syslog.local7 is a reference mnemonic of mine, sorry. It refers
to the local7 facility in syslog. And saying that the "not" should be
lowercase fixed everything. I don't know why the examples
show it in uppercase, but thank you very much!
> On Wed, Dec 16, 2020, 06:04 Dan Egli <dan@newideatest.site> wrote:
>> Help me understand this, please? I have ISC dhcpd configured to log to
>> syslog.local7 (since I don't see an option to force it into its own log
>> file).
> Hmm, syslog.local7 doesn't seem to be a facility.severity pair.
> Both syslog and localX are facility codes, so either syslog or localX.
> Syslog is normally reserved for the syslog subsystem, so I wouldn't use that for dhcpd.
> Also, logging and filtering based on facility codes alone is not really flexible, as facility codes have not kept up with changes in the underlying system. There are dedicated codes for legacy stuff like "news" which people rarely use, but none for newer stuff like kafka or docker.
> So in most cases, I see people use the PROGRAM field, or even the IP address of devices, to classify log messages.
> Still, in your use case the current set of facility codes could be just fine.
>> So I went into my syslog-ng file and created two filters, just
>> like on the example page of syslog-ng.com:
>> filter dhcpmsgs { facility(23) );
> This would filter on facility code 23; each facility is mapped to a numeric code. I can't remember what 23 is, but you can check RFC 3164 for the exact assignment.
>> filter non_dhcp { NOT filter(dhcpmsgs) );
> Negation should be lower case, e.g. "not".
> The closing paren should be a closing brace (e.g. "}").
>> I quoted almost directly from the example page on syslog-ng.com, but I
>> keep getting this error when I reload syslog-ng's config:
>> Error parsing filter expression, filter plugin NOT not found OR you may
>> not used double quotes in your filter expression in
>> /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>> What did I do wrong? Here are the lines I modified from the syslog-ng page:
>> filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
>> filter inverted_demo_filter { NOT filter(demo_filter) }
>> You can see the page at:
>> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>> --
>> Dan Egli
>> From my Test Server
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
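As an added example (not code from the thread or from the syslog-ng documentation), here is a complete syslog-ng configuration that applies the corrections discussed above: the facility given by name (local7 is code 23 in RFC 3164, so facility(23) and facility(local7) select the same messages), a lowercase "not", and "};" closing every filter block. It also shows the PROGRAM-field alternative mentioned in the reply, which does not depend on which facility dhcpd was told to use. The file paths, the source definition and the program name "dhcpd" are assumptions for the sake of the example.

```conf
@version: 3.16

# Added example configuration, not from the mailing-list thread.
# Local system log socket plus syslog-ng's own internal messages (assumed source).
source s_local { system(); internal(); };

# Facility by name; equivalent to facility(23) per the RFC 3164 numbering.
filter f_dhcp { facility(local7); };

# The negation keyword is lowercase "not"; the block ends with "};".
filter f_non_dhcp { not filter(f_dhcp); };

# Alternative keyed on the PROGRAM field instead of the facility.
# Assumes dhcpd identifies itself as "dhcpd" in the syslog tag; program() takes a regexp.
filter f_dhcp_by_program { program("dhcpd"); };

# Dedicated log file for dhcpd, everything else to the general log (assumed paths).
destination d_dhcp     { file("/var/log/dhcpd.log"); };
destination d_messages { file("/var/log/messages"); };

# Route local7 traffic to its own file and keep it out of the general log.
log { source(s_local); filter(f_dhcp);     destination(d_dhcp); };
log { source(s_local); filter(f_non_dhcp); destination(d_messages); };
```

Before reloading, a syntax check with "syslog-ng --syntax-only" reports parse errors such as the "filter plugin NOT not found" message quoted above without touching the running daemon. On the dhcpd side, the facility is selected with the "log-facility local7;" statement in dhcpd.conf; if the program()-based filter is used instead, that setting becomes irrelevant to the routing.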