<div dir="ltr"><div>can you start syslog-ng in the foreground and look at the startup messages?</div><div><br></div><div>e.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:<br></div><div><br></div><div># /usr/sbin/syslog-ng -Fedv</div><div><br></div><div>This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.</div><div><br></div><div>Cheers,</div><div>Bazsi<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Don't know how that slipped in there. And syslog-ng never
      mentioned it. It's fixed now, and the behavior is unchanged. sshd
      messages still appear in /var/log/messages.</p>
    <p><br>
    </p>
    <div>On 4/7/2021 12:55 AM, Balazs Scheidler
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="auto">
        <div><br>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Wed, Apr 7, 2021, 08:06
              Dan Egli <a href="mailto:dan@newideatest.site" target="_blank"><dan@newideatest.site></a> wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">No joy.
              I tried swapping it different ways.<br>
              <br>
              filter -> source -> destination = combined<br>
              source -> filter -> destination = combined<br>
              <br>
              Here's what my config looks like now, after the second
              variant:<br>
              <br>
              @version: 3.30<br>
              <br>
              @include "scl.conf"<br>
              <br>
              options {<br>
                   threaded(yes);<br>
                   chain_hostnames(no);<br>
                   stats_freq(43200);<br>
                   mark_freq(3600);<br>
              };<br>
              <br>
              source src { system(); internal(); };<br>
              <br>
              filter samba { program("samba"); };<br>
              filter ssh_messages { facility("AUTH") and level("INFO");
              };<br>
              filter syslog { not filter("ssh_messages") and not
              filter("samba"); };<br>
              <br>
              destination console { file("/dev/tty12"); };<br>
              destination messages { file("/var/log/messages"); };<br>
              destination sshd_log { file("/var/log/sshd/sshd.log"); };<br>
              destination smb_logs { file("/var/log/samba/samba.log");
              };<br>
              <br>
              log { source(src); filter(samba); destination(smb_logs);
              flags(final); );<br>
            </blockquote>
          </div>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">You are using a closing paren instead of a
          brace. This config has a syntax error. Possibly syslog-ng
          falled back to the original config, once it reported a syntax
          error.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              log { source(src); filter(ssh_messages);
              destination(sshd_log); <br>
              flags(final); };<br>
              log { source(src); filter(syslog); destination(console);
              };<br>
              log { source(src); filter(syslog); destination(messages);
              };<br>
              <br>
              <br>
              Still, sshd messages are appearing in /var/log/messages.<br>
              <br>
              On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:<br>
              > Hello,<br>
              ><br>
              > The order in the configuration matters.<br>
              > log { source(src); destination(console);
              filter(syslog); };<br>
              > The message flow is the following in your example
              source(src) -> destination(console) ->
              filter(syslog) -> void<br>
              > The filter receives messages only after destination,
              if you switch filter and destination it should be fine.<br>
              ><br>
              > --<br>
              > kokan<br>
              ><br>
              > ________________________________________<br>
              > From: syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
              on behalf of Dan Egli <a href="mailto:dan@newideatest.site" target="_blank"><dan@newideatest.site></a><br>
              > Sent: 07 April 2021 07:17<br>
              > To: <a href="mailto:syslog-ng@lists.balabit.hu" rel="noreferrer" target="_blank">syslog-ng@lists.balabit.hu</a><br>
              > Subject: [syslog-ng] Syslog-ng not honoring negative
              flag<br>
              ><br>
              > I'm having a bit of a problem and hope someone here
              can help. I'm trying<br>
              > to separate individual items into specific logs, i.e.
              ssh events in<br>
              > sshd.log, samba messages in samba.log, etc...<br>
              ><br>
              > I managed to come up with filters that pull out the
              events I started<br>
              > with, and they are going into the correct log files.
              But they are ALSO<br>
              > going into /var/log/messages even though I
              specifically have a filter on<br>
              > that one that says not to include samba or sshd
              events. I'll copy my<br>
              > config file here. Hopefully someone can tell me what
              I did wrong.<br>
              ><br>
              > Thanks!<br>
              ><br>
              > ---------------------------------------------<br>
              > @version: 3.30<br>
              ><br>
              > @include "scl.conf"<br>
              ><br>
              > options {<br>
              >       threaded(yes);<br>
              >       chain_hostnames(no);<br>
              >       stats_freq(43200);<br>
              >       mark_freq(3600);<br>
              > };<br>
              ><br>
              > source src { system(); internal(); };<br>
              ><br>
              > filter samba { program("samba"); };<br>
              > filter ssh_messages { facility("AUTH") and
              level("INFO"); };<br>
              > filter syslog { not filter("ssh_messages") and not
              filter("samba"); };<br>
              ><br>
              > destination console { file("/dev/tty12"); };<br>
              > destination messages { file("/var/log/messages"); };<br>
              > destination sshd_log {
              file("/var/log/sshd/sshd.log"); };<br>
              > destination smb_logs {
              file("/var/log/samba/samba.log"); };<br>
              ><br>
              > log { source(src); destination(smb_logs);
              filter(samba); flags(final); );<br>
              > log { source(src); destination(sshd_log);
              filter(ssh_messages);<br>
              > flags(final); };<br>
              > log { source(src); destination(console);
              filter(syslog); };<br>
              > log { source(src); destination(messages);
              filter(syslog); };<br>
              ><br>
              >
______________________________________________________________________________<br>
              > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
              > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
              > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
              ><br>
              <br>
            </blockquote>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
  </div>

</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature">Bazsi</div>