<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hello Dan,</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Just before the list went down <span style="color:rgb(50, 49, 48);font-family:"Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important">
Fabien Wernli</span><span style="color:rgb(50, 49, 48);font-family:"Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif;font-size:14px;background-color:rgb(255, 255, 255);display:inline !important"><span> </span><wernli@in2p3.fr> </span>replied
to your message, pointing out that the "sshd" program name was misspelled in your configuration to "ss<b>d</b>hd". Can you check please, if that was only a typo in your email to the list, or your original configuration is affected too?</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Br,</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Laci</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dan Egli <dan@newideatest.site><br>
<b>Sent:</b> Tuesday, April 13, 2021 09:14<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] Try again: What's wrong with my config?</font>
<div> </div>
</div>
<div>
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div class="x_moz-text-html" lang="x-unicode">
<p>Okay. I'm completely stumped on this, and just before the list went down I was hoping someone could help me with this.
<br>
</p>
<p>I'm trying to break everything out of the monolithic /var/log/messages and place each service in it's own log file. To that extent, I created the following config file:</p>
</div>
<p>syslog-ng config: </p>
<pre>@version: 3.30
@include "scl.conf"
options {
threaded(yes);
chain_hostnames(no);
stats_freq(43200);
mark_freq(3600);
};
source src { system(); internal(); };
filter samba { program("samba") or program("nmbd") or program("smbd"); };
filter sshd { program("ssdhd"); };
filter syslog { not filter(sshd) and not filter(samba); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(sshd); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
so, as I understand the logic. The three log { } lines do this:
log { source(src); filter(sshd); destination(sshd_log); flags(final); }; Anything from sshd gets written to the /var/log/sshd/sshd.log. Nothing else goes here.
log { source(src); filter(syslog); destination(console); }; Anything that is not from sshd, not from smbd, not from sabma and not from nmbd goes to the /dev/tty12 device
log { source(src); filter(syslog); destination(messages); }; likewises for /var/log/messages.
Is my understanding correct? If so, WHY do I see ssh log entries in /var/log/messages? And how do I stop it!? sshd messages should ONLY show up in /etc/sshd/sshd.log.
jupiter ~ # grep sshd /var/log/messages | head -n 2
Apr 13 00:00:50 jupiter sshd[14721]: Received disconnect from <IP> port 18726:11: [preauth]
Apr 13 00:00:50 jupiter sshd[14721]: Disconnected from <IP> port 18726 [preauth]
Thanks!
</pre>
<p></p>
</div>
</div>
</body>
</html>