Hi all,

I'm just starting to work with syslog-ng. We're setting up a loghost that will be collecting logs from a number of application servers, and I want to split them up based on whether they're application logs or system logs. The application is logging to local syslogs using the facility local5, but I'm having trouble filtering on that in syslog-ng. I couldn't find any documentation that indicates this can't be done so I'm wondering what I might be doing wrong. Here's the relevant part of my syslog-ng.conf file:

source s_udp {
    udp( ip(0.0.0.0) port(514) );
};

destination d_application { file("/var/log/application.log"); };
destination d_syslog { file("/var/log/syslog"); };

filter f_my_servers { host(h-001) or host(h-002) or host(h-003); };

filter f_test1 { facility(local5) and filter(f_my_servers); };

filter f_test2 { filter(f_my_servers); };

log { source(s_udp); filter(f_test1); destination(d_application); flags(final); };
log { source(s_udp); filter(f_test2); destination(d_syslog); flags(final); };

With the above configuration anything that comes in from one of the hosts as local5.* should get written to /var/log/application.log and everything else from those hosts should get written to /var/log/syslog, right? But if I log into one of these hosts and perform a test:

[root@h-001 ~]# logger -t local5.info test

The test message always ends up getting logged in /var/log/syslog. Does syslog-ng allow remote filtering based on the local5 facility, or am I doing something wrong here?

-Bruce
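Added example, not part of the original post: a small Python model of the two log paths above, run over two constructed datagrams. `logger -t` sets the message tag and leaves the default priority (user.notice), while `logger -p local5.info` sets the facility; the datagram layout, the timestamps, the `root` tag and the exact-match host check are assumptions made for the illustration.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164 numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
MSG_RE = re.compile(
    r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")

# Simplification: syslog-ng's host() is a pattern match; exact names are used here.
MY_SERVERS = {"h-001", "h-002", "h-003"}

# Constructed samples of what the loghost would receive on UDP 514.
SENT_WITH_T = "<13>Jan  5 10:00:00 h-001 local5.info: test"  # logger -t local5.info test
SENT_WITH_P = "<174>Jan  5 10:00:01 h-001 root: test"        # logger -p local5.info test


def parse(datagram):
    """Split a BSD-syslog datagram into facility, severity, host, tag, msg."""
    m = MSG_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a well-formed syslog datagram")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m.group(2), "tag": m.group(3), "msg": m.group(4)}


def route(datagram):
    """Mirror the two log statements; flags(final) means first match wins."""
    m = parse(datagram)
    if m["facility"] == "local5" and m["host"] in MY_SERVERS:   # f_test1
        return "/var/log/application.log"
    if m["host"] in MY_SERVERS:                                  # f_test2
        return "/var/log/syslog"
    return None


if __name__ == "__main__":
    for d in (SENT_WITH_T, SENT_WITH_P):
        m = parse(d)
        print(f'{m["facility"]}.{m["severity"]} tag={m["tag"]} -> {route(d)}')
```

The first datagram carries `local5.info` only as its tag, so the facility check in `f_test1` never sees local5 and the message falls through to `f_test2`.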