<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Bazsi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yes, it 'fixed' the issue with 'flags(final);' and embedded logs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Chris<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
<b>On Behalf Of </b>Balazs Scheidler<br>
<b>Sent:</b> Tuesday, December 10, 2013 11:59 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] syslog-ng 3.5.1 - question about flags(final)...<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi,<o:p></o:p></p>
<p>Any news if these fix the issue for you?<o:p></o:p></p>
<div>
<p class="MsoNormal">On Dec 1, 2013 1:19 PM, "Balazs Scheidler" <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Hi,<br>
<br>
A fix and test is available on this branch:<br>
<br>
<a href="https://github.com/balabit/syslog-ng/tree/3.5/f/cfg-tree-final-fix" target="_blank">https://github.com/balabit/syslog-ng/tree/3.5/f/cfg-tree-final-fix</a><br>
<br>
I'd really appreciate any further testing and whether the 3.4/3.5<br>
behaviour is consistent with 3.3.<br>
<br>
Algernon should pick these patches to the stable branches shortly,<br>
here's the pull request for that:<br>
<br>
<a href="https://github.com/balabit/syslog-ng/pull/26" target="_blank">https://github.com/balabit/syslog-ng/pull/26</a><br>
<br>
Thanks for the report.<br>
Bazsi<br>
<br>
<br>
On Wed, 2013-11-27 at 11:22 +0100, Balazs Scheidler wrote:<br>
> hi,<br>
><br>
> thanks, moving this higher on my list.<br>
><br>
> On Mon, 2013-11-25 at 22:36 +0000, Johnson, Chris (HP TippingPoint<br>
> Roseville) wrote:<br>
> > *ping* :)<br>
> ><br>
> > Chris<br>
> ><br>
> > -----Original Message-----<br>
> > From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of Balazs Scheidler<br>
> > Sent: Tuesday, November 19, 2013 4:21 AM<br>
> > To: Syslog-ng users' and developers' mailing list<br>
> > Subject: Re: [syslog-ng] syslog-ng 3.5.1 - question about flags(final)...<br>
> ><br>
> > Hi,<br>
> ><br>
> > This seems to be a bug. I'll have to put it aside for now, but I'll try to work on this ASAP. Just Evan also posted some details about a bug of his and I'd like to work on that first.<br>
> ><br>
> > If you don't hear from me in 2 days, feel free to ping me.<br>
> ><br>
> > Cheers,<br>
> > Bazsi<br>
> ><br>
> ><br>
> > On Mon, 2013-11-18 at 22:02 +0000, Johnson, Chris (HP TippingPoint<br>
> > Roseville) wrote:<br>
> > > Hello all,<br>
> > ><br>
> > ><br>
> > ><br>
> > > I'm in the process of upgrading from version 3.3.9 to 3.5.1 and have a<br>
> > > question about how the 'flags(final);' is working in 3.5.1.<br>
> > ><br>
> > ><br>
> > ><br>
> > > In 3.3.9, I use the following structure of imbedded log statements:<br>
> > ><br>
> > > ######################################################################<br>
> > > ##########<br>
> > ><br>
> > > # Service ipsec<br>
> > ><br>
> > > #<br>
> > ><br>
> > > filter f_ipsec_pgm{program("IPSEC-*" type("glob"))<br>
> > ><br>
> > > or program("IKE-*" type("glob"))<br>
> > ><br>
> > > or program("CHARON-*" type("glob"))<br>
> > ><br>
> > > or program("charon-*" type("glob"));<br>
> > ><br>
> > > };<br>
> > ><br>
> > > filter f_ipsec_lvl_01{level(warning..emerg)};<br>
> > ><br>
> > > filter f_ipsec_lvl_02{level(info..emerg)};<br>
> > ><br>
> > > log {<br>
> > ><br>
> > > source(s_local);<br>
> > ><br>
> > > filter(f_ipsec_pgm);<br>
> > ><br>
> > > log {<br>
> > ><br>
> > > filter(f_ipsec_lvl_01);<br>
> > ><br>
> > > destination(d_logID_11);<br>
> > ><br>
> > > };<br>
> > ><br>
> > > log {<br>
> > ><br>
> > > filter(f_ipsec_lvl_02);<br>
> > ><br>
> > > rewrite(r_quote_newlines);<br>
> > ><br>
> > > destination(d_logID_13);<br>
> > ><br>
> > > };<br>
> > ><br>
> > > flags(final);<br>
> > ><br>
> > > };<br>
> > ><br>
> > ><br>
> > ><br>
> > > In this case log messages of the 'correct' program would further be<br>
> > > filtered on their severity level.<br>
> > ><br>
> > > · Info level messages would only be sent to 'd_logID_13'<br>
> > ><br>
> > > · Warning level messages (and above) would be sent to BOTH<br>
> > > 'd_logID_11' and 'd_logID_13'.<br>
> > ><br>
> > > · Debug level messages would be discarded.<br>
> > ><br>
> > > Under 3.5.1, the 'filtering ' stops after it matches once:<br>
> > ><br>
> > > · Warning messages (and above) are only sent to 'd_logID_11'<br>
> > > and NOT 'd_logID_13'.<br>
> > ><br>
> > > · Info messages are still (correctly) being sent only to<br>
> > > 'd_logID_13'.<br>
> > ><br>
> > > If I remove (or comment out) the 'flags(final);' statement, messages<br>
> > > are filtered correctly (i.e. the way I *want* them to be filtered J)<br>
> > ><br>
> > > except that they also are being processed by all the following log<br>
> > > statements and are being caught in my final filter of 'program("*"<br>
> > > type("glob"))'.<br>
> > ><br>
> > > NOTE: yes, I know that I could use 'flags(fallback)' in my final<br>
> > > filter, but that would still have every message processed by every log<br>
> > > filter, and I would like to avoid that.<br>
> > ><br>
> > ><br>
> > ><br>
> > > So, what would be the correct way to set up my log statement to<br>
> > > re-create the 3.3 behavior?<br>
> ><br>
> ><br>
> > ______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
> > ______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
><br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
<br>
<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><o:p></o:p></p>
</div>
</div>
</body>
</html>