<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE>.hmmessage P {
PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
}
BODY.hmmessage {
FONT-SIZE: 10pt; FONT-FAMILY: Tahoma
}
</STYLE>
<META content="MSHTML 6.00.2900.3314" name=GENERATOR></HEAD>
<BODY class=hmmessage>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>Your config seems a bit odd and maybe overly complex.
Here's how I read it, please let us know if this is how you intend it to
work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>Your sources:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>S_dgram = only messages from local processes that call
syslog()</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>S_internal = only internal messages from syslog-ng on this
node</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>S_kernel = only messages from the kernel on this
node</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>S_tcp = only TCP messages from other nodes</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>S_udp = only UDP messages from other
nodes</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>Your log paths tell syslog-ng to behave as:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008>log { source(S_udp);
destination(D_db_mysql); };</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>All UDP messages from other nodes should be sent to
mysql.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial>log {
source(S_udp); destination(D_sec); };</FONT></SPAN></DIV><FONT face=Arial
color=#0000ff></FONT>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>All UDP messages from other nodes should be sent to
D_sec.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff><FONT color=#000000>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp);
filter(F_auth); destination(D_authlog);
flags(final); };</FONT><BR>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>All messages matching F_auth and coming either from local
syslog(), local syslog-ng internal or via TCP from other nodes (but
not via UDP) should be sent to D_authlog. If you send a message down this
path then don't bother evaluating any other
paths.</FONT></SPAN></DIV></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff><FONT
color=#000000></FONT></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff><FONT color=#000000>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_local7);
destination(D_bootlog); flags(final); };</FONT><BR>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008><FONT face=Arial
color=#0000ff>All messages matching F_local7 and coming either from
local syslog(), local syslog-ng internal or via TCP from other nodes
(but not via UDP) should be sent to D_bootlog. If you send a message down
this path then don't bother evaluating any other paths.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008>Then there's a bunch of
other log paths in the same vein.</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=390175515-08052008></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN
class=390175515-08052008></SPAN> </DIV></DIV></FONT>
<DIV><BR></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of
</B>wiskbroom@hotmail.com<BR><B>Sent:</B> 08 May 2008 15:13<BR><B>To:</B>
Syslog-ng users' and developers' mailing list<BR><B>Subject:</B> [syslog-ng]
Problems With Filter Rules - Using First Rule, Not One
Intended<BR></FONT><BR></DIV>
<DIV></DIV>
<P class=MsoNormal>Greetings;<BR><BR>My setup works well with one exception, my
filtering rules contained in my syslog-ng.conf do not appear to work
properly. My logs are not lost, instead they end up in a directory which I
did not intend them to be in. <BR><BR>Background: I log to a MySql DB, flatfiles
and finally, to SEC, which parses stuff and takes various actions (almost
working ;-)<BR></P>
<P class=MsoNormal><BR>For ease of reading, I will simply add the contents of my
config file which pertains to just one filter.</P>
<P class=MsoNormal>Many thanks in advance for taking the time to read and help
me.<BR><BR>.vp<BR></P>
<P class=MsoNormal><BR>############<BR># OPTIONS
#<BR>############<BR><BR>options<BR> {<BR>
chain_hostnames(no);<BR> create_dirs
(yes);<BR> dir_perm(0755);<BR> use_dns
(yes);<BR> dns_cache(yes);<BR>
dns_cache_size(1000);<BR>
dns_cache_expire(604800);<BR>
keep_hostname(yes);<BR>
log_fifo_size(10000);<BR>
log_msg_size(8192);<BR>
long_hostnames(on);<BR> perm(0644);<BR>
stats(3600);<BR> sync(0);<BR> time_reopen
(10);<BR> use_dns(yes);<BR>
use_fqdn(yes);<BR> };<BR><BR>############<BR>#
SOURCES #<BR>############<BR><BR>source
S_dgram<BR> { unix-dgram("/dev/log"); };<BR><BR>source
S_internal<BR> { internal(); };<BR><BR>source S_kernel<BR> {
file("/proc/kmsg" log_prefix("kernel: ")); };<BR><BR>source S_tcp<BR> {
tcp(port(4800) keep-alive(yes) max_connections(100)); };<BR><BR>source S_udp {
udp(ip("0.0.0.0") port(514)); };<BR><BR>###############<BR># DEST SQL
DB
#<BR>###############<BR><BR>destination D_db_mysql
{<BR>
pipe("/var/log/mysql.pipe"<BR>
template("INSERT INTO
logs<BR>
(host, facility, priority, level, tag, datetime, program,
msg)<BR>
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY
$HOUR:$MIN:$SEC',<BR>
'$PROGRAM', '$MSG' );\n")
template-escape(yes));<BR>};<BR><BR>##############<BR>#
DESTINATIONS #<BR>##############<BR><BR>destination
D_authlog { file("/var/log/auth.log");
};<BR>destination D_bootlog {
file("/var/log/boot.log"); };<BR>destination
D_debug {
file("/var/log/debug"); };<BR>destination
D_explan {
file("/var/log/explanations"); };<BR>destination D_messages {
file("/var/log/messages"); };<BR>destination
D_secure { file("/var/log/secure");
};<BR>destination D_spooler {
file("/var/log/spooler"); };<BR>destination
D_syslog { file("/var/log/syslog");
};<BR>destination
D_user {
file("/var/log/user.log"); };<BR><BR>destination
D_switch {
file("/var/log/MyHosts/Switches/$FULLHOST.log"<BR>
perm(0644)); };<BR>destination
D_edge {
file("/var/log/MyHosts/EdgeDevices/$FULLHOST.log"<BR>
perm(0644)); };<BR>destination D_firewall {
file("/var/log/MyHosts/Firewalls/$FULLHOST.log"<BR>
owner(root) group(root) perm(0644) dir_perm(0700) create_dirs(yes));
};<BR>destination D_router {
file("/var/log/MyHosts/Routers/$FULLHOST.log"<BR>
perm(0644)); };<BR>destination D_accesspoints {
file("/var/log/MyHosts/AccessPoints/$FULLHOST.log"<BR>
perm(0644)); };<BR>destination D_mailservers {
file("/var/log/MyHosts/MailServers/$FULLHOST.log"<BR>
perm(0644)); };<BR><BR>###########<BR>#
FILTERS
#<BR>###########<BR><BR>filter
F_auth { facility(auth,
authpriv); };<BR>filter
F_authpriv { facility(authpriv);
};<BR>filter
F_cron { facility(cron);
};<BR>filter
F_daemon { facility(daemon);
};<BR>filter
F_kern { facility(kern);
};<BR>filter
F_local1 { facility(local1);
};<BR>filter
F_local2 { facility(local2);
};<BR>filter
F_local3 { facility(local3);
};<BR>filter
F_local4 { facility(local4);
};<BR>filter
F_local5 { facility(local5);
};<BR>filter
F_local6 { facility(local6);
};<BR>filter
F_local7 { facility(local7);
};<BR>filter
F_lpr { facility(lpr);
};<BR>filter
F_mail { facility(mail);
};<BR>filter F_messages {
facility(daemon, kern, user); };<BR>filter
F_news { facility(news);
};<BR>filter
F_spooler { facility(uucp,news) and level(crit);
};<BR>filter
F_syslog { not facility(auth, authpriv) and
not facility(mail); };<BR>filter
F_user { facility(user);
};<BR><BR>filter
F_crit { level(crit);
};<BR>filter
F_debug { level(debug);
};<BR>filter F_emergency {
level(emerg); };<BR>filter
F_err { level(err);
};<BR>filter
F_info { level(info);
};<BR>filter
F_notice { level(notice);
};<BR>filter
F_warn { level(warn);
};<BR><BR>filter F_edge {
host("edge*") or host("122.21.*"); };<BR>filter
F_router { host("gw*") or host("rtr") or
host("mmsc"); };<BR>filter F_switch {
host("sw*") or host("sw1") or host("sw2"); };<BR>filter
F_firewall { host("^fw*") or host("^mlm*-*") or
host("^cm*"); };<BR>filter
F_dc {
host("^mydc*") or host("^dc*"); };<BR>filter F_accesspoints { host("^melanie*");
};<BR>filter F_mailservers { host("^mail*") or host("^smtpgw*");
};<BR>filter F_proxies { host("^proxygw*");
};<BR>filter F_InternetIP { host("161.17.10.*");
};<BR><BR>##############<BR>#
LOGS
#<BR>##############<BR><BR>log { source(S_udp); destination(D_db_mysql);
};<BR><BR># Send ALL logs to SEC<BR><BR># log { source(S_dgram);
source(S_internal); source(S_tcp); filter(F_auth); destination(D_sec);
};<BR><BR># log { source(S_udp); source(S_tcp); destination(D_sec);
};<BR><BR>log { source(S_udp); destination(D_sec); };<BR><BR>###<BR><BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp);
filter(F_auth); destination(D_authlog);
flags(final); };<BR>log { source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_local7);
destination(D_bootlog); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_local1);
destination(D_explan); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_local5);
destination(D_router); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_messages);
destination(D_messages); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_authpriv);
destination(D_secure); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp); filter(F_spooler);
destination(D_spooler); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_kernel);<BR>
source(S_tcp); filter(F_syslog);
destination(D_syslog); flags(final); };<BR>log {
source(S_dgram);<BR>
source(S_internal);<BR>
source(S_tcp);
filter(F_user); destination(D_user); flags(final);
};<BR><BR>log { source(S_dgram);<BR>
source(S_internal);<BR>
source(S_kernel);<BR>
source(S_tcp);
destination(D_hosts); flags(final); };<BR><BR>log { source(S_udp);
filter(F_switch); destination(D_switch); flags(final); };<BR>log {
source(S_udp); filter(F_firewall); destination(D_firewall); flags(final);
};<BR>log { source(S_udp); filter(F_router); destination(D_router);
flags(final); };<BR>log { source(S_udp); filter(F_edge); destination(D_edge);
flags(final); };<BR>log { source(S_udp); filter(F_dc); destination(D_dc);
flags(final); };<BR>log { source(S_udp); filter(F_accesspoints);
destination(D_accesspoints); flags(final); };<BR>log { source(S_udp);
filter(F_proxies); destination(D_proxies); flags(final); };<BR>log {
source(S_udp); filter(F_mailservers); destination(D_mailservers); flags(final);
};<BR><BR>log { source(S_udp); destination(D_udp);};<BR><BR><BR><!--[if
!supportLineBreakNewLine]--><BR><!--[endif]--></P></BODY></HTML>