filter, syslog, syslog-ng

Syslog messages coming from HP switches cannot be filtered correctly in syslog-ng?


I am having some trouble filtering messages coming from a few sources (HP switches) and I would like some advice.

I have a huge syslog-ng configuration file, filtering messages coming from many different sources (Unix servers, NAS filers, appliances, etc.).

I generally filter messages using the host() function, or filter(), or even program().

However, I am having trouble filtering messages coming from some HP switches (network & SAN switches), while the message format seems to be correct.

For example, I'm receiving messages such as:

Mar 14 10:40:48 switchname program: message contents here

and I created a filter like this (used in a log function later):

filter f_network {
    host("switch*");
};

but it does not work (while all the others are working, for other kinds of devices). I also tried to filter on the program name, same problem.

Is there a way to investigate this and understand why it is not working? Maybe the message is formatted differently and the host field is not this one (I tried all the other fields and didn't manage to make it work).

When sniffing the network interface using tcpdump, I can see a normal message (no special characters hidden or anything else, apparently, but maybe I'm not using the right flags).

Any way of checking this?

Thanks, regards


Solution

  • This problem is solved somehow (because of the priority).

    I made a new topic here for another error I get with a more complex syslog message: unable to filter badly-formatted messages in syslog-ng
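The question's host("switch*") filter and the answer's remark that the priority turned out to be the cause can both be checked with the following added example. It is not code from the original thread and not syslog-ng's own parser: it is a small Python RFC 3164 ("BSD syslog") line splitter that shows which bytes land in the PRI, TIMESTAMP, HOST, PROGRAM and MSG slots, together with a host filter that mirrors syslog-ng's host() semantics (a regular expression by default). The sample datagrams, the sender address 192.0.2.10 and the fallback to the sender address when no header is recognised are assumptions taken from RFC 3164 for this example, not the poster's captured traffic.

```python
"""
Added example (not from the original thread): an RFC 3164 line splitter plus
a host() style filter, run over constructed datagrams to show why a filter
written for the device's own hostname can silently stop matching when the
<PRI> prefix is absent or malformed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# <PRI> is one to three digits in angle brackets at the very start of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss", single-digit days are space padded.
TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
# TAG: program name, optional [pid], then a colon.
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]+)(?:\[(\d+)\])?:\s*")

# user.notice: RFC 3164 section 4.3.3 tells a relay to assume this when PRI is absent.
DEFAULT_PRI = 13


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]
    host: str
    program: Optional[str]
    pid: Optional[str]
    msg: str
    header_parsed: bool  # False when HOST had to fall back to the sender address


def parse_bsd_syslog(raw: str, sender_ip: str) -> SyslogMessage:
    """Split one datagram the way an RFC 3164 receiver does.

    sender_ip is the UDP source address (an assumed value in this example).
    It becomes HOST whenever the header (timestamp + hostname) cannot be
    recognised, which is what RFC 3164 section 4.3.2 prescribes and what
    makes a host() filter written for the device's own name stop matching.
    """
    rest = raw.rstrip("\r\n")
    pri = DEFAULT_PRI
    m = PRI_RE.match(rest)
    if m:
        pri = int(m.group(1))
        rest = rest[m.end():]
    facility, severity = divmod(pri, 8)

    m = TIMESTAMP_RE.match(rest)
    if not m:
        # No recognisable header: everything after PRI is the MSG part and
        # HOST is the address the datagram came from.
        return SyslogMessage(facility, severity, None, sender_ip, None, None, rest, False)
    timestamp = m.group(1)
    rest = rest[m.end():]

    host, _, rest = rest.partition(" ")
    program = pid = None
    m = TAG_RE.match(rest)
    if m:
        program, pid = m.group(1), m.group(2)
        rest = rest[m.end():]
    return SyslogMessage(facility, severity, timestamp, host, program, pid, rest, True)


def host_matches(message: SyslogMessage, pattern: str) -> bool:
    """Mirror syslog-ng's host() filter: its argument is a regular expression
    searched in HOST (unanchored) unless type("glob") or type("string") is set,
    so "switch*" means "switc" followed by any number of "h", anywhere in HOST."""
    return re.search(pattern, message.host) is not None


def explain(raw: str, sender_ip: str = "192.0.2.10") -> dict:
    """Field-by-field dump of one line: the check to run before blaming the filter."""
    p = parse_bsd_syslog(raw, sender_ip)
    return {
        "header_parsed": p.header_parsed,
        "facility": p.facility,
        "severity": p.severity,
        "HOST": p.host,
        "PROGRAM": p.program,
        "MSG": p.msg,
        "host_filter_matches": host_matches(p, "switch*"),
    }


# Constructed sample datagrams (not captured traffic), as they would arrive over UDP.
SAMPLES = {
    # Well-formed: PRI, timestamp, hostname, tag. HOST is the switch's own name.
    "well_formed": "<134>Mar 14 10:40:48 switchname program: message contents here",
    # PRI missing entirely: the header still parses, PRI defaults to 13.
    "no_pri": "Mar 14 10:40:48 switchname program: message contents here",
    # Malformed PRI (closing bracket missing): the timestamp is no longer at the
    # start, so the whole line becomes MSG and HOST falls back to the sender IP.
    "bad_pri": "<134 Mar 14 10:40:48 switchname program: message contents here",
}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, explain(line))
```

Running the block prints the slot-by-slot breakdown for each sample; the "bad_pri" line is the case the thread's answer points at: the device's name never reaches HOST, so host("switch*") has nothing to match. Two checks that answer the "right flags" worry in the question: tcpdump with -X prints the hex alongside the ASCII, so a missing or odd <PRI> prefix and any non-printable bytes are visible, and running syslog-ng in the foreground with -Fevd traces how it parsed each message. Also note that the host() argument is a regular expression by default, so "switch*" also matches any hostname containing "switc"; use type("glob") if a shell-style wildcard was intended.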