<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>syslog.local7 is a reference mnemonic of mine, sorry. It refers
      to the local7 facility in syslog. And by saying the not should be
      lowercase that fixed everything. I don't know why the examples
      show it in uppercase, but thank you very much!<br>
    </p>
    <div class="moz-cite-prefix">On 12/15/2020 11:09 PM, Balazs
      Scheidler wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAKcfE+ZyKNMe5QzEhEfAm3AB6W63waAMjk92G2Q+LMMAdn62+Q@mail.gmail.com">
      <div dir="auto">
        <div><br>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Wed, Dec 16, 2020,
              06:04 Dan Egli <a class="moz-txt-link-rfc2396E" href="mailto:dan@newideatest.site">&lt;dan@newideatest.site&gt;</a> wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">Help me
              understand this, please?  I have ISC dhcpd configured to
              log to <br>
              syslog.local7 (since I don't see an option to force it
              into its own log <br>
              file).</blockquote>
          </div>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Hmm syslog.local7 doesn't seem to be a
          facility.severity pair.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Both syslog and localX are facility codes, so
          either syslog or localX.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Syslog is normally reserved for the syslog
          subsystem, so I wouldn't use that for dhcpd.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Also, logging and filtering based on facility
          codes alone is not really flexible, as facility codes were not
          kept up with changes of the underlying system. There are
          dedicated codes for legacy stuff like "news" which people
          rarely use, but lack newer stuff like kafka or docker.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">So in most cases, I see people use the PROGRAM
          field, or even the IP address of devices to classify log
          messages.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Still, in your use case the current set of
          facility codes could be just fine.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">So I
              went into my syslog-ng file and created two filters, just
              <br>
              like on the example page of <a
                href="http://syslog-ng.com" rel="noreferrer noreferrer"
                target="_blank" moz-do-not-send="true">syslog-ng.com</a>:<br>
              <br>
              filter dhcpmsgs { facility(23) );<br>
            </blockquote>
          </div>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">This would filter on facility code 23. Each
          facility is mapped to a numeric code; I can't remember what
          23 is, but you can check RFC 3164 for the exact assignment. </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              filter non_dhcp { NOT filter(dhcpmsgs) );<br>
            </blockquote>
          </div>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Negation should be lower case, e.g. "not"</div>
        <div dir="auto">The closing paren should be a closing brace
          (e.g. "}")</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <br>
              I quoted almost directly from the example page on <a
                href="http://syslog-ng.com" rel="noreferrer noreferrer"
                target="_blank" moz-do-not-send="true">syslog-ng.com</a>,
              but I <br>
              keep getting this error when I reload syslog-ng's config:<br>
              Error parsing filter expression, filter plugin NOT not
              found OR you may <br>
              not used double quotes in your filter expression in <br>
              /etc/syslog-ng/syslog-ng.conf:25:18-25:21:<br>
              <br>
              What did I do wrong? Here's the lines I modified from the
              syslog-ng page:<br>
              filter demo_filter { host("example") and match("deny"
              value("MESSAGE")) };<br>
              filter inverted_demo_filter { NOT filter(demo_filter) }<br>
              <br>
              You can see the page at: <br>
              <a
href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53"
                rel="noreferrer noreferrer" target="_blank"
                moz-do-not-send="true">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53</a>
              <br>
              <br>
              <br>
              -- <br>
              Dan Egli<br>
               From my Test Server<br>
              <br>
______________________________________________________________________________<br>
              Member info: <a
                href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
                rel="noreferrer noreferrer" target="_blank"
                moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
              Documentation: <a
                href="http://www.balabit.com/support/documentation/?product=syslog-ng"
                rel="noreferrer noreferrer" target="_blank"
                moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
              FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq"
                rel="noreferrer noreferrer" target="_blank"
                moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
              <br>
            </blockquote>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Dan Egli
From my Test Server</pre>
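    <p>The two fixes discussed in this thread, applied to the filters
      from the question, as an added example that is not part of the
      original messages. The source name s_src, the destination names,
      the file paths and the dhcp_by_program filter are assumptions;
      the fragment is meant to be merged into an existing
      syslog-ng.conf.</p>
    <pre>
```conf
# Added example; s_src, d_dhcp, d_other and the file paths are assumed names.

# Broken form from the thread, kept as comments for comparison:
#   filter dhcpmsgs { facility(23) );
#   filter non_dhcp { NOT filter(dhcpmsgs) );
# Problems: the block is closed with ")" instead of "}", and NOT is uppercase.

# Facility code 23 is local7 in the RFC 3164 numbering; the name is easier
# to audit than the number.
filter dhcpmsgs { facility(local7); };

# Boolean operators in filter expressions are lowercase: and, or, not.
filter non_dhcp { not filter(dhcpmsgs); };

# Alternative mentioned in the reply: classify on the PROGRAM field
# instead of the facility.
filter dhcp_by_program { program("dhcpd"); };

destination d_dhcp  { file("/var/log/dhcpd.log"); };
destination d_other { file("/var/log/messages"); };

# dhcpd messages go to their own file, everything else to the general log.
log { source(s_src); filter(dhcpmsgs); destination(d_dhcp); };
log { source(s_src); filter(non_dhcp); destination(d_other); };
```
</pre>
    <p>Running <code>syslog-ng --syntax-only</code> before reloading
      reports parse errors such as the one quoted above without
      touching the running daemon.</p>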
  </body>
</html>