Bug 317321 - app-admin/syslog-ng-3.0.4 - filters work incorrectly
Summary: app-admin/syslog-ng-3.0.4 - filters work incorrectly
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: High minor
Assignee: Mr. Bones. (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-26 15:38 UTC by victor romanchuk
Modified: 2010-04-28 21:06 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description victor romanchuk 2010-04-26 15:38:31 UTC
see below

Reproducible: Always

Steps to Reproduce:
1. syslog-ng built with the following USE flags: pcre ssl tcpd (see emerge --info below)

2. syslog-ng configuration (/etc/syslog-ng/syslog-ng.conf)

@version: 3.0
...
source net { udp(ip(10.24.14.12)
                 keep_timestamp(no)
                 keep_hostname(yes)
                ); };
...
destination blinkylog { file("/var/log/blinky" suppress(120)); };
destination pinkylog { file("/var/log/pinky" suppress(120)); };
destination inkylog { file("/var/log/inky" suppress(120)); };
...
filter f_blinky { host("blinky"); };
filter f_pinky { host("pinky"); };
filter f_inky { host("inky"); };
...
log { source(net); filter(f_blinky); destination(blinkylog); };
log { source(net); filter(f_pinky); destination(pinkylog); };
log { source(net); filter(f_inky); destination(inkylog); };

Actual Results:  
syslog output collected from mentioned hosts actually goes to three destinations:

* from host blinky it goes to /var/log/blinky
* from host pinky it goes to /var/log/pinky
* from host inky it goes to /var/log/inky

BUT: /var/log/inky also contains output from both blinky and pinky. this actually means that filter expression 'host("...")' works improperly

Expected Results:  
workaround available:

...
filter f_blinky { netmask(10.24.14.16/32); };
filter f_pinky { netmask(10.24.14.17/32); };
filter f_inky { netmask(10.24.14.18/32); };
...

gives proper result: syslog output from different network sources goes to the corresponding destination files

the problem i've got is either a bug or poor documentation: admin guide refers to quoted items as "expressions" however it is unclear how to deal with these expressions

$ emerge --info app-admin/syslog-ng
Portage 2.1.8.3 (default/linux/x86/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.32-gentoo-r7 i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.32-gentoo-r7-i686-Intel-R-_Core-TM-2_Quad_CPU_Q9300_@_2.50GHz-with-gentoo-1.12.13
Timestamp of tree: Mon, 26 Apr 2010 03:45:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p37
dev-java/java-config: 2.1.10
dev-lang/python:     2.6.4-r1
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA skype-eula dlj-1.1 PUEL"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -msse4.1 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -march=core2 -msse4.1 -fomit-frame-pointer -pipe"
DISTDIR="/raid/0/6/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles"
LANG="en_US.UTF8"
LC_ALL="en_US.UTF8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acpi alsa bash-completion berkdb bluetooth bzip2 cairo cli consolekit cracklib crypt cups cxx dri emacs exif fts3 gdbm gif gnome gpm gstreamer gtk hal iconv jpeg mmx modules mudflap ncurses nls nptl nptlonly nsplugin openmp pam pcre perl png pppd python readline reflection session spell spl sse sse2 ssl ssse3 svg sysfs tcpd threads tiff truetype type1 unicode wmf x86 xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

app-admin/syslog-ng-3.0.4 was built with the following:
USE="pcre ssl tcpd -caps -hardened -ipv6 (-selinux) -spoof-source -sql -static"
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2010-04-28 21:06:57 UTC
The problem is not the documentation or a bug in the program but rather your understanding of how regular expressions work. You need to review:

http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s06.html

And follow the instructions there.

In the case you've included in this bug for example, "inky" is a match for both "blinky" and "pinky" so of course all the messages will end up in that log.
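
Added example, not part of the original bug thread: a small Python check that reproduces the routing described above and flags any host whose messages would land in more than one destination. It assumes Python's `re.search` as a stand-in for syslog-ng's regex matching in `host()`; the destination names come from the reported config, and the hostname `clyde` is constructed.

```python
import re

# Patterns exactly as written in the reported host() filters (unanchored).
REPORTED = {"blinkylog": "blinky", "pinkylog": "pinky", "inkylog": "inky"}

# Anchored variant: the pattern must cover the whole hostname.
# The equivalent filter in syslog-ng.conf would be host("^inky$") and so on.
ANCHORED = {dest: "^" + re.escape(pat) + "$" for dest, pat in REPORTED.items()}

# Constructed sample hostnames; "clyde" has no filter and should match nothing.
HOSTS = ["blinky", "pinky", "inky", "clyde"]


def route(host, filters):
    """Return the sorted destinations whose pattern matches anywhere in host."""
    return sorted(d for d, p in filters.items() if re.search(p, host))


def overlaps(hosts, filters):
    """Map each host that is routed to more than one destination to that list."""
    found = {}
    for host in hosts:
        dests = route(host, filters)
        if len(dests) > 1:
            found[host] = dests
    return found


if __name__ == "__main__":
    for name, filters in (("reported", REPORTED), ("anchored", ANCHORED)):
        print(name)
        for host in HOSTS:
            print(f"  {host:7} -> {route(host, filters) or ['(no match)']}")
        print("  overlaps:", overlaps(HOSTS, filters))
```

Anchored patterns match the exact hostname only, so if senders report fully qualified names the pattern has to account for the domain part as well.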