<p dir="ltr">Hi,</p>
<p dir="ltr">Any news if these fix the issue for you?</p>
<div class="gmail_quote">On Dec 1, 2013 1:19 PM, "Balazs Scheidler" <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Hi,<br>
<br>
A fix and test is available on this branch:<br>
<br>
<a href="https://github.com/balabit/syslog-ng/tree/3.5/f/cfg-tree-final-fix" target="_blank">https://github.com/balabit/syslog-ng/tree/3.5/f/cfg-tree-final-fix</a><br>
<br>
I'd really appreciate any further testing and whether the 3.4/3.5<br>
behaviour is consistent with 3.3.<br>
<br>
Algernon should pick these patches to the stable branches shortly,<br>
here's the pull request for that:<br>
<br>
<a href="https://github.com/balabit/syslog-ng/pull/26" target="_blank">https://github.com/balabit/syslog-ng/pull/26</a><br>
<br>
Thanks for the report.<br>
Bazsi<br>
<br>
<br>
On Wed, 2013-11-27 at 11:22 +0100, Balazs Scheidler wrote:<br>
> hi,<br>
><br>
> thanks, moving this higher on my list.<br>
><br>
> On Mon, 2013-11-25 at 22:36 +0000, Johnson, Chris (HP TippingPoint<br>
> Roseville) wrote:<br>
> > *ping* :)<br>
> ><br>
> > Chris<br>
> ><br>
> > -----Original Message-----<br>
> > From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of Balazs Scheidler<br>
> > Sent: Tuesday, November 19, 2013 4:21 AM<br>
> > To: Syslog-ng users' and developers' mailing list<br>
> > Subject: Re: [syslog-ng] syslog-ng 3.5.1 - question about flags(final)...<br>
> ><br>
> > Hi,<br>
> ><br>
> > This seems to be a bug. I'll have to put it aside for now, but I'll try to work on this ASAP. Just Evan also posted some details about a bug of his and I'd like to work on that first.<br>
> ><br>
> > If you don't hear from me in 2 days, feel free to ping me.<br>
> ><br>
> > Cheers,<br>
> > Bazsi<br>
> ><br>
> ><br>
> > On Mon, 2013-11-18 at 22:02 +0000, Johnson, Chris (HP TippingPoint<br>
> > Roseville) wrote:<br>
> > > Hello all,<br>
> > ><br>
> > ><br>
> > ><br>
> > > I'm in the process of upgrading from version 3.3.9 to 3.5.1 and have a<br>
> > > question about how the 'flags(final);' is working in 3.5.1.<br>
> > ><br>
> > ><br>
> > ><br>
> > > In 3.3.9, I use the following structure of imbedded log statements:<br>
> > ><br>
> > > ######################################################################<br>
> > > ##########<br>
> > ><br>
> > > # Service ipsec<br>
> > ><br>
> > > #<br>
> > ><br>
> > > filter f_ipsec_pgm{program("IPSEC-*" type("glob"))<br>
> > ><br>
> > > or program("IKE-*" type("glob"))<br>
> > ><br>
> > > or program("CHARON-*" type("glob"))<br>
> > ><br>
> > > or program("charon-*" type("glob"));<br>
> > ><br>
> > > };<br>
> > ><br>
> > > filter f_ipsec_lvl_01{level(warning..emerg)};<br>
> > ><br>
> > > filter f_ipsec_lvl_02{level(info..emerg)};<br>
> > ><br>
> > > log {<br>
> > ><br>
> > > source(s_local);<br>
> > ><br>
> > > filter(f_ipsec_pgm);<br>
> > ><br>
> > > log {<br>
> > ><br>
> > > filter(f_ipsec_lvl_01);<br>
> > ><br>
> > > destination(d_logID_11);<br>
> > ><br>
> > > };<br>
> > ><br>
> > > log {<br>
> > ><br>
> > > filter(f_ipsec_lvl_02);<br>
> > ><br>
> > > rewrite(r_quote_newlines);<br>
> > ><br>
> > > destination(d_logID_13);<br>
> > ><br>
> > > };<br>
> > ><br>
> > > flags(final);<br>
> > ><br>
> > > };<br>
> > ><br>
> > ><br>
> > ><br>
> > > In this case log messages of the 'correct' program would further be<br>
> > > filtered on their severity level.<br>
> > ><br>
> > > · Info level messages would only be sent to 'd_logID_13'<br>
> > ><br>
> > > · Warning level messages (and above) would be sent to BOTH<br>
> > > 'd_logID_11' and 'd_logID_13'.<br>
> > ><br>
> > > · Debug level messages would be discarded.<br>
> > ><br>
> > > Under 3.5.1, the 'filtering ' stops after it matches once:<br>
> > ><br>
> > > · Warning messages (and above) are only sent to 'd_logID_11'<br>
> > > and NOT 'd_logID_13'.<br>
> > ><br>
> > > · Info messages are still (correctly) being sent only to<br>
> > > 'd_logID_13'.<br>
> > ><br>
> > > If I remove (or comment out) the 'flags(final);' statement, messages<br>
> > > are filtered correctly (i.e. the way I *want* them to be filtered J)<br>
> > ><br>
> > > except that they also are being processed by all the following log<br>
> > > statements and are being caught in my final filter of 'program("*"<br>
> > > type("glob"))'.<br>
> > ><br>
> > > NOTE: yes, I know that I could use 'flags(fallback)' in my final<br>
> > > filter, but that would still have every message processed by every log<br>
> > > filter, and I would like to avoid that.<br>
> > ><br>
> > ><br>
> > ><br>
> > > So, what would be the correct way to set up my log statement to<br>
> > > re-create the 3.3 behavior?<br>
> ><br>
> ><br>
> > ______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
> > ______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
><br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
<br>
<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>