[syslog-ng] 2.0.x bug - filter(auth) fails to match

Evan Rempel erempel at uvic.ca
Wed Mar 28 22:19:27 CEST 2007


With the following configuration

source local { unix-stream("/dev/log" max-connections(200));
                file("/proc/kmsg" log_prefix("kernel: "));
                internal(); };

template standard_file  { template("$ISODATE $FULLHOST $FACILITY.$LEVEL $PRI $MESSAGE\n"); template_escape(no); };

destination auth.log    { file("/var/syslog/auth.log.$YEAR$MONTH$DAY.000000"    perm(0640) template(standard_file) ); };
destination unknown.log { file("/var/syslog/unknown.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); };
destination test.log    { file("/var/syslog/test.log.$YEAR$MONTH$DAY.000000"  perm(0640) template(standard_file) ); };


filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(^slapd); };

# ****** PROBLEM LOG LINE ****
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
# ****** PROBLEM LOG LINE ****

log { source(local); filter(f_auth); destination(auth.log); };

# safeguard to catch anything missed by other filters
log { source(local); destination(unknown.log); flags(fallback); };


All of the log messages with the facility of auth go into the unknown.log file.

If I remove the problematic log line (to test.log) or change the order of its filters
or change the first filter to be other than f_local1 (even changing the f_local1 filter to match a different
facility) then everything works as expected.

All of these work fine

# -----------------------------------------------------
filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(slapd); };
log { source(local); filter(f_auth); filter(f_ldap); destination(test.log); };

# -----------------------------------------------------
filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(slapd); };
# log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };

# -----------------------------------------------------
filter f_auth         { facility(auth); };
filter f_local1       { facility(local0); };
filter f_ldap       { program(^slapd); };
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };

# -----------------------------------------------------
filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(^slapd); };
filter f_test       { facility(local1) and program(^sldapd); };
log { source(local); filter(f_test); destination(test.log); };


So, how is the first example going wrong?

Evan.
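
A reference model of how the log statements in the first configuration above are expected to route messages, added here as an example; it is not part of the original post and not syslog-ng's own code. It assumes the documented semantics (filters within one log statement are ANDed, and flags(fallback) receives only messages that no non-fallback statement accepted); the function names and the sample program names are constructed.

```python
import re

# Filters from the posted configuration, as predicates over (facility, program).
FILTERS = {
    "f_auth": lambda fac, prog: fac == "auth",
    "f_local1": lambda fac, prog: fac == "local1",
    "f_ldap": lambda fac, prog: re.search(r"^slapd", prog) is not None,
}

# Log statements in file order: (filter names, destination, is_fallback).
LOG_PATHS = [
    (["f_local1", "f_ldap"], "test.log", False),   # the "problem" statement
    (["f_auth"], "auth.log", False),
    ([], "unknown.log", True),                     # flags(fallback)
]


def route(facility, program, log_paths=LOG_PATHS):
    """Return the destinations a message is expected to reach.

    Every non-fallback statement whose filters all match gets the message;
    fallback statements get it only if no non-fallback statement matched.
    """
    matched, fallback = [], []
    for names, dest, is_fallback in log_paths:
        if all(FILTERS[n](facility, program) for n in names):
            (fallback if is_fallback else matched).append(dest)
    return matched or fallback


def check_observed(observed):
    """Compare observed routing against the model.

    `observed` maps (facility, program) to the list of files the message
    actually landed in. Returns (sample, expected, actual) for each mismatch.
    """
    return [(s, route(*s), got) for s, got in observed.items() if route(*s) != got]


if __name__ == "__main__":
    # Constructed observation matching the behaviour reported in the post:
    # an auth message ends up in unknown.log instead of auth.log.
    reported = {("auth", "sshd"): ["unknown.log"],
                ("local1", "slapd"): ["test.log"]}
    for sample, expected, actual in check_observed(reported):
        print(f"{sample}: expected {expected}, observed {actual}")
```

Feeding it the destinations seen after sending test messages to a running daemon flags any facility that silently drops into the fallback file, which matters most for auth logs.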

