<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE>Ver 1.9.5 problems with facility/level filtering</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">Sorry (in advance) if this is a dimwitted question...</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I've slurped down and compiled these components on my Solaris 8 system:</FONT>
<BR><FONT SIZE=2 FACE="Arial">pkg-config-0.19; glib-2.8.1; eventlog-0.2.3+20050116+1856; and finally the non-snapshot flavor of syslog-ng 1.9.5.</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Everything appears to have compiled OK, and I am able to load and execute syslog-ng, and it actually operates, albeit not exactly right (which is the driver for this email).</FONT></P>
<P><FONT SIZE=2 FACE="Arial">I have a 1.6.8 version of syslog-ng that "eats" my (fairly simple) config file, and sorts through the incoming syslog traffic, filtering it to one of three primary target files, based upon facility/level combinations. These log statements all use a flags-final setting. There is one final (fourth) log statement that feeds a catch-all file, with anything not distributed to the first three files. When using the 1.6.8 executable, these four files accumulate data, as anticipated (i.e. everything works just fine).</FONT></P>
<P><FONT SIZE=2 FACE="Arial">However, when I attempt to utilize the new 1.9.5 executable (on the same system), nothing is fed to the first three files. The only file getting any input is the final, catch-all file. Essentially, the only difference between the catch-all statement, and the filtered statements, is the existence of the filters on those statements, which reference filters similar to this:</FONT></P>
<P><FONT SIZE=2 FACE="Arial">filter f_1 { facility(local5) and level(debug..emerg); };</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">It's not clear to me why the filtering activity is failing. Again, those filters are fine in a 1.6.8 setting.</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">So… I'm looking for any input as to what might be a potential root problem. Obviously, there are a whole set of different pre-req components for the 1.9.5 world. I'm not sure if I'm dealing with some compatibility problem amongst the component versions that I've selected(?), or if the problem lies elsewhere.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Thanks for any and all input and suggestions.</FONT>
</P>
<P><B><FONT SIZE=2 FACE="Tahoma">Marvin Nipper</FONT></B>
<BR><FONT SIZE=2 FACE="Tahoma">Director of Security</FONT>
<BR><FONT SIZE=2 FACE="Tahoma">Stream</FONT>
<BR><A HREF="mailto:marvin.nipper@stream.com"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Tahoma">mailto:marvin.nipper@stream.com</FONT></U></A>
<BR><FONT SIZE=2 FACE="Tahoma">PGP Key ID: 0xD3EB5CE5 (RSA); 0x8EE28551 (DSS/DH)</FONT>
</P>
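<P><FONT SIZE=2 FACE="Arial">Added example, not part of the original message and not syslog-ng code: a small Python model of the routing described above (three filtered log paths marked final, then an unfiltered catch-all), giving the destination each PRI value is expected to reach so it can be compared with what a given build actually writes. Filter f_1 is the one quoted in the message; f_2, f_3, the destination names and the PRI values are assumptions constructed for the illustration.</FONT></P>

```python
# Added example: a model of the routing the message describes, not syslog-ng code.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL0 = 16  # local0..local7 are facility codes 16..23 (RFC 3164)


def decode_pri(pri):
    """Split a PRI value into (facility_code, level_name)."""
    if pri not in range(0, 192):
        raise ValueError("PRI out of range: %r" % pri)
    facility, severity = divmod(pri, 8)
    return facility, LEVELS[severity]


def make_filter(local_n, level_range):
    """Predicate for: facility(local N) and level(a..b), endpoints in either order."""
    a, b = (LEVELS.index(name) for name in level_range.split(".."))
    wanted = set(LEVELS[min(a, b):max(a, b) + 1])

    def matches(pri):
        facility, level = decode_pri(pri)
        return facility == LOCAL0 + local_n and level in wanted
    return matches


def route(pri, log_paths):
    """Walk log paths in order; a matching path with final=True stops processing."""
    delivered = []
    for flt, destination, final in log_paths:
        if flt is None or flt(pri):
            delivered.append(destination)
            if final:
                break
    return delivered


# f_1 is the filter quoted in the message; f_2, f_3 and all destination
# names are constructed for this example.
LOG_PATHS = [
    (make_filter(5, "debug..emerg"), "file_1", True),    # f_1
    (make_filter(6, "debug..emerg"), "file_2", True),    # f_2 (constructed)
    (make_filter(4, "warning..emerg"), "file_3", True),  # f_3 (constructed)
    (None, "catch_all", False),  # no filter: whatever fell through
]

if __name__ == "__main__":
    # Constructed PRI values: 174 = local5.info, 38 = auth.info, 166 = local4.info
    for pri in (174, 38, 166):
        print(pri, decode_pri(pri), route(pri, LOG_PATHS))
```

<P><FONT SIZE=2 FACE="Arial">If a message with a PRI value that this model sends to one of the first three files arrives only in the catch-all file, the filter evaluation is the place to look rather than the final flag.</FONT></P>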
</BODY>
</HTML>