On Wed, Dec 13, 2000 at 11:31:43AM -0500, jon@dumbo.pobox.com wrote:
i think it might be a better idea to do it one of these ways:
[snip] Interesting... My personal bent (based on my personal need, of course ;) is to have filter(DEFAULT) work with any other filter. So something like log { source(src); filter(host1); filter(kern); filter(DEFAULT); \ destination(host1-kern); }; ...would capture any kernel messages from host1 that haven't been captured by any other rule. That would really make my week :-) Interestingly enough, if you move filter(DEFAULT) to be the FIRST filter in a log rule, you get an error if there are any other filter()'s there. There is no error if it's anywhere else though...
On Wed, Dec 13, 2000 at 03:30:26PM +1000, Andrew Fort wrote: | > So it will have the opposite affect of what I wanted then... anything | > that matches host1 will set match=1 and DEFAULT won't match. Heh, | > somehow I find it amusing that my logic was completely backwards. Or | > maybe I'm up too late. :-) | | Correct :) Your rules have two filter statements, it's only the | | filter(host1); | | and not the filter(DEFAULT); which is causing any action.