<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Okay, now I'm starting to get where I want. Only dhcpd messages
are going to dhcpd.log, which is great. BUT they are also going to
/var/log/messages, despite my attempts to block that. I have dhcpd
set to log to the local7 facility, and I have StandardOut and
StandardError set to null in my systemd service. So why is it all
going to BOTH places? What do I need to do in order to ensure that
logging info for dhcpd goes ONLY to dhcpd.log and not to messages
as well?<br>
</p>
<div class="moz-cite-prefix">On 12/16/2020 4:19 AM, Balazs Scheidler
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKcfE+YKo+Z34+xMoqyyX2ovARg2qeFQtnCJ0KWb4s40Q8p3Aw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">The elements in the log destination are processed
in order. So you have to insert the filter reference between the
source and the destination, and not after the destination.
<div dir="auto"><br>
</div>
<div dir="auto">This is to allow you to list multiple
destinations, potentially applying different filters/parsers
and other processing elements.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Dec 16, 2020, 07:58
Dan Egli <a class="moz-txt-link-rfc2396E" href="mailto:dan@newideatest.site"><dan@newideatest.site></a> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Sorry, I should have said I THOUGHT it was working well.
It loads cleanly, and I have systemd set to forward its
journal to the syslog, so syslog-ng is getting plenty of
info to log. The problem is that it's not listening to my
filter. I specifically have two filters. One to say only
what came in on local7, and the other is everything BUT
what came in on local7. Yet when I started syslog-ng I
got IDENTICAL content in both files. In fact, I did a
quick test: rm messages dhcpd.log && systemctl
restart syslog-ng@default. Then I ran a cmp on dhcpd.log
and messages, and they came back identical. So why is all
this stuff being written to the wrong files? Here's my
syslog-ng.conf file. Perhaps I did something wrong?</p>
<pre>options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};
filter dhcpfilter { facility(local7) };
filter nondhcp { not filter(dhcpfilter) };
source src { system(); internal(); };
destination messages { file("/var/log/messages"); };
destination dhcplog { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };
log { source(src); destination(messages); filter(nondhcp); };
log { source(src); destination(console_all); };
log { source(src); destination(dhcplog); filter(dhcpfilter); };
</pre>
<p><br>
</p>
<p>Notice in the first log line the mention of
filter(nondhcp) - i.e. messages NOT from dhcpd, and on the
3rd log line there is filter(dhcpfilter) which should be
only what comes across on local7. So why am I getting
systemd messages and syslog-ng messages and whatnot in my
dhcpd.log file?<br>
</p>
<div>On 12/15/2020 11:14 PM, Dan Egli wrote:<br>
</div>
<blockquote type="cite">
<p>syslog.local7 is a reference mnemonic of mine, sorry.
It refers to the local7 facility in syslog. And by
saying the not should be lowercase that fixed
everything. I don't know why the examples show it in
uppercase, but thank you very much!<br>
</p>
<div>On 12/15/2020 11:09 PM, Balazs Scheidler wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Dec 16,
2020, 06:04 Dan Egli <a
href="mailto:dan@newideatest.site"
target="_blank" rel="noreferrer"
moz-do-not-send="true"><dan@newideatest.site></a>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Help me understand this,
please? I have ISC dhcpd configured to log to <br>
syslog.local7 (since I don't see an option to
force it into its own log <br>
file).</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">Hmm syslog.local7 doesn't seem to be a
facility.severity pair.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Both syslog and localX are facility
codes, so either syslog or localX.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Syslog is normally reserved for the
syslog subsystem, so I wouldn't use that for dhcpd.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Also, logging and filtering based on
facility codes alone is not really flexible, as
facility codes have not kept up with changes in the
underlying system. There are dedicated codes for
legacy stuff like "news" which people rarely use,
but none for newer stuff like kafka or docker.</div>
<div dir="auto"><br>
</div>
<div dir="auto">So in most cases, I see people use the
PROGRAM field, or even the IP address of devices to
classify log messages.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Still, in your use case the current
set of facility codes could be just fine.</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"> </blockquote>
</div>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">So I went into my
syslog-ng file and created two filters, just <br>
like on the example page of <a
href="http://syslog-ng.com" rel="noreferrer
noreferrer noreferrer" target="_blank"
moz-do-not-send="true">syslog-ng.com</a>:<br>
<br>
filter dhcpmsgs { facility(23) );<br>
</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">This would filter on facility code 23;
each facility is mapped to a numeric code. I can't
remember what 23 is, but you can check RFC 3164 for
the exact assignment. </div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"> filter non_dhcp { NOT
filter(dhcpmsgs) );<br>
</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">Negation should be lower case, e.g.
"not"</div>
<div dir="auto">The closing paren should be a closing
brace (e.g. "}")</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
I quoted almost directly from the example page
on <a href="http://syslog-ng.com"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">syslog-ng.com</a>,
but I <br>
keep getting this error when I reload
syslog-ng's config:<br>
Error parsing filter expression, filter plugin
NOT not found OR you may <br>
not used double quotes in your filter expression
in <br>
/etc/syslog-ng/syslog-ng.conf:25:18-25:21:<br>
<br>
What did I do wrong? Here's the lines I modified
from the syslog-ng page:<br>
filter demo_filter { host("example") and
match("deny" value("MESSAGE")) };<br>
filter inverted_demo_filter { NOT
filter(demo_filter) }<br>
<br>
You can see the page at: <br>
<a
href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53</a>
<br>
<br>
<br>
-- <br>
Dan Egli<br>
From my Test Server<br>
<br>
______________________________________________________________________________<br>
Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
<pre cols="72">--
Dan Egli
From my Test Server</pre>
</blockquote>
<pre cols="72">--
Dan Egli
From my Test Server</pre>
</div>
</blockquote>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Dan Egli
From my Test Server</pre>
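<p>The ordering rule Balazs describes (the elements of a log path are processed in order, so a filter placed after a destination never affects that destination) can be checked with a small model. The Python below is an added example, not code from the thread or from syslog-ng: it parses the two filter forms and the log statements exactly as posted above and replays two constructed messages through the first log statement as written and with filter(nondhcp) moved ahead of destination(messages). The facility table follows RFC 3164, which Balazs points to; the processing model is a deliberate simplification of syslog-ng's real behaviour.</p>

```python
import re

# RFC 3164 facility codes, the numeric values a facility() filter can also take;
# local7, which dhcpd logs to in the thread, is 23.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}

def parse_filter(stmt):
    """Parse the two filter forms from the thread: facility(<name|number>) and
    'not filter(<name>)'. Uppercase NOT is rejected, mirroring syslog-ng's error."""
    name, body = re.match(r"filter\s+(\w+)\s*\{(.*)\}\s*;?\s*$", stmt, re.S).groups()
    m = re.fullmatch(r"\s*facility\(\s*(\w+)\s*\)\s*", body)
    if m:
        code = int(m.group(1)) if m.group(1).isdigit() else FACILITIES[m.group(1)]
        return name, lambda msg, fs: msg["facility"] == code
    m = re.fullmatch(r"\s*not\s+filter\(\s*(\w+)\s*\)\s*", body)
    if m:
        inner = m.group(1)
        return name, lambda msg, fs: not fs[inner](msg, fs)
    raise ValueError(f"error parsing filter expression: {body.strip()!r}")

def parse_log_path(stmt):
    """Return the ordered (kind, name) elements of one 'log { ... };' statement."""
    body = re.match(r"log\s*\{(.*)\}\s*;?\s*$", stmt, re.S).group(1)
    return re.findall(r"(source|filter|destination)\(\s*(\w+)\s*\)\s*;", body)

def run_log_path(elements, filters, messages):
    """Simplified model of in-order processing: a destination receives every message
    that reaches it; a message failing a filter goes no further along the path."""
    delivered = {}
    for msg in messages:
        for kind, name in elements:
            if kind == "destination":
                delivered.setdefault(name, []).append(msg["text"])
            elif kind == "filter" and not filters[name](msg, filters):
                break
    return delivered

def compare_orderings():
    """Replay two constructed messages through the thread's first log statement as
    posted, and again with filter(nondhcp) moved ahead of destination(messages)."""
    filters = dict(parse_filter(s) for s in (
        "filter dhcpfilter { facility(local7) };",
        "filter nondhcp { not filter(dhcpfilter) };"))
    msgs = [{"facility": FACILITIES["local7"], "text": "dhcpd: DHCPACK on 192.0.2.10"},
            {"facility": FACILITIES["daemon"], "text": "systemd: Started dhcpd"}]
    as_posted = parse_log_path("log { source(src); destination(messages); filter(nondhcp); };")
    fixed = parse_log_path("log { source(src); filter(nondhcp); destination(messages); };")
    return run_log_path(as_posted, filters, msgs), run_log_path(fixed, filters, msgs)
```

<p>compare_orderings() returns the per-destination delivery for both orderings: as posted, /var/log/messages receives the dhcpd line as well; with the filter moved in front of the destination, only the non-local7 line reaches it.</p>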
</body>
</html>