So they have to match all of the filters? I want all of the messages from 4 or 5 devices to go to one log file. I created a filter for each using the netmask filter. I then listed each of those filter commands in the log statement... It seems that if I add multiple netmask() statements to a single filter it doesn't work. If I add multiple filter() statements (with a single device each) to a log statement it doesn't work...

The following is what my final config was before I decided to blow it away and attack the issue at a much smaller scale (two log files, one filter, etc. - which is why I now believe the above):

options {
    chain_hostnames (no);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
    owner(syslog);
    group(syslog);
    perm(0660);
    dir_owner(syslog);
    dir_group(syslog);
    dir_perm(0660);
    time_reap(300);
};

source s_cron { unix-dgram("/dev/cron"); internal(); };
source s_snmp { unix-dgram("/dev/snmp"); internal(); };
source s_sys { unix-dgram("/dev/log"); internal(); };
source s_udp { udp(ip("0.0.0.0") port(514)); };
source s_udp_s { udp(ip("0.0.0.0") port(601)); };
source s_tcp { tcp(ip("0.0.0.0") port(601)); };
source s_tcp1 { tcp(ip("0.0.0.0") port(1026)); };
source s_tcp2 { tcp(ip("0.0.0.0") port(5140)); };

destination d_cons { file("/data/logs/console.log"); };
destination d_mesg { file("/data/logs/syslog.log"); };
destination d_mail { file("/data/logs/mail.log"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination allmessages { file("/data/logs/$YEAR$MONTH$DAY.allmessages.log"); };
destination netmessages { file("/data/logs/$YEAR$MONTH$DAY.netmessages.log"); };
destination d_vpn { file("/data/logs/vpn/$YEAR$MONTH$DAY.vpn.log"); };
destination d_switch { file("/data/logs/switch/$YEAR$MONTH$DAY.switch.log"); };
destination d_router { file("/data/logs/router/$YEAR$MONTH$DAY.router.log"); };
destination d_pixen { file("/data/logs/pixen/$YEAR$MONTH$DAY.pixen.log"); };
destination d_ids { file("/data/logs/ids/$YEAR$MONTH$DAY.ids.log"); };
destination vpn_pipe { pipe("/data/pipes/vpn_pipe"); };
# destination net_pipe { pipe("/data/pipes/net_pipe"); };
destination fire_pipe { pipe("/data/pipes/fire_pipe"); };

filter f_filter1 { facility(mail) and level(debug); };
filter f_filter2 { (facility(mail) and level(debug)) or level(info); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };
filter f_vpn { netmask(1.1.1.5/255.255.255.255) and netmask(1.1.1.6/255.255.255.255) and netmask(1.1.1.2/255.255.255.255); };
filter f_fire { netmask(1.1.1.2/255.255.255.255) and netmask(1.1.1.10/255.255.255.255) and netmask(1.1.1.10/255.255.255.255) and netmask(1.1.1.212/255.255.255.255); };

log { source(s_sys); filter(f_filter1); destination(d_mail); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_cons); destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter(f_vpn); destination(vpn_pipe); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter (f_fire); destination(fire_pipe); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter(f_vpn); destination(d_vpn); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter (f_fire); destination(d_pixen); };
log { source(s_sys); source(s_cron); source(s_snmp); destination (allmessages); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); destination(netmessages); };

On 9/27/06, Sandor Geller <wildy@balabit.hu> wrote:
It is syntactically correct. However, nobody can answer your question properly (you are using the filter named f_fire which wasn't in your previous posts, so I have to assume that you have modified your configuration).
Without knowing your current configuration I can only answer like this: if a message comes from any of your sources and matches all of the filters, then it will be logged through the destinations.
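
The matching rule discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a small Python model of netmask(), of and/or inside one filter, and of several filter() references in one log statement. The helper names and the sender list are constructed for illustration; the addresses are the ones in the posted f_vpn filter.

```python
import ipaddress

def netmask(spec):
    """Model of netmask(): true when the sender's IP lies inside the network."""
    net = ipaddress.ip_network(spec)
    return lambda sender: ipaddress.ip_address(sender) in net

def f_and(*preds):
    """Model of 'a and b and c' inside one filter block."""
    return lambda sender: all(p(sender) for p in preds)

def f_or(*preds):
    """Model of 'a or b or c' inside one filter block."""
    return lambda sender: any(p(sender) for p in preds)

def log_statement(*filters):
    """Several filter() references in one log statement: every one must match."""
    return f_and(*filters)

def routed(filter_fn, senders):
    """Senders whose messages would reach the destination."""
    return [s for s in senders if filter_fn(s)]

# Addresses from the posted f_vpn filter, one /32 netmask() per device.
VPN_HOSTS = ["1.1.1.5", "1.1.1.6", "1.1.1.2"]
MASKS = [netmask(h + "/255.255.255.255") for h in VPN_HOSTS]

# Constructed sender list: the three VPN devices plus one unrelated host.
SENDERS = VPN_HOSTS + ["1.1.1.10"]

# As posted: one sender address can never equal three different /32 hosts.
f_vpn_posted = f_and(*MASKS)

# The same list joined with 'or', i.e. in syslog-ng syntax:
#   filter f_vpn { netmask(1.1.1.5/255.255.255.255)
#               or netmask(1.1.1.6/255.255.255.255)
#               or netmask(1.1.1.2/255.255.255.255); };
f_vpn_or = f_or(*MASKS)

# One filter per device, all referenced from one log statement.
per_device_log = log_statement(*MASKS)

if __name__ == "__main__":
    print("and     :", routed(f_vpn_posted, SENDERS))
    print("or      :", routed(f_vpn_or, SENDERS))
    print("filters :", routed(per_device_log, SENDERS))
```
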