<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Sorry, I should have said I THOUGHT it was working good. It loads
      cleanly, and I have systemd set to forward its journal to the
      syslog, so syslog-ng is getting plenty of info to log. The problem
      is that it's not listening to my filter. I specifically have two
      filters. One to say only what came in on local7, and the other is
      everything BUT what came in on local7.  Yet when I started
      syslog-ng I get IDENTICAL content in both files. In fact, I did a
      quick test. rm messages dhcpd.log && systemctl restart
      syslog-ng@default. Then I ran a cmp on dhcpd.log and messages, and
      they came back identical. So why is all this stuff being written
      to the wrong files? Here's my syslog-ng.conf file. Perhaps I did
      something wrong?</p>
    <pre>options {
        threaded(yes);
        chain_hostnames(no);
        stats_freq(43200);
        mark_freq(3600);
};
filter dhcpfilter { facility(local7) };
filter nondhcp { not filter(dhcpfilter) };
source src { system(); internal(); };
destination messages { file("/var/log/messages"); };
destination dhcplog { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };
log { source(src); destination(messages); filter(nondhcp); };
log { source(src); destination(console_all); };
log { source(src); destination(dhcplog); filter(dhcpfilter); };
</pre>
    <p><br>
    </p>
    <p>Notice in the first log line the mention of filter(nondhcp) -
      i.e. messages NOT from dhcpd, and on the 3rd log line there is
      filter(dhcpfilter)  which should be only what comes across on
      local7. So why am I getting systemd messages and syslog-ng
      messages and what not in my dhcpd.log file?<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 12/15/2020 11:14 PM, Dan Egli wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:8050fedb-dd56-f14f-bef7-1711d0010486@newideatest.site">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>syslog.local7 is a reference mnemonic of mine, sorry. It refers
        to the local7 facility in syslog. And by saying the not should
        be lowercase that fixed everything. I don't know why the
        examples show it in uppercase, but thank you very much!<br>
      </p>
      <div class="moz-cite-prefix">On 12/15/2020 11:09 PM, Balazs
        Scheidler wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:CAKcfE+ZyKNMe5QzEhEfAm3AB6W63waAMjk92G2Q+LMMAdn62+Q@mail.gmail.com">
        <meta http-equiv="content-type" content="text/html;
          charset=UTF-8">
        <div dir="auto">
          <div><br>
            <br>
            <div class="gmail_quote">
              <div dir="ltr" class="gmail_attr">On Wed, Dec 16, 2020,
                06:04 Dan Egli <a class="moz-txt-link-rfc2396E"
                  href="mailto:dan@newideatest.site"
                  moz-do-not-send="true"><dan@newideatest.site></a>
                wrote:<br>
              </div>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">Help
                me understand this, please?  I have ISC dhcpd configured
                to log to <br>
                syslog.local7 (since I don't see an option to force it
                into its own log <br>
                file).</blockquote>
            </div>
          </div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Hmm syslog.local7 doesn't seem to be a
            facility.severity pair.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Both syslog and localX are facility codes, so
            either syslog or localX.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Syslog is normally reserved for the syslog
            subsystem, so I wouldn't use that for dhcpd.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Also, logging and filtering based on facility
            codes alone is not really flexible, as facility codes were
            not kept up with changes of the underlying system. There are
            dedicated codes for legacy stuff like "news" which people
            rarely use, but lack newer stuff like kafka or docker.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">So in most cases, I see people use the PROGRAM
            field, or even the IP address of devices to classify log
            messages.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Still, in your use case the current set of
            facility codes could be just fine.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex"> </blockquote>
            </div>
          </div>
          <div dir="auto">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">So I
                went into my syslog-ng file and created two filters,
                just <br>
                like on the example page of <a
                  href="http://syslog-ng.com" rel="noreferrer
                  noreferrer" target="_blank" moz-do-not-send="true">syslog-ng.com</a>:<br>
                <br>
                filter dhcpmsgs { facility(23) );<br>
              </blockquote>
            </div>
          </div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">This would filter on facility code 23, each
            facility is mapped to a numeric code, I can't remember what
            is 23, but you can check rfc3164 for the exact assignment. </div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                filter non_dhcp { NOT filter(dhcpmsgs) );<br>
              </blockquote>
            </div>
          </div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Negation should be lower case, e.g. "not"</div>
          <div dir="auto">The closing paren should be a closing brace
            (e.g. "}")</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
                I quoted almost directly from the example page on <a
                  href="http://syslog-ng.com" rel="noreferrer
                  noreferrer" target="_blank" moz-do-not-send="true">syslog-ng.com</a>,
                but I <br>
                keep getting this error when I reload syslog-ng's
                config:<br>
                Error parsing filter expression, filter plugin NOT not
                found OR you may <br>
                not used double quotes in your filter expression in <br>
                /etc/syslog-ng/syslog-ng.conf:25:18-25:21:<br>
                <br>
                What did I do wrong? Here are the lines I modified from
                the syslog-ng page:<br>
                filter demo_filter { host("example") and match("deny"
                value("MESSAGE")) };<br>
                filter inverted_demo_filter { NOT filter(demo_filter) }<br>
                <br>
                You can see the page at: <br>
                <a
href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53"
                  rel="noreferrer noreferrer" target="_blank"
                  moz-do-not-send="true">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53</a>
                <br>
                <br>
                <br>
                -- <br>
                Dan Egli<br>
                 From my Test Server<br>
                <br>
______________________________________________________________________________<br>
                Member info: <a
                  href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
                  rel="noreferrer noreferrer" target="_blank"
                  moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
                Documentation: <a
                  href="http://www.balabit.com/support/documentation/?product=syslog-ng"
                  rel="noreferrer noreferrer" target="_blank"
                  moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
                FAQ: <a
                  href="http://www.balabit.com/wiki/syslog-ng-faq"
                  rel="noreferrer noreferrer" target="_blank"
                  moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
                <br>
              </blockquote>
            </div>
          </div>
        </div>
      </blockquote>
      <pre class="moz-signature" cols="72">-- 
Dan Egli
From my Test Server</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Dan Egli
From my Test Server</pre>
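    <p>A worked model of the routing question raised in this thread, added here as an illustration and not code from the thread or from the syslog-ng project. It maps the RFC 3164 PRI of constructed sample lines to a facility code, implements the two filters (facility(local7) and its lowercase not negation), and assumes syslog-ng's documented behaviour of evaluating the elements of a log statement in the order written, so that a destination listed before a filter is not gated by that filter. The function names, the sample lines and the route() helper are this example's own.</p>

```python
"""Toy model of syslog-ng log-path evaluation for the two filters in the thread."""
# RFC 3164 facility codes (local7 is 23); severity occupies the low 3 bits of PRI.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

def parse(line):
    """Parse a constructed minimal line such as '<30>text'; PRI = facility * 8 + severity."""
    pri, text = line[1:].split(">", 1)
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7, "text": text}

def facility(name):
    """Model of syslog-ng's facility(<name>) filter function (hypothetical helper)."""
    code = FACILITIES[name]
    return lambda m: m["facility"] == code

def not_(f):
    """Model of the lowercase 'not' operator (uppercase NOT is not a keyword)."""
    return lambda m: not f(m)

def run_log_path(elements, msgs):
    """Evaluate one log statement in written order, as this model assumes
    syslog-ng does: a rejecting filter stops the walk, so a destination
    listed before the filter has already received the message."""
    out = {}
    for m in msgs:
        for kind, arg in elements:
            if kind == "filter" and not arg(m):
                break
            if kind == "destination":
                out.setdefault(arg, []).append(m["text"])
    return out

dhcpfilter = facility("local7")
nondhcp = not_(dhcpfilter)

def route(msgs, filter_first):
    """Run both log statements; filter_first=False reproduces the posted order."""
    out = {}
    for dest, flt in (("messages", nondhcp), ("dhcpd.log", dhcpfilter)):
        pair = [("filter", flt), ("destination", dest)]
        out.update(run_log_path(pair if filter_first else pair[::-1], msgs))
    return out

SAMPLE = [parse(l) for l in (  # constructed lines; PRI = facility * 8 + severity
    "<190>dhcpd: DHCPACK to 00:11:22:33:44:55",  # local7.info = 23*8 + 6
    "<30>systemd[1]: Started Network Service.",  # daemon.info = 3*8 + 6
    "<46>syslog-ng[42]: syslog-ng starting up",  # syslog.info = 5*8 + 6
)]
```

With the posted order both files receive all three lines, which matches the identical cmp result described above; with the filter placed before the destination the two files become complementary.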
  </body>
</html>