[syslog-ng] problem with filtering in syslog-ng

Evan Baer evan.d.baer at gmail.com
Tue Feb 23 23:56:47 CET 2010


I pared down the log() lines and it worked and filtered as expected.
There was a trailing entry, at the end of the file, which seemed to be
causing the problem.  Thanks for the help today!

On Tue, Feb 23, 2010 at 5:50 PM, Jerry Bell <jerry at nrdx.com> wrote:
> I am suspicious that the program() filter is not working as expected on
> these logs.  Can you try to create a separate log file for just ntpd
> logs like this?
>
> filter ntpd {program("ntpd"); };
> destination d_ntpd { file("/var/log/ntpdtest"); };
> log { source(src); filter(ntpd); destination(d_ntpd); };
>
>
> That would tell us whether the program filter is actually interpreting
> the program field properly for these logs.
>
> Jerry
>
> On 2/23/2010 10:58 AM, Evan Baer wrote:
>> Same result, the ntpd lines still make it through.
>>
>>
>> On Tue, Feb 23, 2010 at 10:09 AM, Fegan, Joe<Joe.Fegan at hp.com>  wrote:
>>
>>> Try it without the *
>>>
>>> -----Original Message-----
>>> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Baer
>>> Sent: 23 February 2010 14:57
>>> To: Zoltán Pallagi
>>> Cc: Syslog-ng users' and developers' mailing list
>>> Subject: Re: [syslog-ng] problem with filtering in syslog-ng
>>>
>>> The ntpd lines are still falling through.  Should I include the
>>> final() syntax on all my log lines?
>>>
>>> filter not_ntpd { not program("ntpd*"); };
>>>
>>> log { source(src); filter(f_notice); filter(f_not_authpriv);
>>> filter(not_ntpd); destination(messages); flags(final); };
>>> log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
>>> log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
>>> log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
>>>
>>> Here is an example of what we still see in the logs:
>>>
>>> Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on interface #2 lo0, 127.0.0.1#123 Enabled
>>> Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on routing socket on fd #23 for interface updates
>>>
>>>
>>>
>

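An added configuration example, not taken from any message in this thread, showing how a later log statement can deliver messages that an earlier statement filtered out, and two ways to close that gap. The names `src`, `messages`, `f_notice` and `f_not_authpriv` follow the thread; the source and destination definitions, the filter bodies, the `f_ntpd`/`f_not_ntpd` names and the form of the trailing catch-all statement are assumptions, since the thread does not show them.

```conf
# Assumed definitions (the thread does not show these).
source src { unix-dgram("/dev/log"); internal(); };
destination messages { file("/var/log/messages"); };
filter f_notice       { level(notice..emerg); };
filter f_not_authpriv { not facility(authpriv); };

filter f_ntpd     { program("ntpd"); };
filter f_not_ntpd { not program("ntpd"); };

# --- Before (commented out): ntpd lines still reach "messages" ---
# Each log statement is evaluated independently. flags(final) only ends
# processing for messages this statement accepted; ntpd messages are
# rejected by f_not_ntpd here, so they continue to the next statement.
#log { source(src); filter(f_notice); filter(f_not_authpriv);
#      filter(f_not_ntpd); destination(messages); flags(final); };
# Hypothetical trailing catch-all: no ntpd filter, so it writes them.
#log { source(src); destination(messages); };

# --- After, option A: drop ntpd before any other statement sees it ---
# A statement with a filter, no destination and flags(final) discards
# every message it matches.
log { source(src); filter(f_ntpd); flags(final); };
log { source(src); filter(f_notice); filter(f_not_authpriv);
      destination(messages); };

# --- After, option B (alternative to A, shown commented out) ---
# Put the exclusion on every statement that writes to "messages",
# including any trailing one.
#log { source(src); filter(f_notice); filter(f_not_authpriv);
#      filter(f_not_ntpd); destination(messages); };
#log { source(src); filter(f_not_ntpd); destination(messages); };
```

When a filtered program still shows up in a destination, checking every log statement that references that destination, including ones at the end of the file, finds the path that carries it.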
