<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Looks like there's a bug in the latest version of Thunderbird or
      something, because I see three messages that are incomplete copies
      of what I am about to send. I will look further into that while I
      wait for more advice from you guys.<br>
    </p>
    <div class="moz-cite-prefix">On 4/7/2021 7:19 PM, Dan Egli wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:0be95133-9079-cf34-60a9-defe35fc8326@newideatest.site">
      <p>Those are the only ones I'm seeing in either log. Let me test
        it a bit, see if startup/shutdown messages occur too.</p>
      <p>Not only that, I am seeing samba messages in the sshd log, and
        I should not. When I do lsof, it seems the samba daemon is
        writing its own logs, so it's not surprising that there are no
        errors in that log. But why am I seeing samba messages in
        sshd.log, and why am I seeing samba and sshd in
        /var/log/messages?</p>
      <p>And if what you say about the security/auth is correct, then
        something else is screwy here because I ONLY have auth/info
        listed. NOT authpriv. Frankly, I'd say that it sounds like I
        need to just change to program("sshd") but I'm not sure if that
        will fix anything. I'll do that, just to see. <br>
      </p>
      <div class="moz-cite-prefix">On 4/7/2021 12:48 PM, SZALAY Attila
        wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:57ca4e46e3ad55227fbfdcf7fc804a057a30fbc6.camel@ubainba.hu">
        <div>Hi Dan,</div>
        <div><br>
        </div>
        <div>The next important question is whether you see all sshd log
          messages in /var/log/messages or just some of them. I see two
          kinds of sshd-related log messages:</div>
        <div><br>
        </div>
        <div>[2021-04-07T12:29:43.875056] Incoming log entry;
          line='&lt;38&gt;Apr 7 12:29:43 sshd[30745]: Accepted
          keyboard-interactive/pam for dan from XXXX port 40747 ssh2'</div>
        <div>[2021-04-07T12:29:43.878136] Incoming log entry;
          line='&lt;86&gt;Apr 7 12:29:43 sshd[30745]:
          pam_unix(sshd:session): session opened for user dan(uid=1001)
          by (uid=0)'</div>
        <div><br>
        </div>
        <div>As the two have different values in &lt;&gt;, at least one
          of them differs from auth/info.</div>
        <div><br>
        </div>
        <div>By the way, &lt;38&gt; is security(4)/info and &lt;86&gt; is
          security(10)/info. So both are security/auth messages in some
          way but still different facilities (4 and 6), which are called
          auth(4) and authpriv(10) within syslog-ng.</div>
        <div><br>
        </div>
        <div>On Wed, 2021-04-07 at 12:35 -0600, Dan Egli wrote:</div>
        <blockquote type="cite" style="margin:0 0 0 .8ex;
          border-left:2px #729fcf solid;padding-left:1ex">
          <div> Okay. I captured a couple of minutes' worth of syslog-ng
            running. It's too big to post (1.5MB) so I put it up on my
            web server. You can see it at: <a
              class="moz-txt-link-freetext"
              href="https://www.newideatest.site/syslog-out"
              moz-do-not-send="true">https://www.newideatest.site/syslog-out</a><br>
          </div>
          <div class="moz-cite-prefix">On 4/7/2021 12:07 PM, SZIGETVÁRI
            János wrote:<br>
          </div>
          <div dir="ltr">
            <div>Hello Dan,</div>
            <div><br>
            </div>
            <div>I believe that Bazsi (Balázs) wasn't really looking for
              the startup messages about the config being parsed, but
              instead about the debug/trace output of the log processing
              pipeline.</div>
            <div>There he would be able to check which filters were run
              against a certain message (its actual content too), and
              what result those filters returned.</div>
            <div>I think that's what he's primarily after.</div>
            <div><br>
            </div>
            <div>Best Regards,</div>
            <div>János</div>
          </div>
          <div> <br>
          </div>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">Dan Egli <a
                class="moz-txt-link-rfc2396E"
                href="mailto:dan@newideatest.site"
                moz-do-not-send="true">&lt;dan@newideatest.site&gt;</a>
              wrote (on Wed, Apr 7, 2021, 20:02):<br>
            </div>
            <br>
            <blockquote type="cite" style="margin:0 0 0 .8ex;
              border-left:2px #729fcf solid;padding-left:1ex">
              <div>
                <p>Syslog-ng is NOT complaining about my config at all.
                  I've included the output from the -Fedv below. Other
                  than what I would call "routine" errors in the scl
                  section, no complaints.</p>
                <p>---------------------------------<br>
                  [2021-04-07T11:52:21.155272] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='floor'<br>
                  [2021-04-07T11:52:21.155275] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='ipv4-to-int'<br>
                  [2021-04-07T11:52:21.155277] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='indent-multi-line'<br>
                  [2021-04-07T11:52:21.155279] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='dns-resolve-ip'<br>
                  [2021-04-07T11:52:21.155281] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='env'<br>
                  [2021-04-07T11:52:21.155284] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='template'<br>
                  [2021-04-07T11:52:21.155286] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='url-encode'<br>
                  [2021-04-07T11:52:21.155288] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='url-decode'<br>
                  [2021-04-07T11:52:21.155291] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='base64-encode'<br>
                  [2021-04-07T11:52:21.155294] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='iterate'<br>
                  [2021-04-07T11:52:21.155297] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='map'<br>
                  [2021-04-07T11:52:21.155300] Registering candidate
                  plugin; module='basicfuncs', context='template-func',
                  name='filter'<br>
                  [2021-04-07T11:52:21.155330] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libazure-auth-header.so',
                  module='azure-auth-header'<br>
                  [2021-04-07T11:52:21.155422] Registering candidate
                  plugin; module='azure-auth-header',
                  context='inner-dest', name='azure-auth-header'<br>
                  [2021-04-07T11:52:21.155440] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libappmodel.so', module='appmodel'<br>
                  [2021-04-07T11:52:21.155445] Registering candidate
                  plugin; module='appmodel', context='root',
                  name='application'<br>
                  [2021-04-07T11:52:21.155448] Registering candidate
                  plugin; module='appmodel', context='parser',
                  name='app-parser'<br>
                  [2021-04-07T11:52:21.155450] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libafuser.so', module='afuser'<br>
                  [2021-04-07T11:52:21.155549] Registering candidate
                  plugin; module='afuser', context='destination',
                  name='usertty'<br>
                  [2021-04-07T11:52:21.155565] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libafstomp.so', module='afstomp'<br>
                  [2021-04-07T11:52:21.155641] Registering candidate
                  plugin; module='afstomp', context='destination',
                  name='stomp'<br>
                  [2021-04-07T11:52:21.155653] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libafsocket.so', module='afsocket'<br>
                  [2021-04-07T11:52:21.155816] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='unix-stream'<br>
                  [2021-04-07T11:52:21.155821] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='unix-stream'<br>
                  [2021-04-07T11:52:21.155824] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='unix-dgram'<br>
                  [2021-04-07T11:52:21.155827] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='unix-dgram'<br>
                  [2021-04-07T11:52:21.155829] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='tcp'<br>
                  [2021-04-07T11:52:21.155832] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='tcp'<br>
                  [2021-04-07T11:52:21.155834] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='tcp6'<br>
                  [2021-04-07T11:52:21.155837] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='tcp6'<br>
                  [2021-04-07T11:52:21.155839] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='udp'<br>
                  [2021-04-07T11:52:21.155841] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='udp'<br>
                  [2021-04-07T11:52:21.155844] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='udp6'<br>
                  [2021-04-07T11:52:21.155846] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='udp6'<br>
                  [2021-04-07T11:52:21.155857] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='syslog'<br>
                  [2021-04-07T11:52:21.155860] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='syslog'<br>
                  [2021-04-07T11:52:21.155863] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='network'<br>
                  [2021-04-07T11:52:21.155865] Registering candidate
                  plugin; module='afsocket', context='destination',
                  name='network'<br>
                  [2021-04-07T11:52:21.155867] Registering candidate
                  plugin; module='afsocket', context='source',
                  name='systemd-syslog'<br>
                  [2021-04-07T11:52:21.155886] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libafprog.so', module='afprog'<br>
                  [2021-04-07T11:52:21.155979] Registering candidate
                  plugin; module='afprog', context='source',
                  name='program'<br>
                  [2021-04-07T11:52:21.155986] Registering candidate
                  plugin; module='afprog', context='destination',
                  name='program'<br>
                  [2021-04-07T11:52:21.156000] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libaffile.so', module='affile'<br>
                  [2021-04-07T11:52:21.156140] Registering candidate
                  plugin; module='affile', context='source', name='file'<br>
                  [2021-04-07T11:52:21.156176] Registering candidate
                  plugin; module='affile', context='source', name='pipe'<br>
                  [2021-04-07T11:52:21.156181] Registering candidate
                  plugin; module='affile', context='source',
                  name='wildcard_file'<br>
                  [2021-04-07T11:52:21.156184] Registering candidate
                  plugin; module='affile', context='source',
                  name='stdin'<br>
                  [2021-04-07T11:52:21.156187] Registering candidate
                  plugin; module='affile', context='destination',
                  name='file'<br>
                  [2021-04-07T11:52:21.156189] Registering candidate
                  plugin; module='affile', context='destination',
                  name='pipe'<br>
                  [2021-04-07T11:52:21.156209] Reading shared object for
                  a candidate module; path='/usr/lib64/syslog-ng',
                  fname='libadd-contextual-data.so',
                  module='add-contextual-data'<br>
                  [2021-04-07T11:52:21.156308] Registering candidate
                  plugin; module='add-contextual-data',
                  context='parser', name='add_contextual_data'<br>
                  [2021-04-07T11:52:21.156434] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/apache/apache.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156450] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156674] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156687] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156832] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156841] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156931] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.156943] Starting to read include
                  file;
filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157022] Finishing include;
filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157029] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157074] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157078] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157107] Included file was skipped
                  because of a missing module; module='mod-java',
                  location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1'<br>
                  [2021-04-07T11:52:21.157109] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157114] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157173] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157179] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157232] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157236] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157262] Included file was skipped
                  because of a missing module; module='mod-java',
                  location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1'<br>
                  [2021-04-07T11:52:21.157264] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157269] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157309] Global value changed;
                  define='kafka-implementation', value='kafka-java'<br>
                  [2021-04-07T11:52:21.157328] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157336] Starting to read include
                  file;
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157375] Finishing include;
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157379] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157493] Module loaded and
                  initialized successfully; module='confgen'<br>
                  [2021-04-07T11:52:21.157512] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157519] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157559] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157565] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157597] Included file was skipped
                  because of a missing module; module='pacctformat',
                  location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1'<br>
                  [2021-04-07T11:52:21.157600] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157605] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157905] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157919] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.157969] Global value changed;
                  define='balabit.credit-card-regexp',
value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})'<br>
                  [2021-04-07T11:52:21.157998] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.158007] Starting to read include
                  file;
filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.158073] Finishing include;
filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.158079] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.158120] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.158131] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161593] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161620] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161724] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161729] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161803] Module loaded and
                  initialized successfully; module='confgen'<br>
                  [2021-04-07T11:52:21.161808] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161815] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161853] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161860] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161951] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.161964] Starting to read include
                  file;
                  filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.162008] Finishing include;
                  filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
                  depth='2'<br>
                  [2021-04-07T11:52:21.162024] Global value changed;
                  define='java-module-dir',
                  value='/usr/lib64/syslog-ng/java-modules'<br>
                  [2021-04-07T11:52:21.162028] Finishing include;
                  filename='/etc/syslog-ng/scl.conf', depth='1'<br>
                  [2021-04-07T11:52:21.162157] Module loaded and
                  initialized successfully; module='system-source'<br>
                  [2021-04-07T11:52:21.162188] system(): Enabling Linux
                  kernel log device; device='/dev/kmsg',
                  format='linux-kmsg'<br>
                  [2021-04-07T11:52:21.162403] Module loaded and
                  initialized successfully; module='afsocket'<br>
                  [2021-04-07T11:52:21.162936] Module loaded and
                  initialized successfully; module='affile'<br>
                  [2021-04-07T11:52:21.163175] Module loaded and
                  initialized successfully; module='kvformat'<br>
                  [2021-04-07T11:52:21.163192] Finishing include;
                  content='block parser iptables-parser() at
                  /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23',
                  depth='3'<br>
                  [2021-04-07T11:52:21.163568] Module loaded and
                  initialized successfully; module='csvparser'<br>
                  [2021-04-07T11:52:21.164457] Finishing include;
                  content='block parser panos-parser() at
                  /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29',
                  depth='3'<br>
                  [2021-04-07T11:52:21.164880] Module loaded and
                  initialized successfully; module='basicfuncs'<br>
                  [2021-04-07T11:52:21.164936] Finishing include;
                  content='block parser sudo-parser() at
                  /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23',
                  depth='3'<br>
                  [2021-04-07T11:52:21.164995] Finishing include;
                  content='parser generator app-parser', depth='2'<br>
                  [2021-04-07T11:52:21.165016] Finishing include;
                  content='source generator system', depth='1'<br>
                  [2021-04-07T11:52:21.165525] Module loaded and
                  initialized successfully; module='syslogformat'<br>
                  [2021-04-07T11:52:21.165711] Module loaded and
                  initialized successfully; module='linux-kmsg-format'<br>
                  [2021-04-07T11:52:21.165966] Running application
                  hooks; hook='1'<br>
                  [2021-04-07T11:52:21.165971] Running application
                  hooks; hook='6'<br>
                  [2021-04-07T11:52:21.165984] syslog-ng starting up;
                  version='3.30.1'<br>
                  [2021-04-07T11:52:21.165989] Running application
                  hooks; hook='2'<br>
                  [2021-04-07T11:52:39.961046] Running application
                  hooks; hook='3'<br>
                  [2021-04-07T11:52:39.961090] syslog-ng shutting down;
                  version='3.30.1'<br>
                  [2021-04-07T11:52:40.061679] Running application
                  hooks; hook='4'<br>
-----------------------------------------------------------------------------<br>
                </p>
                <div>On 4/7/2021 4:51 AM, Balazs Scheidler wrote:<br>
                </div>
                <br>
                <blockquote type="cite" style="margin:0 0 0 .8ex;
                  border-left:2px #729fcf solid;padding-left:1ex">
                  <div dir="ltr">
                    <div>can you start syslog-ng in the foreground and
                      look at the startup messages?</div>
                    <div><br>
                    </div>
                    <div>e.g. stop the background process (via systemd
                      or your init system), and run syslog-ng from a
                      root prompt:<br>
                    </div>
                    <div><br>
                    </div>
                    <div># /usr/sbin/syslog-ng -Fedv</div>
                    <div><br>
                    </div>
                    <div>This should start syslog-ng in the foreground
                      (-F), direct internal messages to stderr (-e), and
                      enable debug/verbose messages. Then look at the
                      messages to see if syslog-ng is complaining about
                      your configuration or not.</div>
                    <div><br>
                    </div>
                    <div>Cheers,</div>
                    <div>Bazsi<br>
                    </div>
                    <div><br>
                    </div>
                  </div>
                  <div> <br>
                  </div>
                  <div class="gmail_quote">
                    <div dir="ltr" class="gmail_attr">On Wed, Apr 7,
                      2021 at 9:08 AM Dan Egli <a
                        href="mailto:dan@newideatest.site"
                        target="_blank" moz-do-not-send="true">&lt;dan@newideatest.site&gt;</a>
                      wrote:<br>
                    </div>
                    <br>
                    <blockquote type="cite" style="margin:0 0 0 .8ex;
                      border-left:2px #729fcf solid;padding-left:1ex">
                      <div>
                        <p>Don't know how that slipped in there. And
                          syslog-ng never mentioned it. It's fixed now,
                          and the behavior is unchanged. sshd messages
                          still appear in /var/log/messages.</p>
                        <p><br>
                        </p>
                        <div>On 4/7/2021 12:55 AM, Balazs Scheidler
                          wrote:<br>
                        </div>
                        <br>
                        <blockquote type="cite" style="margin:0 0 0
                          .8ex; border-left:2px #729fcf
                          solid;padding-left:1ex">
                          <div dir="auto">
                            <div><br>
                              <br>
                              <div class="gmail_quote">
                                <div dir="ltr" class="gmail_attr">On
                                  Wed, Apr 7, 2021, 08:06 Dan Egli <a
                                    href="mailto:dan@newideatest.site"
                                    target="_blank"
                                    moz-do-not-send="true">&lt;dan@newideatest.site&gt;</a>
                                  wrote:<br>
                                </div>
                                <br>
                                <blockquote type="cite" style="margin:0
                                  0 0 .8ex; border-left:2px #729fcf
                                  solid;padding-left:1ex">
                                  <div>No joy. I tried swapping it
                                    different ways.<br>
                                    <br>
                                    filter -> source ->
                                    destination = combined<br>
                                    source -> filter ->
                                    destination = combined<br>
                                    <br>
                                    Here's what my config looks like
                                    now, after the second variant:<br>
                                    <br>
                                    @version: 3.30<br>
                                    <br>
                                    @include "scl.conf"<br>
                                    <br>
                                    options {<br>
                                         threaded(yes);<br>
                                         chain_hostnames(no);<br>
                                         stats_freq(43200);<br>
                                         mark_freq(3600);<br>
                                    };<br>
                                    <br>
                                    source src { system(); internal();
                                    };<br>
                                    <br>
                                    filter samba { program("samba"); };<br>
                                    filter ssh_messages {
                                    facility("AUTH") and level("INFO");
                                    };<br>
                                    filter syslog { not
                                    filter("ssh_messages") and not
                                    filter("samba"); };<br>
                                    <br>
                                    destination console {
                                    file("/dev/tty12"); };<br>
                                    destination messages {
                                    file("/var/log/messages"); };<br>
                                    destination sshd_log {
                                    file("/var/log/sshd/sshd.log"); };<br>
                                    destination smb_logs {
                                    file("/var/log/samba/samba.log"); };<br>
                                    <br>
                                    log { source(src); filter(samba);
                                    destination(smb_logs); flags(final);
                                    );<br>
                                  </div>
                                  <br>
                                </blockquote>
                              </div>
                            </div>
                            <div dir="auto"><br>
                            </div>
                            <div dir="auto">You are using a closing
                              paren instead of a brace. This config has
                              a syntax error. Possibly syslog-ng fell
                              back to the original config, once it
                              reported a syntax error.</div>
                            <div dir="auto"><br>
                            </div>
                            <div dir="auto"><br>
                            </div>
                            <div dir="auto">
                              <div class="gmail_quote"> <br>
                                <blockquote type="cite" style="margin:0
                                  0 0 .8ex; border-left:2px #729fcf
                                  solid;padding-left:1ex">
                                  <div> log { source(src);
                                    filter(ssh_messages);
                                    destination(sshd_log); <br>
                                    flags(final); };<br>
                                    log { source(src); filter(syslog);
                                    destination(console); };<br>
                                    log { source(src); filter(syslog);
                                    destination(messages); };<br>
                                    <br>
                                    <br>
                                    Still, sshd messages are appearing
                                    in /var/log/messages.<br>
                                    <br>
                                    On 4/6/2021 11:51 PM, Peter Kokai
                                    (pkokai) wrote:<br>
                                    > Hello,<br>
                                    ><br>
                                    > The order in the configuration
                                    matters.<br>
                                    > log { source(src);
                                    destination(console);
                                    filter(syslog); };<br>
                                    > The message flow is the
                                    following in your example
                                    source(src) ->
                                    destination(console) ->
                                    filter(syslog) -> void<br>
                                    > The filter receives messages
                                    only after destination, if you
                                    switch filter and destination it
                                    should be fine.<br>
                                    ><br>
                                    > --<br>
                                    > kokan<br>
                                    ><br>
                                    >
                                    ________________________________________<br>
                                    > From: syslog-ng <<a
                                      href="mailto:syslog-ng-bounces@lists.balabit.hu"
                                      rel="noreferrer" target="_blank"
                                      moz-do-not-send="true">syslog-ng-bounces@lists.balabit.hu</a>>
                                    on behalf of Dan Egli <a
                                      href="mailto:dan@newideatest.site"
                                      target="_blank"
                                      moz-do-not-send="true"><dan@newideatest.site></a><br>
                                    > Sent: 07 April 2021 07:17<br>
                                    > To: <a
                                      href="mailto:syslog-ng@lists.balabit.hu"
                                      rel="noreferrer" target="_blank"
                                      moz-do-not-send="true">syslog-ng@lists.balabit.hu</a><br>
                                    > Subject: [syslog-ng] Syslog-ng
                                    not honoring negative flag<br>
                                    ><br>
                                    ><br>
                                    > I'm having a bit of a problem
                                    and hope someone here can help. I'm
                                    trying<br>
                                    > to separate individual items
                                    into specific logs, i.e. ssh events
                                    in<br>
                                    > sshd.log, samba messages in
                                    samba.log, etc...<br>
                                    ><br>
                                    > I managed to come up with
                                    filters that pull out the events I
                                    started<br>
                                    > with, and they are going into
                                    the correct log files. But they are
                                    ALSO<br>
                                    > going into /var/log/messages
                                    even though I specifically have a
                                    filter on<br>
                                    > that one that says not to
                                    include samba or sshd events. I'll
                                    copy my<br>
                                    > config file here. Hopefully
                                    someone can tell me what I did
                                    wrong.<br>
                                    ><br>
                                    > Thanks!<br>
                                    ><br>
                                    >
                                    ---------------------------------------------<br>
                                    > @version: 3.30<br>
                                    ><br>
                                    > @include "scl.conf"<br>
                                    ><br>
                                    > options {<br>
                                    >       threaded(yes);<br>
                                    >       chain_hostnames(no);<br>
                                    >       stats_freq(43200);<br>
                                    >       mark_freq(3600);<br>
                                    > };<br>
                                    ><br>
                                    > source src { system();
                                    internal(); };<br>
                                    ><br>
                                    > filter samba {
                                    program("samba"); };<br>
                                    > filter ssh_messages {
                                    facility("AUTH") and level("INFO");
                                    };<br>
                                    > filter syslog { not
                                    filter("ssh_messages") and not
                                    filter("samba"); };<br>
                                    ><br>
                                    > destination console {
                                    file("/dev/tty12"); };<br>
                                    > destination messages {
                                    file("/var/log/messages"); };<br>
                                    > destination sshd_log {
                                    file("/var/log/sshd/sshd.log"); };<br>
                                    > destination smb_logs {
                                    file("/var/log/samba/samba.log"); };<br>
                                    ><br>
                                    > log { source(src);
                                    destination(smb_logs);
                                    filter(samba); flags(final); );<br>
                                    > log { source(src);
                                    destination(sshd_log);
                                    filter(ssh_messages);<br>
                                    > flags(final); };<br>
                                    > log { source(src);
                                    destination(console);
                                    filter(syslog); };<br>
                                    > log { source(src);
                                    destination(messages);
                                    filter(syslog); };<br>
                                    ><br>
                                    >
______________________________________________________________________________<br>
                                    > Member info: <a
                                      href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
                                      rel="noreferrer noreferrer"
                                      target="_blank"
                                      moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
                                    > Documentation: <a
                                      href="http://www.balabit.com/support/documentation/?product=syslog-ng"
                                      rel="noreferrer noreferrer"
                                      target="_blank"
                                      moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
                                    > FAQ: <a
                                      href="http://www.balabit.com/wiki/syslog-ng-faq"
                                      rel="noreferrer noreferrer"
                                      target="_blank"
                                      moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
                                    ><br>
                                  </div>
                                  <br>
                                </blockquote>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                  <div> <br clear="all">
                    <br>
                    -- <br>
                  </div>
                  <div dir="ltr">Bazsi</div>
                </blockquote>
              </div>
              <br>
            </blockquote>
          </div>
        </blockquote>
      </blockquote>
    </blockquote>
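    <p>Added example, not part of the thread and not syslog-ng's own code: a small Python lint for the two configuration problems raised in the quoted replies, a log statement closed with a paren instead of a brace, and a destination() listed before the filter() that was meant to restrict it. It assumes flat, top-level log statements; lint, ORIGINAL_POST and the finding codes are names made up for this example.</p>

```python
import re

# Added example; lint(), ORIGINAL_POST and the finding codes are illustrative
# names, not part of syslog-ng.
PAIRS = {"{": "}", "(": ")"}
ELEMENT = re.compile(r"\b(filter|destination)\s*\(")

# Constructed sample: the four log statements from the original post in this
# thread, each unwrapped onto one line.
ORIGINAL_POST = "\n".join([
    "log { source(src); destination(smb_logs); filter(samba); flags(final); );",
    "log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };",
    "log { source(src); destination(console); filter(syslog); };",
    "log { source(src); destination(messages); filter(syslog); };",
])


def lint(config):
    """Return (line, code) findings for flat, top-level log statements."""
    findings, stack = [], []          # stack holds (opener, line, offset)
    line, quote, i = 1, None, 0
    while i < len(config):
        ch = config[i]
        if ch == "\n":
            line += 1
        if quote:                     # inside a quoted string
            if ch == "\\" and quote == '"':
                i += 1                # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":               # comment runs to end of line
            while i + 1 < len(config) and config[i + 1] != "\n":
                i += 1
        elif ch in PAIRS:
            stack.append((ch, line, i))
        elif ch in PAIRS.values() and stack:
            opener, open_line, start = stack.pop()
            if PAIRS[opener] != ch:   # e.g. "log { ... );"
                findings.append((line, "wrong-closer"))
            is_log = opener == "{" and re.search(r"\blog\s*$", config[:start])
            if is_log and not stack:
                # Elements run in the order written, so a filter() placed
                # after destination() no longer restricts that destination.
                names = [m.group(1) for m in ELEMENT.finditer(config[start:i])]
                if "destination" in names:
                    first = names.index("destination")
                    if "filter" in names[first:]:
                        findings.append((open_line, "filter-after-destination"))
        i += 1
    findings += [(ln, "unclosed") for _, ln, _ in stack]
    return findings


if __name__ == "__main__":
    for ln, code in lint(ORIGINAL_POST):
        print(f"line {ln}: {code}")
```

    <p>syslog-ng's own --syntax-only option confirms that a file parses before a reload; it does not flag the ordering problem, because a destination placed ahead of a filter is valid syntax.</p>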
  </body>
</html>