<div dir="ltr"><div><code>Hi<br></code></div><code> Final flags respond with only top-level log paths. You can use embedded log statement to achieve your goal.<br><br> </code><br><br><div><code>log {<br>
<br>
log {<br> </code><code><code>source(s_remote);<br></code>
filter(</code>f_linux_secure<code>);<br>
destination(</code>d_linux_secure<code>);<br>
flags(final);<br>
};<br>
<br> log {<br> </code><code><code> source(s_remote);<br></code> filter(</code>f_linux_messages<code>);<br>
destination(</code>d_linux_messages<code>);<br>
};<br>
};<br><br></code><br><code><code><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html</a><br><br></code></code></div><div><code>Regards<br></code></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 21, 2017 at 7:14 PM, <a href="mailto:wiskbroom@hotmail.com">wiskbroom@hotmail.com</a> <span dir="ltr"><<a href="mailto:wiskbroom@hotmail.com" target="_blank">wiskbroom@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div id="m_7709455863777078415divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>Yes, I only want said messages in one of the two files, not both.<br>
</p>
<p><br>
</p>
<div id="m_7709455863777078415Signature">Vadim Anatoly Pushkin </div>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_7709455863777078415divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.<wbr>balabit.hu</a>> on behalf of james.r.hendrick <<a href="mailto:james.r.hendrick@gmail.com" target="_blank">james.r.hendrick@gmail.com</a>><br>
<b>Sent:</b> Friday, April 21, 2017 9:40:20 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Unable to Filter Based On Facility into Different Files</font>
<div> </div>
</div><div><div class="h5">
<div>
<div>flags (final) stops the professing in the first statement </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div id="m_7709455863777078415composer_signature">
<div style="font-size:85%;color:#575757" dir="auto">Sent from my Verizon, Samsung Galaxy smartphone</div>
</div>
<div><br>
</div>
<div style="font-size:100%;color:#000000">
<div>-------- Original message --------</div>
<div>From: <a href="mailto:wiskbroom@hotmail.com" target="_blank">wiskbroom@hotmail.com</a> </div>
<div>Date: 4/21/17 9:37 AM (GMT-05:00) </div>
<div>To: <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a> </div>
<div>Subject: [syslog-ng] Unable to Filter Based On Facility into Different Files
</div>
<div><br>
</div>
</div>
<div id="m_7709455863777078415divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>Greetings!<br>
</p>
<p><br>
</p>
<p>I am trying to rewrite syslog-ng.conf to create files based on facilities; one way for non-auth messages, another for all authentication messages (ssh, su, sudo, and console logins).</p>
<p><br>
</p>
<p>I believe I have two issues with my statements below:</p>
<p>1. My ${HOST}- might be incorrect.</p>
<p>2. Am I able to write two filters for a single source? My single source in this case are Linux boxes, all sending their syslog traffic to my syslog-NG server with *.*.</p>
<p><br>
</p>
<p>My statements below, comments and criticism very welcome.</p>
<p><br>
</p>
<p>filter f_linux_secure { facility(authpriv) and level(info..emerg); };<br>
filter f_linux_messages { level(info..emerg); };<br>
<br>
<br>
destination d_linux_secure {<br>
file("/data/Linux/${HOST}-<wbr>secure.log" owner("root") group("systems") perm(0640) dir_perm(0750) create_dirs(yes));<br>
destination d_linux_messages {<br>
file("/data/Linux/${HOST}-<wbr>messages.log" owner("root") group("systems") perm(0640) dir_perm(0750) create_dirs(yes));<br>
<br>
log { source(s_remote); filter(f_linux_secure); destination(d_linux_secure); flags(final); };<br>
log { source(s_remote); filter(f_linux_messages); destination(d_linux_messages); flags(final); };</p>
<p><br>
</p>
<p><br>
</p>
<p>Regards,</p>
<p><br>
</p>
<p><br>
</p>
<div id="m_7709455863777078415Signature">Vadim Anatoly Pushkin </div>
</div>
</div>
</div></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>