<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Looks like there's a bug in the lastest version of Thunderbird or
something, because I see three messages that are incomplete copies
of what I am about to send. I will look further into that while I
wait for more advice from you guys.<br>
</p>
<div class="moz-cite-prefix">On 4/7/2021 7:19 PM, Dan Egli wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0be95133-9079-cf34-60a9-defe35fc8326@newideatest.site">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Those are the only ones I'm seeing in either log. Let me test
it a bit, see if startup/shutdown messages occur too.</p>
<p>Not only that, I am seeing samba messages in the sshd log, and
I should not. When I do lsof, it seems the samba daemon is
writing it's own logs, so it's not surprising that there's no
errors in that log. But why am I seeing samba messages in
sshd.log, and why am I seeing samba and sshd in
/var/log/messages.</p>
<p>And if what you say about the security/auth is correct, then
something else is screwy here because I ONLY have auth/info
listed. NOT authpriv. Frankly, i'd say that it sounds like I
need to just change to program("sshd") but I'm not sure if that
will fix anything. I'll do that, just to see. <br>
</p>
<div class="moz-cite-prefix">On 4/7/2021 12:48 PM, SZALAY Attila
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:57ca4e46e3ad55227fbfdcf7fc804a057a30fbc6.camel@ubainba.hu">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div>Hi Dan,</div>
<div><br>
</div>
<div>The next important question is that do you see all sshd log
messages in /var/log/messages or just some of them. I see two
kind of sshd related log message:</div>
<div><br>
</div>
<div>[2021-04-07T12:29:43.875056] Incoming log entry;
line='<38>Apr 7 12:29:43 sshd[30745]: Accepted
keyboard-interactive/pam for dan from XXXX port 40747 ssh2'</div>
<div>[2021-04-07T12:29:43.878136] Incoming log entry;
line='<86>Apr 7 12:29:43 sshd[30745]:
pam_unix(sshd:session): session opened for user dan(uid=1001)
by (uid=0)'</div>
<div><br>
</div>
<div>As the two has different values in <>, at least one
of them is differ from auth/info.</div>
<div><br>
</div>
<div>By the way <38> is security(4)/info and <86> is
security(10)/info. So both are security/auth message in some
way but still different facilities (4 and 6) which is called
as auth(4) and authpriv(10) within syslog-ng.</div>
<div><br>
</div>
<div>On Wed, 2021-04-07 at 12:35 -0600, Dan Egli wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div> Okay. I captured a couple of minutes worth of syslog-ng
running. It's too big to post (1.5MB) so I put it up on my
web server. You can see it at: <a
class="moz-txt-link-freetext"
href="https://www.newideatest.site/syslog-out"
moz-do-not-send="true">https://www.newideatest.site/syslog-out</a><br>
</div>
<div class="moz-cite-prefix">On 4/7/2021 12:07 PM, SZIGETVÁRI
János wrote:<br>
</div>
<div>
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
</div>
<div dir="ltr">
<div>Hello Dan,</div>
<div><br>
</div>
<div>I believe that Bazsi (Balázs) wasn't really looking for
the startup messages about the config being parsed, but
instead about the debug/trace output of the log processing
pipeline.</div>
<div>There he would be able to check which filters were run
against a certain message (its actual content too), and
what result those filters returned.</div>
<div>I think that's what he's primarily after.</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>János</div>
<div>
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">--</div>
<div dir="ltr">Janos
SZIGETVARI<br>
<span>RHCE,
License no. <a
href="https://www.redhat.com/rhtapps/verify/?certId=150-053-692"
target="_blank"
moz-do-not-send="true">150-053-692</a></span><br>
</div>
<div dir="ltr"><span><br>
</span></div>
<div dir="ltr"><span>LinkedIn:
<a
href="http://linkedin.com/in/janosszigetvari"
target="_blank" moz-do-not-send="true">linkedin.com/in/janosszigetvari</a></span></div>
<div dir="ltr">Web:
<a
href="https://janos.szigetvari.com"
target="_blank" moz-do-not-send="true">janos.szigetvari.com</a><br>
<br>
__@__˚V˚<br>
Make the switch
to open (source)
applications,
protocols,
formats now:<br>
- windows ->
Linux, iexplore
-> Firefox,
msoffice ->
LibreOffice<br>
- msn ->
jabber protocol
(Pidgin, Google
Talk)<br>
- mp3 -> ogg,
wmv -> ogg,
jpg -> png,
doc/xls/ppt
->
odt/ods/odp</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<div> <br>
</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Dan Egli <a
class="moz-txt-link-rfc2396E"
href="mailto:dan@newideatest.site"
moz-do-not-send="true"><dan@newideatest.site></a>
ezt írta (időpont: 2021. ápr. 7., Sze, 20:02):<br>
</div>
<br>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div>
<p>Syslog-ng is NOT complaining about my config at all.
I've included the output from the -Fedv below. Other
than what I would call "routine" errors in the scl
section, no complaints.</p>
<p>---------------------------------<br>
[2021-04-07T11:52:21.151347] Processing @include
statement; filename='scl.conf',
include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'<br>
[2021-04-07T11:52:21.151420] Starting to read include
file; filename='/etc/syslog-ng/scl.conf', depth='1'<br>
[2021-04-07T11:52:21.151596] Module loaded and
initialized successfully; module='appmodel'<br>
[2021-04-07T11:52:21.151612] Processing @include
statement; filename='scl/*/*.conf',
include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'<br>
[2021-04-07T11:52:21.151782] Adding include file;
filename='/usr/share/syslog-ng/include/scl/apache/apache.conf',
depth='2'<br>
[2021-04-07T11:52:21.151787] Adding include file;
filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151790] Adding include file;
filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151792] Adding include file;
filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151794] Adding include file;
filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151797] Adding include file;
filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151799] Adding include file;
filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151802] Adding include file;
filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
depth='2'<br>
[2021-04-07T11:52:21.151804] Adding include file;
filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151807] Adding include file;
filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
depth='2'<br>
[2021-04-07T11:52:21.151809] Adding include file;
filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf',
depth='2'<br>
[2021-04-07T11:52:21.151811] Adding include file;
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
depth='2'<br>
[2021-04-07T11:52:21.151814] Adding include file;
filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151816] Adding include file;
filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf',
depth='2'<br>
[2021-04-07T11:52:21.151819] Adding include file;
filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151821] Adding include file;
filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
depth='2'<br>
[2021-04-07T11:52:21.151824] Adding include file;
filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
depth='2'<br>
[2021-04-07T11:52:21.151826] Adding include file;
filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
depth='2'<br>
[2021-04-07T11:52:21.151906] Adding include file;
filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151912] Adding include file;
filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf',
depth='2'<br>
[2021-04-07T11:52:21.151915] Adding include file;
filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
depth='2'<br>
[2021-04-07T11:52:21.151917] Adding include file;
filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151920] Adding include file;
filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151922] Adding include file;
filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151925] Adding include file;
filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.151933] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/apache/apache.conf',
depth='2'<br>
[2021-04-07T11:52:21.151993] Reading path for
candidate modules; path='/usr/lib64/syslog-ng'<br>
[2021-04-07T11:52:21.152064] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libxml.so', module='xml'<br>
[2021-04-07T11:52:21.152174] Registering candidate
plugin; module='xml', context='parser', name='xml'<br>
[2021-04-07T11:52:21.152200] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libtags-parser.so', module='tags-parser'<br>
[2021-04-07T11:52:21.152263] Registering candidate
plugin; module='tags-parser', context='parser',
name='tags-parser'<br>
[2021-04-07T11:52:21.152277] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libsystem-source.so', module='system-source'<br>
[2021-04-07T11:52:21.152336] Registering candidate
plugin; module='system-source', context='source',
name='system'<br>
[2021-04-07T11:52:21.152349] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libsyslogformat.so', module='syslogformat'<br>
[2021-04-07T11:52:21.152414] Registering candidate
plugin; module='syslogformat', context='format',
name='syslog'<br>
[2021-04-07T11:52:21.152417] Registering candidate
plugin; module='syslogformat', context='parser',
name='syslog-parser'<br>
[2021-04-07T11:52:21.152428] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libstardate.so', module='stardate'<br>
[2021-04-07T11:52:21.152619] Registering candidate
plugin; module='stardate', context='template-func',
name='stardate'<br>
[2021-04-07T11:52:21.152661] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libsecure-logging.so', module='secure-logging'<br>
[2021-04-07T11:52:21.152746] Registering candidate
plugin; module='secure-logging',
context='template-func', name='slog'<br>
[2021-04-07T11:52:21.152760] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libpseudofile.so', module='pseudofile'<br>
[2021-04-07T11:52:21.152832] Registering candidate
plugin; module='pseudofile', context='destination',
name='pseudofile'<br>
[2021-04-07T11:52:21.152904] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libmap-value-pairs.so',
module='map-value-pairs'<br>
[2021-04-07T11:52:21.152989] Registering candidate
plugin; module='map-value-pairs', context='parser',
name='map_value_pairs'<br>
[2021-04-07T11:52:21.153005] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='liblinux-kmsg-format.so',
module='linux-kmsg-format'<br>
[2021-04-07T11:52:21.153170] Registering candidate
plugin; module='linux-kmsg-format', context='format',
name='linux-kmsg'<br>
[2021-04-07T11:52:21.153191] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libkvformat.so', module='kvformat'<br>
[2021-04-07T11:52:21.153261] Registering candidate
plugin; module='kvformat', context='parser',
name='kv-parser'<br>
[2021-04-07T11:52:21.153265] Registering candidate
plugin; module='kvformat', context='parser',
name='linux-audit-parser'<br>
[2021-04-07T11:52:21.153268] Registering candidate
plugin; module='kvformat', context='template-func',
name='format-welf'<br>
[2021-04-07T11:52:21.153279] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libhook-commands.so', module='hook-commands'<br>
[2021-04-07T11:52:21.153339] Registering candidate
plugin; module='hook-commands', context='inner-dest',
name='hook-commands'<br>
[2021-04-07T11:52:21.153343] Registering candidate
plugin; module='hook-commands', context='inner-src',
name='hook-commands'<br>
[2021-04-07T11:52:21.153355] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libgraphite.so', module='graphite'<br>
[2021-04-07T11:52:21.153408] Registering candidate
plugin; module='graphite', context='template-func',
name='graphite_output'<br>
[2021-04-07T11:52:21.153418] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libtfgetent.so', module='tfgetent'<br>
[2021-04-07T11:52:21.153468] Registering candidate
plugin; module='tfgetent', context='template-func',
name='getent'<br>
[2021-04-07T11:52:21.153479] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libexamples.so', module='examples'<br>
[2021-04-07T11:52:21.153646] Registering candidate
plugin; module='examples', context='source',
name='example_msg_generator'<br>
[2021-04-07T11:52:21.153654] Registering candidate
plugin; module='examples', context='source',
name='example_random_generator'<br>
[2021-04-07T11:52:21.153660] Registering candidate
plugin; module='examples', context='source',
name='example_diskq_source'<br>
[2021-04-07T11:52:21.153670] Registering candidate
plugin; module='examples', context='inner-dest',
name='http_test_slots'<br>
[2021-04-07T11:52:21.153677] Registering candidate
plugin; module='examples', context='destination',
name='example_destination'<br>
[2021-04-07T11:52:21.153722] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libdisk-buffer.so', module='disk-buffer'<br>
[2021-04-07T11:52:21.153825] Registering candidate
plugin; module='disk-buffer', context='inner-dest',
name='disk_buffer'<br>
[2021-04-07T11:52:21.153846] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libdbparser.so', module='dbparser'<br>
[2021-04-07T11:52:21.154065] Registering candidate
plugin; module='dbparser', context='parser',
name='db-parser'<br>
[2021-04-07T11:52:21.154076] Registering candidate
plugin; module='dbparser', context='parser',
name='grouping-by'<br>
[2021-04-07T11:52:21.154100] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libtimestamp.so', module='timestamp'<br>
[2021-04-07T11:52:21.154260] Registering candidate
plugin; module='timestamp', context='parser',
name='date-parser'<br>
[2021-04-07T11:52:21.154267] Registering candidate
plugin; module='timestamp', context='rewrite',
name='fix-time-zone'<br>
[2021-04-07T11:52:21.154270] Registering candidate
plugin; module='timestamp', context='rewrite',
name='set-time-zone'<br>
[2021-04-07T11:52:21.154279] Registering candidate
plugin; module='timestamp', context='rewrite',
name='guess-time-zone'<br>
[2021-04-07T11:52:21.154296] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libcsvparser.so', module='csvparser'<br>
[2021-04-07T11:52:21.154366] Registering candidate
plugin; module='csvparser', context='parser',
name='csv-parser'<br>
[2021-04-07T11:52:21.154381] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libcryptofuncs.so', module='cryptofuncs'<br>
[2021-04-07T11:52:21.154452] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='uuid'<br>
[2021-04-07T11:52:21.154459] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='hash'<br>
[2021-04-07T11:52:21.154657] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='sha1'<br>
[2021-04-07T11:52:21.154662] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='sha256'<br>
[2021-04-07T11:52:21.154665] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='sha512'<br>
[2021-04-07T11:52:21.154667] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='md4'<br>
[2021-04-07T11:52:21.154673] Registering candidate
plugin; module='cryptofuncs', context='template-func',
name='md5'<br>
[2021-04-07T11:52:21.154689] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libconfgen.so', module='confgen'<br>
[2021-04-07T11:52:21.154788] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libcef.so', module='cef'<br>
[2021-04-07T11:52:21.154912] Registering candidate
plugin; module='cef', context='template-func',
name='format-cef-extension'<br>
[2021-04-07T11:52:21.154935] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libbasicfuncs.so', module='basicfuncs'<br>
[2021-04-07T11:52:21.155134] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='grep'<br>
[2021-04-07T11:52:21.155142] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='if'<br>
[2021-04-07T11:52:21.155145] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='or'<br>
[2021-04-07T11:52:21.155148] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='context-lookup'<br>
[2021-04-07T11:52:21.155150] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='context-length'<br>
[2021-04-07T11:52:21.155156] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='context-values'<br>
[2021-04-07T11:52:21.155158] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='echo'<br>
[2021-04-07T11:52:21.155165] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='length'<br>
[2021-04-07T11:52:21.155171] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='substr'<br>
[2021-04-07T11:52:21.155173] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='strip'<br>
[2021-04-07T11:52:21.155176] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='sanitize'<br>
[2021-04-07T11:52:21.155178] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='lowercase'<br>
[2021-04-07T11:52:21.155180] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='uppercase'<br>
[2021-04-07T11:52:21.155183] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='replace-delimiter'<br>
[2021-04-07T11:52:21.155185] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='padding'<br>
[2021-04-07T11:52:21.155201] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='binary'<br>
[2021-04-07T11:52:21.155204] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='implode'<br>
[2021-04-07T11:52:21.155207] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='explode'<br>
[2021-04-07T11:52:21.155209] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='dirname'<br>
[2021-04-07T11:52:21.155214] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='basename'<br>
[2021-04-07T11:52:21.155217] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-concat'<br>
[2021-04-07T11:52:21.155219] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-head'<br>
[2021-04-07T11:52:21.155222] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-nth'<br>
[2021-04-07T11:52:21.155224] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-tail'<br>
[2021-04-07T11:52:21.155227] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-slice'<br>
[2021-04-07T11:52:21.155230] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-count'<br>
[2021-04-07T11:52:21.155232] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-append'<br>
[2021-04-07T11:52:21.155234] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='list-search'<br>
[2021-04-07T11:52:21.155237] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='+'<br>
[2021-04-07T11:52:21.155239] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='-'<br>
[2021-04-07T11:52:21.155241] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='*'<br>
[2021-04-07T11:52:21.155243] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='/'<br>
[2021-04-07T11:52:21.155245] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='%'<br>
[2021-04-07T11:52:21.155248] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='sum'<br>
[2021-04-07T11:52:21.155255] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='min'<br>
[2021-04-07T11:52:21.155257] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='max'<br>
[2021-04-07T11:52:21.155259] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='average'<br>
[2021-04-07T11:52:21.155261] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='round'<br>
[2021-04-07T11:52:21.155267] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='ceil'<br>
[2021-04-07T11:52:21.155272] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='floor'<br>
[2021-04-07T11:52:21.155275] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='ipv4-to-int'<br>
[2021-04-07T11:52:21.155277] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='indent-multi-line'<br>
[2021-04-07T11:52:21.155279] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='dns-resolve-ip'<br>
[2021-04-07T11:52:21.155281] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='env'<br>
[2021-04-07T11:52:21.155284] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='template'<br>
[2021-04-07T11:52:21.155286] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='url-encode'<br>
[2021-04-07T11:52:21.155288] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='url-decode'<br>
[2021-04-07T11:52:21.155291] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='base64-encode'<br>
[2021-04-07T11:52:21.155294] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='iterate'<br>
[2021-04-07T11:52:21.155297] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='map'<br>
[2021-04-07T11:52:21.155300] Registering candidate
plugin; module='basicfuncs', context='template-func',
name='filter'<br>
[2021-04-07T11:52:21.155330] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libazure-auth-header.so',
module='azure-auth-header'<br>
[2021-04-07T11:52:21.155422] Registering candidate
plugin; module='azure-auth-header',
context='inner-dest', name='azure-auth-header'<br>
[2021-04-07T11:52:21.155440] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libappmodel.so', module='appmodel'<br>
[2021-04-07T11:52:21.155445] Registering candidate
plugin; module='appmodel', context='root',
name='application'<br>
[2021-04-07T11:52:21.155448] Registering candidate
plugin; module='appmodel', context='parser',
name='app-parser'<br>
[2021-04-07T11:52:21.155450] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libafuser.so', module='afuser'<br>
[2021-04-07T11:52:21.155549] Registering candidate
plugin; module='afuser', context='destination',
name='usertty'<br>
[2021-04-07T11:52:21.155565] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libafstomp.so', module='afstomp'<br>
[2021-04-07T11:52:21.155641] Registering candidate
plugin; module='afstomp', context='destination',
name='stomp'<br>
[2021-04-07T11:52:21.155653] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libafsocket.so', module='afsocket'<br>
[2021-04-07T11:52:21.155816] Registering candidate
plugin; module='afsocket', context='source',
name='unix-stream'<br>
[2021-04-07T11:52:21.155821] Registering candidate
plugin; module='afsocket', context='destination',
name='unix-stream'<br>
[2021-04-07T11:52:21.155824] Registering candidate
plugin; module='afsocket', context='source',
name='unix-dgram'<br>
[2021-04-07T11:52:21.155827] Registering candidate
plugin; module='afsocket', context='destination',
name='unix-dgram'<br>
[2021-04-07T11:52:21.155829] Registering candidate
plugin; module='afsocket', context='source',
name='tcp'<br>
[2021-04-07T11:52:21.155832] Registering candidate
plugin; module='afsocket', context='destination',
name='tcp'<br>
[2021-04-07T11:52:21.155834] Registering candidate
plugin; module='afsocket', context='source',
name='tcp6'<br>
[2021-04-07T11:52:21.155837] Registering candidate
plugin; module='afsocket', context='destination',
name='tcp6'<br>
[2021-04-07T11:52:21.155839] Registering candidate
plugin; module='afsocket', context='source',
name='udp'<br>
[2021-04-07T11:52:21.155841] Registering candidate
plugin; module='afsocket', context='destination',
name='udp'<br>
[2021-04-07T11:52:21.155844] Registering candidate
plugin; module='afsocket', context='source',
name='udp6'<br>
[2021-04-07T11:52:21.155846] Registering candidate
plugin; module='afsocket', context='destination',
name='udp6'<br>
[2021-04-07T11:52:21.155857] Registering candidate
plugin; module='afsocket', context='source',
name='syslog'<br>
[2021-04-07T11:52:21.155860] Registering candidate
plugin; module='afsocket', context='destination',
name='syslog'<br>
[2021-04-07T11:52:21.155863] Registering candidate
plugin; module='afsocket', context='source',
name='network'<br>
[2021-04-07T11:52:21.155865] Registering candidate
plugin; module='afsocket', context='destination',
name='network'<br>
[2021-04-07T11:52:21.155867] Registering candidate
plugin; module='afsocket', context='source',
name='systemd-syslog'<br>
[2021-04-07T11:52:21.155886] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libafprog.so', module='afprog'<br>
[2021-04-07T11:52:21.155979] Registering candidate
plugin; module='afprog', context='source',
name='program'<br>
[2021-04-07T11:52:21.155986] Registering candidate
plugin; module='afprog', context='destination',
name='program'<br>
[2021-04-07T11:52:21.156000] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libaffile.so', module='affile'<br>
[2021-04-07T11:52:21.156140] Registering candidate
plugin; module='affile', context='source', name='file'<br>
[2021-04-07T11:52:21.156176] Registering candidate
plugin; module='affile', context='source', name='pipe'<br>
[2021-04-07T11:52:21.156181] Registering candidate
plugin; module='affile', context='source',
name='wildcard_file'<br>
[2021-04-07T11:52:21.156184] Registering candidate
plugin; module='affile', context='source',
name='stdin'<br>
[2021-04-07T11:52:21.156187] Registering candidate
plugin; module='affile', context='destination',
name='file'<br>
[2021-04-07T11:52:21.156189] Registering candidate
plugin; module='affile', context='destination',
name='pipe'<br>
[2021-04-07T11:52:21.156209] Reading shared object for
a candidate module; path='/usr/lib64/syslog-ng',
fname='libadd-contextual-data.so',
module='add-contextual-data'<br>
[2021-04-07T11:52:21.156308] Registering candidate
plugin; module='add-contextual-data',
context='parser', name='add_contextual_data'<br>
[2021-04-07T11:52:21.156434] Finishing include;
filename='/usr/share/syslog-ng/include/scl/apache/apache.conf',
depth='2'<br>
[2021-04-07T11:52:21.156450] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.156674] Finishing include;
filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.156687] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.156832] Finishing include;
filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.156841] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.156931] Finishing include;
filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.156943] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157022] Finishing include;
filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157029] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157074] Finishing include;
filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157078] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157107] Included file was skipped
because of a missing module; module='mod-java',
location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1'<br>
[2021-04-07T11:52:21.157109] Finishing include;
filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157114] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
depth='2'<br>
[2021-04-07T11:52:21.157173] Finishing include;
filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
depth='2'<br>
[2021-04-07T11:52:21.157179] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157232] Finishing include;
filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157236] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
depth='2'<br>
[2021-04-07T11:52:21.157262] Included file was skipped
because of a missing module; module='mod-java',
location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1'<br>
[2021-04-07T11:52:21.157264] Finishing include;
filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
depth='2'<br>
[2021-04-07T11:52:21.157269] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf',
depth='2'<br>
[2021-04-07T11:52:21.157309] Global value changed;
define='kafka-implementation', value='kafka-java'<br>
[2021-04-07T11:52:21.157328] Finishing include;
filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf',
depth='2'<br>
[2021-04-07T11:52:21.157336] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
depth='2'<br>
[2021-04-07T11:52:21.157375] Finishing include;
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
depth='2'<br>
[2021-04-07T11:52:21.157379] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157493] Module loaded and
initialized successfully; module='confgen'<br>
[2021-04-07T11:52:21.157512] Finishing include;
filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157519] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf',
depth='2'<br>
[2021-04-07T11:52:21.157559] Finishing include;
filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf',
depth='2'<br>
[2021-04-07T11:52:21.157565] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157597] Included file was skipped
because of a missing module; module='pacctformat',
location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1'<br>
[2021-04-07T11:52:21.157600] Finishing include;
filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.157605] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
depth='2'<br>
[2021-04-07T11:52:21.157905] Finishing include;
filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
depth='2'<br>
[2021-04-07T11:52:21.157919] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
depth='2'<br>
[2021-04-07T11:52:21.157969] Global value changed;
define='balabit.credit-card-regexp',
value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})'<br>
[2021-04-07T11:52:21.157998] Finishing include;
filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
depth='2'<br>
[2021-04-07T11:52:21.158007] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
depth='2'<br>
[2021-04-07T11:52:21.158073] Finishing include;
filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
depth='2'<br>
[2021-04-07T11:52:21.158079] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.158120] Finishing include;
filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.158131] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf',
depth='2'<br>
[2021-04-07T11:52:21.161593] Finishing include;
filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf',
depth='2'<br>
[2021-04-07T11:52:21.161620] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
depth='2'<br>
[2021-04-07T11:52:21.161724] Finishing include;
filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
depth='2'<br>
[2021-04-07T11:52:21.161729] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.161803] Module loaded and
initialized successfully; module='confgen'<br>
[2021-04-07T11:52:21.161808] Finishing include;
filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.161815] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.161853] Finishing include;
filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.161860] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.161951] Finishing include;
filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.161964] Starting to read include
file;
filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.162008] Finishing include;
filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
depth='2'<br>
[2021-04-07T11:52:21.162024] Global value changed;
define='java-module-dir',
value='/usr/lib64/syslog-ng/java-modules'<br>
[2021-04-07T11:52:21.162028] Finishing include;
filename='/etc/syslog-ng/scl.conf', depth='1'<br>
[2021-04-07T11:52:21.162157] Module loaded and
initialized successfully; module='system-source'<br>
[2021-04-07T11:52:21.162188] system(): Enabling Linux
kernel log device; device='/dev/kmsg',
format='linux-kmsg'<br>
[2021-04-07T11:52:21.162403] Module loaded and
initialized successfully; module='afsocket'<br>
[2021-04-07T11:52:21.162936] Module loaded and
initialized successfully; module='affile'<br>
[2021-04-07T11:52:21.163175] Module loaded and
initialized successfully; module='kvformat'<br>
[2021-04-07T11:52:21.163192] Finishing include;
content='block parser iptables-parser() at
/usr/share/syslog-ng/include/scl/iptables/iptables.conf:23',
depth='3'<br>
[2021-04-07T11:52:21.163568] Module loaded and
initialized successfully; module='csvparser'<br>
[2021-04-07T11:52:21.164457] Finishing include;
content='block parser panos-parser() at
/usr/share/syslog-ng/include/scl/paloalto/panos.conf:29',
depth='3'<br>
[2021-04-07T11:52:21.164880] Module loaded and
initialized successfully; module='basicfuncs'<br>
[2021-04-07T11:52:21.164936] Finishing include;
content='block parser sudo-parser() at
/usr/share/syslog-ng/include/scl/sudo/sudo.conf:23',
depth='3'<br>
[2021-04-07T11:52:21.164995] Finishing include;
content='parser generator app-parser', depth='2'<br>
[2021-04-07T11:52:21.165016] Finishing include;
content='source generator system', depth='1'<br>
[2021-04-07T11:52:21.165525] Module loaded and
initialized successfully; module='syslogformat'<br>
[2021-04-07T11:52:21.165711] Module loaded and
initialized successfully; module='linux-kmsg-format'<br>
[2021-04-07T11:52:21.165966] Running application
hooks; hook='1'<br>
[2021-04-07T11:52:21.165971] Running application
hooks; hook='6'<br>
[2021-04-07T11:52:21.165984] syslog-ng starting up;
version='3.30.1'<br>
[2021-04-07T11:52:21.165989] Running application
hooks; hook='2'<br>
[2021-04-07T11:52:39.961046] Running application
hooks; hook='3'<br>
[2021-04-07T11:52:39.961090] syslog-ng shutting down;
version='3.30.1'<br>
[2021-04-07T11:52:40.061679] Running application
hooks; hook='4'<br>
-----------------------------------------------------------------------------<br>
</p>
<div>On 4/7/2021 4:51 AM, Balazs Scheidler wrote:<br>
</div>
<br>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div dir="ltr">
<div>can you start syslog-ng in the foreground and
look at the startup messages?</div>
<div><br>
</div>
<div>e.g. stop the background process (via systemd
or your init system), and run syslog-ng from a
root prompt:<br>
</div>
<div><br>
</div>
<div># /usr/sbin/syslog-ng -Fedv</div>
<div><br>
</div>
<div>This should start syslog-ng in the foreground
(-F), direct internal messages to stderr (-e), and
enable debug/verbose messages. Then look at the
messages to see if syslog-ng is complaining about
your configuration or not.</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Bazsi<br>
</div>
<div><br>
</div>
</div>
<div> <br>
</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Apr 7,
2021 at 9:08 AM Dan Egli <a
href="mailto:dan@newideatest.site"
target="_blank" moz-do-not-send="true"><dan@newideatest.site></a>
wrote:<br>
</div>
<br>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div>
<p>Don't know how that slipped in there. And
syslog-ng never mentioned it. It's fixed now,
and the behavior is unchanged. sshd messages
still appear in /var/log/messages.</p>
<p><br>
</p>
<div>On 4/7/2021 12:55 AM, Balazs Scheidler
wrote:<br>
</div>
<br>
<blockquote type="cite" style="margin:0 0 0
.8ex; border-left:2px #729fcf
solid;padding-left:1ex">
<div dir="auto">
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On
Wed, Apr 7, 2021, 08:06 Dan Egli <a
href="mailto:dan@newideatest.site"
target="_blank"
moz-do-not-send="true"><dan@newideatest.site></a>
wrote:<br>
</div>
<br>
<blockquote type="cite" style="margin:0
0 0 .8ex; border-left:2px #729fcf
solid;padding-left:1ex">
<div>No joy. I tried swapping it
different ways.<br>
<br>
filter -> source ->
destination = combined<br>
source -> filter ->
destination = combined<br>
<br>
Here's what my config looks like
now, after the second variant:<br>
<br>
@version: 3.30<br>
<br>
@include "scl.conf"<br>
<br>
options {<br>
threaded(yes);<br>
chain_hostnames(no);<br>
stats_freq(43200);<br>
mark_freq(3600);<br>
};<br>
<br>
source src { system(); internal();
};<br>
<br>
filter samba { program("samba"); };<br>
filter ssh_messages {
facility("AUTH") and level("INFO");
};<br>
filter syslog { not
filter("ssh_messages") and not
filter("samba"); };<br>
<br>
destination console {
file("/dev/tty12"); };<br>
destination messages {
file("/var/log/messages"); };<br>
destination sshd_log {
file("/var/log/sshd/sshd.log"); };<br>
destination smb_logs {
file("/var/log/samba/samba.log"); };<br>
<br>
log { source(src); filter(samba);
destination(smb_logs); flags(final);
);<br>
</div>
<br>
</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">You are using a closing
paren instead of a brace. This config has
a syntax error. Possibly syslog-ng falled
back to the original config, once it
reported a syntax error.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_quote"> <br>
<blockquote type="cite" style="margin:0
0 0 .8ex; border-left:2px #729fcf
solid;padding-left:1ex">
<div> log { source(src);
filter(ssh_messages);
destination(sshd_log); <br>
flags(final); };<br>
log { source(src); filter(syslog);
destination(console); };<br>
log { source(src); filter(syslog);
destination(messages); };<br>
<br>
<br>
Still, sshd messages are appearing
in /var/log/messages.<br>
<br>
On 4/6/2021 11:51 PM, Peter Kokai
(pkokai) wrote:<br>
> Hello,<br>
><br>
> The order in the configuration
matters.<br>
> log { source(src);
destination(console);
filter(syslog); };<br>
> The message flow is the
following in your example
source(src) ->
destination(console) ->
filter(syslog) -> void<br>
> The filter recieves messages
only after destination, if you
switch filter and destination it
should be fine.<br>
><br>
> --<br>
> kokan<br>
><br>
>
________________________________________<br>
> From: syslog-ng <<a
href="mailto:syslog-ng-bounces@lists.balabit.hu"
rel="noreferrer" target="_blank"
moz-do-not-send="true">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Dan Egli <a
href="mailto:dan@newideatest.site"
target="_blank"
moz-do-not-send="true"><dan@newideatest.site></a><br>
> Sent: 07 April 2021 07:17<br>
> To: <a
href="mailto:syslog-ng@lists.balabit.hu"
rel="noreferrer" target="_blank"
moz-do-not-send="true">syslog-ng@lists.balabit.hu</a><br>
> Subject: [syslog-ng] Syslog-ng
not honoring negative flag<br>
><br>
> CAUTION: This email originated
from outside of the organization. Do
not follow guidance, click links, or
open attachments unless you
recognize the sender and know the
content is safe.<br>
><br>
><br>
> I'm having a bit of a problem
and hope someone here can help. I'm
trying<br>
> to separate individual items
into specific logs, i.e. ssh events
in<br>
> sshd.log, samba messages in
samba.log, etc...<br>
><br>
> I managed to come up with
filters that pull out the events I
started<br>
> with, and they are going into
the correct log files. But they are
ALSO<br>
> going into /var/log/messages
even though I specifically have a
filter on<br>
> that one that says not to
include samba or sshd events. I'll
copy my<br>
> config file here. Hopefully
someone can tell me what I did
wrong.<br>
><br>
> Thanks!<br>
><br>
>
---------------------------------------------<br>
> @version: 3.30<br>
><br>
> @include "scl.conf"<br>
><br>
> options {<br>
> threaded(yes);<br>
> chain_hostnames(no);<br>
> stats_freq(43200);<br>
> mark_freq(3600);<br>
> };<br>
><br>
> source src { system();
internal(); };<br>
><br>
> filter samba {
program("samba"); };<br>
> filter ssh_messages {
facility("AUTH") and level("INFO");
};<br>
> filter syslog { not
filter("ssh_messages") and not
filter("samba"); };<br>
><br>
> destination console {
file("/dev/tty12"); };<br>
> destination messages {
file("/var/log/messages"); };<br>
> destination sshd_log {
file("/var/log/sshd/sshd.log"); };<br>
> destination smb_logs {
file("/var/log/samba/samba.log"); };<br>
><br>
> log { source(src);
destination(smb_logs);
filter(samba); flags(final); );<br>
> log { source(src);
destination(sshd_log);
filter(ssh_messages);<br>
> flags(final); };<br>
> log { source(src);
destination(console);
filter(syslog); };<br>
> log { source(src);
destination(messages);
filter(syslog); };<br>
><br>
>
______________________________________________________________________________<br>
> Member info: <a
href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334268377%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o0qw65n1Rc9KGd2UOas8tvmOA9dBVvsk87isPiIU1gs%3D&reserved=0"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334268377%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o0qw65n1Rc9KGd2UOas8tvmOA9dBVvsk87isPiIU1gs%3D&reserved=0</a><br>
> Documentation: <a
href="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SjrFKWzHU16coH4fONh%2FuBCc8TVIGOwMX%2BuDoqCT2a0%3D&reserved=0"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SjrFKWzHU16coH4fONh%2FuBCc8TVIGOwMX%2BuDoqCT2a0%3D&reserved=0</a><br>
> FAQ: <a
href="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cIR67V5%2BBHwG2gChSUHEOceKB5VsEXp%2B%2B3y1BpQYAMc%3D&reserved=0"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cIR67V5%2BBHwG2gChSUHEOceKB5VsEXp%2B%2B3y1BpQYAMc%3D&reserved=0</a><br>
><br>
>
______________________________________________________________________________<br>
> Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
______________________________________________________________________________<br>
Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div>
<br>
</blockquote>
</div>
</div>
</div>
<div> <br>
<fieldset></fieldset>
</div>
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</div>
<br>
</blockquote>
</div>
<div> <br clear="all">
<br>
-- <br>
</div>
<div dir="ltr">Bazsi</div>
</blockquote>
</div>
<div>______________________________________________________________________________<br>
Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div>
<br>
</blockquote>
</div>
<div> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
</div>
<pre>______________________________________________________________________________</pre>
<pre>Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a></pre>
<pre>Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a></pre>
<pre>FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq" moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a></pre>
<div>______________________________________________________________________________<br>
</div>
<div>Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
</div>
<div>Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
</div>
<div>FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq"
moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
</div>
<div><br>
</div>
</blockquote>
<div><br>
</div>
<div><span></span></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq" moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</blockquote>
</body>
</html>