Hi,

I'm new to syslog-ng and want to replace the normal syslogd in Solaris with -ng because of the filters.
I run Postfix on 2 load-balanced machines and I want to get rid of the health check log entries.
I set up a conf file that looks like this:

options {
    long_hostnames(off);
    # doesn't actually help on Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(1);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(2048);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
};
###############################################################
source src {
    sun-stream("/dev/log" door("/etc/.syslog_door"));
    internal();
};
###############################################################
destination alteon {
    file("/var/log/alteon");
};
destination notalteon {
    file("/var/log/notalteon");
};
destination ipf {
    file("/var/log/ipf.log");
};
###############################################################
filter f_mail {
    facility(mail);
};
filter f_not_mail {
    not facility(mail);
};
filter f_ipf {
    facility(local0);
};
filter f_alteon {
    match("10.155.68.2") or match("10.155.68.3");
};
filter f_notalteon {
    not match("10.155.68.2") or not match("10.155.68.3");
};
###############################################################
log {
    source(src);
    filter(f_alteon);
    destination(alteon);
};
log {
    source(src);
    filter(f_notalteon);
    destination(notalteon);
};
log {
    source(src);
    filter(f_ipf);
    destination(ipf);
};

According to this I should log everything that contains 10.155.68.2 or .3 to /var/log/alteon, and if it doesn't contain .2 or .3, to /var/log/notalteon, and it will also send the IP filter logs to their own log (which works).
It seems that f_alteon and f_ipf work. But f_notalteon logs both stuff that does contain .2 and .3 and stuff that doesn't contain .2 and .3.
What have I missed?
//
Kenneth
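
The filter logic from the post, evaluated over a few constructed log lines, as an added example that is not part of the original message or of syslog-ng itself. It models match() as an unanchored regular-expression search (an assumption), and the function names and sample messages are hypothetical.

```python
import re

# Patterns exactly as written in the posted filters. syslog-ng's match()
# takes a regular expression; it is modelled here as an unanchored
# re.search over the message text (an assumption of this sketch).
A = "10.155.68.2"
B = "10.155.68.3"

def match(pattern, msg):
    return re.search(pattern, msg) is not None

def f_alteon(msg):
    return match(A, msg) or match(B, msg)

def f_notalteon_posted(msg):
    # not match(A) or not match(B)  ==  not (match(A) and match(B))
    # False only for a line containing BOTH addresses.
    return (not match(A, msg)) or (not match(B, msg))

def f_notalteon_negated(msg):
    # De Morgan: not (A or B)  ==  not A and not B
    # syslog-ng form: not match("...2") and not match("...3"),
    # or simply: not filter(f_alteon)
    return (not match(A, msg)) and (not match(B, msg))

# Constructed sample messages (not taken from the original post).
SAMPLES = [
    "postfix/smtpd[411]: connect from unknown[10.155.68.2]",
    "postfix/smtpd[412]: connect from unknown[10.155.68.3]",
    "postfix/smtpd[413]: connect from mail.example.com[192.0.2.10]",
    # Unescaped, unanchored pattern also hits a longer address:
    "postfix/smtpd[414]: connect from unknown[10.155.68.25]",
]

def route(msg, notalteon):
    """Return the destinations a message reaches under the two log paths."""
    dests = []
    if f_alteon(msg):
        dests.append("alteon")
    if notalteon(msg):
        dests.append("notalteon")
    return dests

if __name__ == "__main__":
    for m in SAMPLES:
        print(route(m, f_notalteon_posted), route(m, f_notalteon_negated), m)
```

The last sample shows that the pattern as written also matches 10.155.68.25, because it is a substring search and the dots are regex wildcards. Escaping the dots and anchoring on the character that follows the address narrows the match.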