<div dir="auto">Last I checked, Samba was logging as "smbd". </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 7, 2021, 08:41 Dan Egli <dan@newideatest.site> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>It's not just ssh. Samba messages are appearing in
/var/log/messages also. I just noticed that. But as to my ssh, the
config file specifically says to use facility auth and level info.
I suppose I could change it to program("sshd") or something, but
since program("samba") is also slipping through, then I'm not sure
that is going to fix anything.<br>
</p>
<div>On 4/7/2021 12:38 AM, Balazs Scheidler
wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">
<div>Your ssh_messages filter reads</div>
<div dir="auto"><br>
</div>
<div dir="auto"><span style="font-family:sans-serif">filter
ssh_messages { facility("AUTH") and level("INFO"); };</span></div>
<div dir="auto"><font face="sans-serif"><br>
</font></div>
<div dir="auto"><font face="sans-serif">Are you sure all ssh
related messages are logged at <a href="http://auth.info" target="_blank" rel="noreferrer">auth.info</a>?</font></div>
<div dir="auto"><font face="sans-serif"><br>
</font></div>
<div dir="auto"><font face="sans-serif">Note that, unlike syslogd,
level(info) will only match "info" exactly and not info and
up. To match a range, you can use level(info..emerg).</font></div>
<div dir="auto"><font face="sans-serif"><br>
</font></div>
<div dir="auto"><font face="sans-serif">Also, why don't you just
match on program name? E.g. program("sshd") or something?</font></div>
<div dir="auto"><font face="sans-serif"><br>
</font></div>
<div dir="auto"><font face="sans-serif">And one last note: once
you deliver a message using flags(final) you won't need to
negate the filter in subsequent log paths. Syslog-ng would
simply stop processing at flags(final).<br>
</font><br>
<div class="gmail_quote" dir="auto">
<div dir="ltr" class="gmail_attr">On Wed, Apr 7, 2021, 08:06
Dan Egli <a href="mailto:dan@newideatest.site" target="_blank" rel="noreferrer"><dan@newideatest.site></a> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">No joy.
I tried swapping it different ways.<br>
<br>
filter -> source -> destination = combined<br>
source -> filter -> destination = combined<br>
<br>
Here's what my config looks like now, after the second
variant:<br>
<br>
@version: 3.30<br>
<br>
@include "scl.conf"<br>
<br>
options {<br>
threaded(yes);<br>
chain_hostnames(no);<br>
stats_freq(43200);<br>
mark_freq(3600);<br>
};<br>
<br>
source src { system(); internal(); };<br>
<br>
filter samba { program("samba"); };<br>
filter ssh_messages { facility("AUTH") and level("INFO");
};<br>
filter syslog { not filter("ssh_messages") and not
filter("samba"); };<br>
<br>
destination console { file("/dev/tty12"); };<br>
destination messages { file("/var/log/messages"); };<br>
destination sshd_log { file("/var/log/sshd/sshd.log"); };<br>
destination smb_logs { file("/var/log/samba/samba.log");
};<br>
<br>
log { source(src); filter(samba); destination(smb_logs);
flags(final); };<br>
log { source(src); filter(ssh_messages);
destination(sshd_log); <br>
flags(final); };<br>
log { source(src); filter(syslog); destination(console);
};<br>
log { source(src); filter(syslog); destination(messages);
};<br>
<br>
<br>
Still, sshd messages are appearing in /var/log/messages.<br>
<br>
On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:<br>
> Hello,<br>
><br>
> The order in the configuration matters.<br>
> log { source(src); destination(console);
filter(syslog); };<br>
> The message flow is the following in your example
source(src) -> destination(console) ->
filter(syslog) -> void<br>
> The filter receives messages only after the destination;
if you switch filter and destination it should be fine.<br>
><br>
> --<br>
> kokan<br>
><br>
> ________________________________________<br>
> From: syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Dan Egli <a href="mailto:dan@newideatest.site" target="_blank" rel="noreferrer"><dan@newideatest.site></a><br>
> Sent: 07 April 2021 07:17<br>
> To: <a href="mailto:syslog-ng@lists.balabit.hu" rel="noreferrer noreferrer" target="_blank">syslog-ng@lists.balabit.hu</a><br>
> Subject: [syslog-ng] Syslog-ng not honoring negative
flag<br>
><br>
> I'm having a bit of a problem and hope someone here
can help. I'm trying<br>
> to separate individual items into specific logs, i.e.
ssh events in<br>
> sshd.log, samba messages in samba.log, etc...<br>
><br>
> I managed to come up with filters that pull out the
events I started<br>
> with, and they are going into the correct log files.
But they are ALSO<br>
> going into /var/log/messages even though I
specifically have a filter on<br>
> that one that says not to include samba or sshd
events. I'll copy my<br>
> config file here. Hopefully someone can tell me what
I did wrong.<br>
><br>
> Thanks!<br>
><br>
> ---------------------------------------------<br>
> @version: 3.30<br>
><br>
> @include "scl.conf"<br>
><br>
> options {<br>
> threaded(yes);<br>
> chain_hostnames(no);<br>
> stats_freq(43200);<br>
> mark_freq(3600);<br>
> };<br>
><br>
> source src { system(); internal(); };<br>
><br>
> filter samba { program("samba"); };<br>
> filter ssh_messages { facility("AUTH") and
level("INFO"); };<br>
> filter syslog { not filter("ssh_messages") and not
filter("samba"); };<br>
><br>
> destination console { file("/dev/tty12"); };<br>
> destination messages { file("/var/log/messages"); };<br>
> destination sshd_log {
file("/var/log/sshd/sshd.log"); };<br>
> destination smb_logs {
file("/var/log/samba/samba.log"); };<br>
><br>
> log { source(src); destination(smb_logs);
filter(samba); flags(final); };<br>
> log { source(src); destination(sshd_log);
filter(ssh_messages);<br>
> flags(final); };<br>
> log { source(src); destination(console);
filter(syslog); };<br>
> log { source(src); destination(messages);
filter(syslog); };<br>
><br>
>
______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
</blockquote></div>
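<p>Putting the three points raised in the thread together (filter before destination inside a log path, program-name matching instead of facility/priority, and flags(final) in place of negated filters), here is a corrected version of the poster's configuration. This is an added example, not a configuration from the original thread or from the syslog-ng project. The Samba program names are an assumption: smbd as reported in the thread, plus nmbd and winbindd, the other daemons a Samba server commonly runs; the filter f_auth_info_up is included only to show the level range syntax and is not wired to a log path.</p>

```conf
@version: 3.30
@include "scl.conf"

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

# Match on the program name rather than on facility/priority. The Samba
# daemon names below are an assumption (smbd from the thread; nmbd and
# winbindd added for completeness); adjust to what `logger -t` style
# identifiers actually appear on the host.
filter f_samba { program("^(smbd|nmbd|winbindd)$"); };
filter f_sshd  { program("^sshd$"); };

# If a priority filter is really wanted: level(info) matches exactly one
# level, so use a range to cover info and everything more severe.
# (Defined here to show the syntax; not referenced by a log path below.)
filter f_auth_info_up { facility(auth, authpriv) and level(info..emerg); };

destination console  { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };

# Element order inside a log path is significant: the filter must come
# before the destination, otherwise the destination receives every
# message before the filter is evaluated. flags(final) stops processing
# of a matched message in this path, so the catch-all path below never
# sees it and no "not filter(...)" is needed.
log { source(src); filter(f_samba); destination(smb_logs); flags(final); };
log { source(src); filter(f_sshd);  destination(sshd_log); flags(final); };

# Everything not claimed by a final path above.
log { source(src); destination(console); destination(messages); };
```

<p>Check the file before reloading with <code>syslog-ng --syntax-only -f /path/to/syslog-ng.conf</code>, then send a test message that carries the sshd program name, <code>logger -p auth.info -t sshd "routing test"</code>, and confirm it shows up in /var/log/sshd/sshd.log and not in /var/log/messages. Because the catch-all path relies on flags(final) in the earlier paths, any new per-program path you add later must also carry flags(final), or its messages will be duplicated into /var/log/messages.</p>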