[syslog-ng] Re: bug? OR don't seem to work right.

Balazs Scheidler bazsi@balabit.hu
Mon, 29 Jan 2001 11:07:21 +0100


On Fri, Jan 19, 2001 at 04:36:39PM +0100, Samuel Krempp wrote:
> You could not reproduce it ?
> maybe it is specific to my platform then..
> PC Debian Woody (up to date), syslog-ng deb package version 1.4.10-1..
> 
> Here are more details on my setup and results, and I attach my complete
> syslog-ng.conf
> (only the beginning of my syslog-ng.conf differs from Debian's default
> config), and a full piece of 'try.log'.


> (chosen bits : )
> Jan 19 16:13:33 zamok syslog-ng[6453]: syslog-ng version 1.4.10 starting
> Jan 19 16:13:33 zamok imapd[6455]: connect from kino.crans.org
> Jan 19 16:13:35 zamok imapd[6458]: Logout user=szakacs
> host=localhost.crans.org [127.0.0.1]
> Jan 19 16:13:37 zamok sshd2[386]: connection from "138.231.137.199"
> Jan 19 16:13:37 zamok sshd[6460]: log: Generating 768 bit RSA key.
> Jan 19 16:14:17 zamok cucipop[6496]: arlais 127.0.0.1 0, 0 (0), 0 (0)
> Jan 19 16:14:17 zamok stunnel[6495]: Connection closed: 191 bytes sent to
> SSL, 39 bytes sent to socket

As I see in your config, everything logging under local3 is sent to trylog.
Might that be a problem? I tried the following configuration and messages
and everything was logged correctly:

---- syslog-ng.conf ----
source src { internal(); tcp(localport(1999)); };
destination allmsg { file("allmsg"); };
destination trylog { file("trylog"); };

filter f_ssh { facility(local3); };

filter f_separe { program("(tunnel)|(dhcp)|(squid)"); };
filter f_try { filter(f_separe) or filter(f_ssh); };

log { source(src);  destination(allmsg); };
log { source(src);  filter(f_try);   destination(trylog); };
--------

#test1

balabit:~/src/syslog-ng-1.5/src$ echo "<152> This is local3.emerg message" | nc localhost 1999
balabit:~/src/syslog-ng-1.5/src$ cat allmsg
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
balabit:~/src/syslog-ng-1.5/src$ cat trylog
Jan 29 10:59:10 localhost/localhost This is local3.emerg message

Thus the message passed the f_try() filter. 

#test2

A message with tunnel in the program name and with facility != local3:

balabit:~/src/syslog-ng-1.5/src$ echo "Jan 19 16:14:32 zamok stunnel[6514]: tunnel-pop connected from" | nc localhost 1999
balabit:~/src/syslog-ng-1.5/src$ cat allmsg
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from
balabit:~/src/syslog-ng-1.5/src$ cat trylog
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from

This passed the filter as well. 

#test3 

Now a message with facility != local3, and not matching program name:

balabit:~/src/syslog-ng-1.5/src$ echo "Jan 19 16:14:32 zamok krixkrax[6514]: tunnel-pop connected from" | nc localhost 1999
balabit:~/src/syslog-ng-1.5/src$ cat allmsg
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from
Jan 19 16:14:32 zamok/localhost krixkrax[6514]: tunnel-pop connected from
balabit:~/src/syslog-ng-1.5/src$ cat trylog
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from

So this one did not go through, which is the correct behaviour. My system is
running Debian GNU/Linux potato r2.2.

You might strace the programs sending those messages and check which
facility they really use. (Though if they use local3, the messages should've
shown up in ssh.log as well.)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
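An added example, not part of the original mail or of syslog-ng itself, that models the filter logic tested above in Python: it decodes the `<PRI>` facility the way a syslog receiver does, extracts the program field, and evaluates `f_separe or f_ssh` over constructed copies of the three test messages. It assumes that `program()` matches only the program field (not the message body) and that a line without a `<PRI>` is treated as user.notice.

```python
import re

# Facility codes from RFC 3164; local0..local7 are codes 16..23.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(r"^\s*[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")  # "Jan 19 16:14:32 zamok "
PROGRAM_RE = re.compile(r"^([^\[:\s]+)(?:\[\d+\])?:")                     # "stunnel[6514]:"


def parse_syslog(line):
    """Return (facility, severity, program) for one raw syslog line."""
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))                      # e.g. <152> -> 19*8 + 0 = local3.emerg
        facility = FACILITIES.get(pri // 8, f"facility{pri // 8}")
        severity = SEVERITIES[pri % 8]
        rest = line[m.end():]
    else:
        # Assumption: a line with no <PRI> is taken as user.notice.
        facility, severity, rest = "user", "notice", line
    rest = HEADER_RE.sub("", rest, count=1).lstrip()
    pm = PROGRAM_RE.match(rest)
    return facility, severity, (pm.group(1) if pm else "")

# The filters from the tested syslog-ng.conf, written as predicates.
SEPARE_RE = re.compile(r"(tunnel)|(dhcp)|(squid)")

def f_ssh(facility, program):
    return facility == "local3"

def f_separe(facility, program):
    # program() is an unanchored regex over the program field only, so "tunnel"
    # appearing in the message body (test3, program krixkrax) does not count.
    return SEPARE_RE.search(program) is not None

def f_try(facility, program):
    return f_separe(facility, program) or f_ssh(facility, program)

def goes_to_trylog(line):
    """True when the message would reach destination(trylog)."""
    facility, _severity, program = parse_syslog(line)
    return f_try(facility, program)

# Constructed copies of the three messages sent with nc in the tests above.
TESTS = ["<152> This is local3.emerg message",
         "Jan 19 16:14:32 zamok stunnel[6514]: tunnel-pop connected from",
         "Jan 19 16:14:32 zamok krixkrax[6514]: tunnel-pop connected from"]
```

Running `parse_syslog` over a suspect daemon's real output is a quick way to confirm which facility it actually uses before reaching for strace.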