[syslog-ng] program_override("kernel") not working in 3.0.4

Lance Laursen lance at demonware.net
Tue Jan 5 04:16:53 CET 2010


On Mon, Jan 4, 2010 at 7:07 PM, Paul B. Henson <henson at acm.org> wrote:

>
> I'm trying to upgrade from 2.1.3 to 3.0.4 under Linux, and am having
> trouble getting my kernel messages tagged appropriately.
>
> My previous configuration had the following:
>
> -----
> source k_src { pipe("/proc/kmsg" log_prefix("kernel: ")); };
>
> destination iptables { file("/var/log/iptables.log"); };
> filter f_iptables { match("iptables:"); };
> log { source(k_src); filter(f_iptables); destination(iptables);
> flags(final); };
>
> destination messages { file("/var/log/messages"); };
> log { source(src); source(k_src); destination(messages); };
> -----
>
> All of my kernel messages showed up with the "kernel:" prefix, and anything
> coming from iptables was dropped in a separate log.
>
> Based on the documentation, I modified my configuration to the following
> for 3.0.4:
>
> -----
> source k_src { file("/proc/kmsg" program_override("kernel")); };
>
> destination iptables { file("/var/log/iptables.log"); };
> filter f_iptables { program("^kernel$") and message("^iptables:"); };
> log { source(k_src); filter(f_iptables); destination(iptables);
> flags(final); };
>
> destination messages { file("/var/log/messages"); };
> log { source(src); source(k_src); destination(messages); };
> -----
>
> However, my kernel messages show up with no prefix. I tried starting up in
> debug mode:
>
> -----
> syslog-ng starting up; version='3.0.4'
> Incoming log entry; line='<6>usb 2-7: USB disconnect, address 8'
> Filter rule evaluation begins; filter_rule='f_iptables'
> Filter node evaluation result; filter_result='not-match'
> Filter node evaluation result; filter_result='not-match', filter_type='AND'
> Filter rule evaluation result; filter_result='not-match',
> filter_rule='f_iptables'
> Initializing destination file writer; template='/var/log/messages',
> filename='/var/log/messages'
> Incoming log entry; line='<4>iptables: IN=eth0 OUT=
> MAC=0:05:00:10:97:43:00:0SC147.5.2 S=2... E=8TS00 RC0C T= D363POO2'
> Filter rule evaluation begins; filter_rule='f_iptables'
> Filter node evaluation result; filter_result='not-match'
> Filter node evaluation result; filter_result='not-match', filter_type='AND'
> Filter rule evaluation result; filter_result='not-match',
> filter_rule='f_iptables'
> -----
>
> This didn't help me. Am I doing something wrong? I didn't find any
> complaints of this nature on the mailing list, which leads me to suspect
> I'm somehow being stupid, any pointers much appreciated.
>
> Thanks...
>
>
> --
> Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst  |  henson at csupomona.edu
> California State Polytechnic University  |  Pomona CA 91768
>

Hello!

Syslog-ng 3.0.5 has the following in its bugfixes update:

* Fixed host_override/program_override options that were broken in 3.0.4.

I'd grab version 3.0.5 regardless as it is a recommended upgrade with a
number of bugfixes.


-- 
Lance Laursen
Demonware Systems Engineer
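
A check that could be run after an upgrade like this one, added here as an example (it is not code from the thread or from syslog-ng): it parses debug output of the kind quoted above and reports messages that `f_iptables` rejected even though their payload begins with `iptables:`. The function names and the unwrapped sample trace are assumptions constructed for illustration.

```python
import re

# Constructed sample: syslog-ng debug lines in the style quoted in this
# thread, unwrapped to one event per line; the iptables payload is shortened.
TRACE = """\
Incoming log entry; line='<6>usb 2-7: USB disconnect, address 8'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
Incoming log entry; line='<4>iptables: IN=eth0 OUT= (constructed payload)'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
"""

# key='value' pairs as they appear after the semicolon in each debug line
KV = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")

def parse_event(line):
    """Split "Text; k='v', k='v'" into (text, {k: v})."""
    text, _, rest = line.partition(";")
    return text.strip(), dict(KV.findall(rest))

def misrouted(trace, rule, expected):
    """Return raw lines that `rule` rejected although the payload after the
    <PRI> header matches `expected` (what the rule is meant to catch)."""
    hits, current = [], None
    for raw in trace.splitlines():
        text, kv = parse_event(raw)
        if text == "Incoming log entry":
            current = kv.get("line")  # remember the message being evaluated
        elif (text == "Filter rule evaluation result"
              and kv.get("filter_rule") == rule
              and kv.get("filter_result") == "not-match"
              and current is not None):
            payload = re.sub(r"^<\d+>", "", current)  # drop the priority header
            if re.search(expected, payload):
                hits.append(current)
    return hits

if __name__ == "__main__":
    for line in misrouted(TRACE, "f_iptables", r"^iptables:"):
        print("rejected by f_iptables but looks like iptables:", line)
```

A non-empty result means firewall messages are landing in the general log instead of `/var/log/iptables.log`, which is the symptom described in the question.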