[syslog-ng] filter(DEFAULT)

Andrew Fort afort@staff.webcentral.com.au
Wed, 13 Dec 2000 15:07:42 +1000


> What I have tried to do is log each service to its own file.  At the
> very bottom of the conf file I put:
> 
> log { source(src); filter(f_host1); filter(DEFAULT); 
> destination(host1_messages); };
> etc. for host2 and host3
> 
> and finally another log line with ONLY filter(DEFAULT) for things that
> don't get matched at all (which should never happen).
> 
> However, what I am seeing appears to be that my host() filters are
> being ignored when using the DEFAULT filter with it.  In other words,
> unmatched log entries for host2 and host3 are appearing in
> host1_messages.
> 
> Is that correct behavior?

It's the documented behaviour.

Currently, I don't think syslog-ng can do "anything not already caught for
this host" type filters; its filtering logic is a little bit simpler than
this.

The filter patch suggested for 1.5.0 (development release) forces the
filters to be evaluated in the order they appear in the file, but
essentially the logic is:

- For each log line, match what is in the filter statement.  If we get a
hit, set the "match" flag.
  - Repeat for all further filters (so multiple filters cause multiple
matches, but match still =1).
- When syslog-ng tests the "DEFAULT" filter, it only performs its action if
match=0.

This allows multiple filters to match out to multiple locations (useful),
but doesn't allow the (arguably) also useful feature of excluding particular
things as we go.

I hope I got this right, I hope I'm close (this is the bit of syslog-ng I've
been studying lately :)

--
afort
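
The match-flag logic sketched in the message above, modeled as an added example (not syslog-ng source and not part of the original post). It assumes one filter per log statement with DEFAULT placed last; the filter names, destinations and sample messages are constructed.

```python
# Model of the match-flag logic described in the message above.
# Not syslog-ng source: filter names, destinations and messages are constructed.
DEFAULT = "DEFAULT"

# Constructed filters: each maps a name to a predicate over a parsed message.
FILTERS = {
    "f_host1": lambda m: m["host"] == "host1",
    "f_sshd": lambda m: m["program"] == "sshd",
}

# Constructed log statements, in file order: (filter name, destination).
# Assumption: one filter per statement, DEFAULT placed last.
STATEMENTS = [
    ("f_sshd", "sshd_log"),
    ("f_host1", "host1_messages"),
    (DEFAULT, "unmatched"),
]


def route(msg, statements=STATEMENTS, filters=FILTERS):
    """Return the destinations a message reaches, in evaluation order."""
    match = 0  # one flag per message, shared by every statement
    reached = []
    for name, dest in statements:
        if name == DEFAULT:
            # DEFAULT acts only when nothing earlier set the flag.
            if match == 0:
                reached.append(dest)
        elif filters[name](msg):
            match = 1  # further hits deliver again, the flag stays 1
            reached.append(dest)
    return reached


if __name__ == "__main__":
    samples = [  # constructed messages
        {"host": "host1", "program": "sshd"},
        {"host": "host1", "program": "cron"},
        {"host": "host2", "program": "sshd"},
        {"host": "host2", "program": "cron"},
    ]
    for m in samples:
        print(m["host"], m["program"], "->", route(m))
```

In this model the flag records only that some filter hit, so the catch-all cannot be scoped to a single host, and a host1 message already delivered to sshd_log is still delivered to host1_messages.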