<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>IT was spelled wrong in the config file. I don't know how I
missed that. Thanks for pointing it out. I missed Fabien's
message. I've fixed the config and will let it run for a few hours
to test if that fixed everything.</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 4/13/2021 1:19 AM, Laszlo Szemere
(lszemere) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR19MB346545552723A027CD48CE779D4F9@DM6PR19MB3465.namprd19.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
Hello Dan,</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
Just before the list went down <span style="color:rgb(50, 49,
48);font-family:"Segoe UI", "Segoe UI Web (West
European)", "Segoe UI", -apple-system,
BlinkMacSystemFont, Roboto, "Helvetica Neue",
sans-serif;font-size:14px;background-color:rgb(255, 255,
255);display:inline !important">
Fabien Wernli</span><span style="color:rgb(50, 49,
48);font-family:"Segoe UI", "Segoe UI Web (West
European)", "Segoe UI", -apple-system,
BlinkMacSystemFont, Roboto, "Helvetica Neue",
sans-serif;font-size:14px;background-color:rgb(255, 255,
255);display:inline !important"><span> </span><a class="moz-txt-link-rfc2396E" href="mailto:wernli@in2p3.fr"><wernli@in2p3.fr></a> </span>replied
to your message, pointing out that the "sshd" program name was
misspelled in your configuration to "ss<b>d</b>hd". Can you
check please, if that was only a typo in your email to the list,
or your original configuration is affected too?</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
Br,</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
Laci</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
syslog-ng <a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng-bounces@lists.balabit.hu"><syslog-ng-bounces@lists.balabit.hu></a> on behalf
of Dan Egli <a class="moz-txt-link-rfc2396E" href="mailto:dan@newideatest.site"><dan@newideatest.site></a><br>
<b>Sent:</b> Tuesday, April 13, 2021 09:14<br>
<b>To:</b> Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a><br>
<b>Subject:</b> [syslog-ng] Try again: What's wrong with my
config?</font>
<div> </div>
</div>
<div>
<div style="background-color:#FFEB9C; width:100%;
border-style:solid; border-color:#9C6500; border-width:1pt;
padding:2pt; font-size:10pt; line-height:12pt;
font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span>
This email originated from outside of the organization. Do not
follow guidance, click links, or open attachments unless you
recognize the sender and know the content is safe.</div>
<br>
<div>
<div class="x_moz-text-html" lang="x-unicode">
<p>Okay. I'm completely stumped on this, and just before the
list went down I was hoping someone could help me with
this.
<br>
</p>
<p>I'm trying to break everything out of the monolithic
/var/log/messages and place each service in it's own log
file. To that extent, I created the following config file:</p>
</div>
<p>syslog-ng config: </p>
<pre>@version: 3.30
@include "scl.conf"
options {
threaded(yes);
chain_hostnames(no);
stats_freq(43200);
mark_freq(3600);
};
source src { system(); internal(); };
filter samba { program("samba") or program("nmbd") or program("smbd"); };
filter sshd { program("ssdhd"); };
filter syslog { not filter(sshd) and not filter(samba); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(sshd); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
so, as I understand the logic. The three log { } lines do this:
log { source(src); filter(sshd); destination(sshd_log); flags(final); }; Anything from sshd gets written to the /var/log/sshd/sshd.log. Nothing else goes here.
log { source(src); filter(syslog); destination(console); }; Anything that is not from sshd, not from smbd, not from sabma and not from nmbd goes to the /dev/tty12 device
log { source(src); filter(syslog); destination(messages); }; likewises for /var/log/messages.
Is my understanding correct? If so, WHY do I see ssh log entries in /var/log/messages? And how do I stop it!? sshd messages should ONLY show up in /etc/sshd/sshd.log.
jupiter ~ # grep sshd /var/log/messages | head -n 2
Apr 13 00:00:50 jupiter sshd[14721]: Received disconnect from <IP> port 18726:11: [preauth]
Apr 13 00:00:50 jupiter sshd[14721]: Disconnected from <IP> port 18726 [preauth]
Thanks!
</pre>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</body>
</html>