they are delivered to a different
>>> > destination and I don't know how.
>>> >
>>> > here is the configuration:
>>> >
>>> > destination apache {
>>> >         file("/var/log/webserver/$R_YEAR-$R_MONTH-$R_DAY-$R_HOUR"
>>> >         owner(ll)
>>> >         group(ll)
>>> >         perm(0644)
>>> >         dir_perm(0755)
>>> >         create_dirs(yes));
>>> > };
>>> >
>>> > filter f_apache {
>>> >      (
>>> >          host("xxx.xxx.xxx.82") or
>>> >          host("xxx.xxx.xxx.137")
>>> >      );
>>> > };
>>> >
>>> > log {
>>> >      source(aaa);
>>> >      filter(f_apache);
>>> >      destination(apache);
>>> > };
>>> >
>>> > The IP address xxx.xxx.xxx.137 sends a duplicate log event to another
>>> > directory, without any other configuration.
>>> >
>>> > Have you seen this?
>>>
>>> Well, is that your *entire* configuration? I very much doubt so. You
>>> should post the entire config, not just this snippet. How are we
>>> supposed to know what this "another directory" is, and what filtering
>>> you apply in the log {} block that sends logs to it?
>>>
>>>
>>>
>>> J.
>>>
>>>
>>> --
>>> Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
>>> GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>
>>
>
>
> --
> Bazsi
>
>
>
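Added example, not part of the original thread: a Python sketch of why a bare IP address inside host() can route another device's logs to the wrong destination. It assumes host() behaves as an unanchored regular-expression search (modeled here with Python's re module, not syslog-ng's own regex engine); the addresses, the config fragment and the function names are constructed for illustration.

```python
import re

# Constructed config fragment in the style of the filter quoted in the thread.
CONFIG = r'''
filter f_apache {
    host("10.1.2.13") or
    host('^10\.1\.2\.82$')
};
'''

# Constructed list of devices that send logs to the collector.
OBSERVED = ["10.1.2.13", "10.1.2.137", "10.182.13.5",
            "110.1.2.13", "10.1.2.82", "10.1.2.14"]

HOST_RE = re.compile(r'''host\(\s*(["'])(.*?)\1\s*\)''')
BARE_IP = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def matches(pattern, host):
    """Model of host(): unanchored regex search (assumption, see lead-in)."""
    return re.search(pattern, host) is not None


def audit(config, observed_hosts):
    """Find host() patterns written as a bare dotted quad.

    Returns (pattern, other hosts it also matches, anchored replacement).
    """
    findings = []
    for _quote, pattern in HOST_RE.findall(config):
        if not BARE_IP.match(pattern):
            continue  # already escaped/anchored, or not an IP at all
        extra = [h for h in observed_hosts
                 if h != pattern and matches(pattern, h)]
        # Escape the dots and anchor both ends; single quotes keep the
        # backslashes literal in the syslog-ng config.
        fix = "host('^" + re.escape(pattern) + "$')"
        findings.append((pattern, extra, fix))
    return findings


if __name__ == "__main__":
    for pattern, extra, fix in audit(CONFIG, OBSERVED):
        print('host("%s") also matches: %s' % (pattern, ", ".join(extra)))
        print("  suggested replacement: %s" % fix)
```

On the constructed data, the unescaped pattern also matches a host with a longer last octet, a host in a different subnet (each '.' matching a digit), and a host with an extra leading digit; the anchored, escaped form matches only the intended address.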