Thanks for the reply!<div><br></div><div>I started it in the foreground and sent only one log from my Mac. This is the result. And at the bottom I pasted my conf, which is very basic and short as I am testing this.</div><div><br>
</div><div><div>Incoming log entry; line='<190>Nov 20 12:22:20 Gandalf brahama[90151]: test mymac\x0a'</div><div>Filter rule evaluation begins; rule='f_casper', location='/usr/local/etc/syslog-ng.conf:58:18'</div>
<div>Filter node evaluation result; result='not-match'</div><div>Filter rule evaluation result; result='not-match', rule='f_casper', location='/usr/local/etc/syslog-ng.conf:58:18'</div><div>
Filter rule evaluation begins; rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'</div><div>Filter node evaluation result; result='match'</div><div>Filter rule evaluation result; result='match', rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'</div>
<div>Initializing destination file writer; template='/var/log/mymac', filename='/var/log/mymac'</div><div>Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'</div>
</div><div><br></div><div><div>Incoming log entry; line='<142>Nov 20 12:44:49 Gandalf brahama[90207]: test mymac\x0a'</div><div>Filter rule evaluation begins; rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'</div>
<div>Filter node evaluation result; result='match'</div><div>Filter rule evaluation result; result='match', rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'</div></div><div><br>
</div><div><div>syslog-ng shutting down; version='3.4.0alpha3'</div><div>Closing log transport fd; fd='7'</div><div>Closing log transport fd; fd='20'</div><div>Closing log transport fd; fd='21'</div>
<div>Running application hooks; hook='4'</div></div><div><br></div><div><br></div><div>------------</div><div><br></div><div>And this is my configuration, the entire file.</div><div><br></div><div><div>@version: 3.4</div>
<div>@include "scl.conf"</div><div><br></div><div><br></div><div>options {</div><div><span class="" style="white-space:pre">        </span>keep_hostname(yes);</div><div><span class="" style="white-space:pre">        </span>normalize_hostnames(yes);</div>
<div><span class="" style="white-space:pre">        </span>threaded(yes);</div><div><span class="" style="white-space:pre">        </span>ts_format(iso);</div><div><span class="" style="white-space:pre">        </span>use_fqdn(yes);</div><div>
<span class="" style="white-space:pre">        </span></div><div>};</div><div><br></div><div><br></div><div><br></div><div>source s_local {</div><div><span class="" style="white-space:pre">        </span>system();</div><div><span class="" style="white-space:pre">        </span>internal();</div>
<div>};</div><div><br></div><div>source s_network {</div><div><span class="" style="white-space:pre">        </span>udp(so_rcvbuf(1048576));</div><div>};</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br>
</div><div>destination d_my_mac {</div><div><span class="" style="white-space:pre">        </span>file("/var/log/mymac");</div><div>};</div><div><br></div><div>destination d_casper {</div><div><span class="" style="white-space:pre">        </span>file("/var/log/$HOST");</div>
<div>};</div><div><br></div><div><br></div><div><br></div><div>filter f_my_mac {</div><div><span class="" style="white-space:pre">        </span>netmask(10.24.18.0/255.255.255.0);</div>
<div>};</div><div><br></div><div>filter f_casper {</div><div><span class="" style="white-space:pre">        </span>netmask(10.24.150.192/255.255.255.255);</div><div>};</div><div>
<br></div><div><br></div><div>log {</div><div><span class="" style="white-space:pre">        </span>source(s_network);</div><div><span class="" style="white-space:pre">        </span>filter(f_my_mac);</div><div><span class="" style="white-space:pre">        </span>destination(d_my_mac);</div>
<div><span class="" style="white-space:pre">        </span>flags(final);</div><div>};</div><div><br></div><div>destination d_local {</div><div><span class="" style="white-space:pre">        </span>file("/var/log/messages");</div>
<div>};</div><div>log {</div><div><span class="" style="white-space:pre">        </span>source(s_network);</div><div><span class="" style="white-space:pre">        </span>destination(d_local);</div><div>};</div></div><div><br></div><div>
-------------------------------------------------</div><div><br></div><div>Still seeing the log on both files messages and mymac :S</div><div><br></div><div>Thanks!</div><div class="gmail_extra"><br><br><div class="gmail_quote">
2012/11/20 Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Hi,
<br>
<br>If you reference a source from two log statements, both will get a copy of the same message. In the 2nd statement you request to send messages to d_local without filtering. That includes your IP too.
<br>
<br>Ahh, I see you are using flags(final), that should do the trick if the message is received on the same source (e.g. s_network). Are you sure this is the case?
<br>
<br>Also, you can start syslog-ng in the foreground, enabling debug messages, which should help you to narrow the problem further down.
<br>
<br># syslog-ng -Fedv
<br></p><div><div class="h5">
<br>
<br>----- Original message -----
<br>> Hi guys,
<br>>
<br>> Just new, and created the following conf for testing purposes. The
<br>> problem is that I get the logs in both destinations despite the filter.
<br>>
<br>> @version: 3.4
<br>> @include "scl.conf"
<br>>
<br>> options {
<br>> keep_hostname(yes);
<br>> normalize_hostnames(yes);
<br>> threaded(yes);
<br>> ts_format(iso); # Adds TZ
<br>> #use_fqdn(yes);
<br>> use_dns(no);
<br>> };
<br>>
<br>> source s_local {
<br>> system();
<br>> internal();
<br>> };
<br>>
<br>> source s_network {
<br>> udp();
<br>> };
<br>>
<br>> destination d_local {
<br>> file("/var/log/messages");
<br>> };
<br>>
<br>> destination d_my_mac {
<br>> file("/var/log/mymac");
<br>> };
<br>>
<br>> filter f_my_mac {
<br>> netmask(10.24.18.2/255.255.255.255);
<br>> };
<br>>
<br>> log {
<br>> source(s_network);
<br>> filter(f_my_mac);
<br>> destination(d_my_mac);
<br>> flags(final);
<br>> };
<br>>
<br>> log {
<br>> source(s_local);
<br>> # uncomment this line to open port 514 to receive messages
<br>> source(s_network);
<br>> #destination(d_central_udp);
<br>> destination(d_local);
<br>> };
<br>>
<br>>
<br>> As netmask I also tried CIDR /24 and same thing. The problem is that I
<br>> get the logs in both destinations. I only want to have them in my_mac
<br>>
<br>> Thanks!
<br><br></div></div><p></p>
</div>
</blockquote></div><br></div>
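
The routing behaviour described in the quoted reply, as an added example that is not part of the original thread and is not syslog-ng code: a simplified Python model of log statements evaluated in configuration order, with flags(final) stopping later statements from seeing a matched message. `LogPath` and `route` are hypothetical names, and the sender address 10.24.18.2 is an assumed value taken from the filter in the first message of the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class LogPath:
    """One log { ... } statement: sources, optional netmask() filter, destinations."""
    sources: Set[str]
    destinations: List[str]
    netmask: Optional[str] = None  # None models a statement with no filter
    final: bool = False            # models flags(final)

    def matches(self, source: str, sender_ip: str) -> bool:
        if source not in self.sources:
            return False
        if self.netmask is None:
            return True
        return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(self.netmask)


def route(paths: List[LogPath], source: str, sender_ip: str) -> List[str]:
    """Evaluate statements in configuration order; return the files written."""
    written: List[str] = []
    for path in paths:
        if path.matches(source, sender_ip):
            written.extend(path.destinations)
            if path.final:
                break  # later statements never see this message
    return written


# Constructed from the configuration posted in the message above.
FILTERED = LogPath({"s_network"}, ["/var/log/mymac"],
                   netmask="10.24.18.0/255.255.255.0", final=True)
CATCH_ALL = LogPath({"s_network"}, ["/var/log/messages"])
NOT_FINAL = LogPath({"s_network"}, ["/var/log/mymac"],
                    netmask="10.24.18.0/255.255.255.0")

if __name__ == "__main__":
    sender = "10.24.18.2"  # assumed sender address inside the filtered subnet
    print(route([FILTERED, CATCH_ALL], "s_network", sender))
    print(route([NOT_FINAL, CATCH_ALL], "s_network", sender))
    print(route([CATCH_ALL, FILTERED], "s_network", sender))
    print(route([FILTERED, CATCH_ALL], "s_network", "10.24.150.192"))
```

The third call shows that statement order matters: flags(final) only hides a message from log statements that appear later in the file, so a catch-all placed earlier still receives its copy.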