On 2015-01-15 01:22 PM, James Lay wrote:
Hey all,
Here's what I have...one source:
source s_local { unix-stream("/dev/log"); udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); file("/proc/kmsg"); };
three destinations:
destination d_file { file("/var/log/messages"); };
destination d_syslogserver { udp ("x.x.x.x", port(514)); };
destination d_logontype { udp ("x.x.x.x", port(515)); };
and a few filters: filter f_syslogfilter { message("0x0004") };
filter f_firewall { program("firewall") };
filter f_logontype { message("Logon") };
With the below log entry, running with -F -d, I will only get the first 2 of the three filters evaluated:
log { source(s_local); filter(f_syslogfilter); destination(d_file); filter(f_firewall); destination(d_syslogserver); filter(f_logontype); destination(d_logontype); };
but after splitting them out I see all three evaluated:
log { source(s_local); filter(f_syslogfilter); destination(d_file); };
log { source(s_local); filter(f_firewall); destination(d_syslogserver); };
log { source(s_local); filter(f_logontype10); destination(d_logontype10); };
Is there a reason or limit or documentation for this? I can verify that the log entry passed for "Logon" in my testing didn't match the previous two filters. Version is 3.3.11. Thank you.
James
So more on this... in my production environment, the above splitting of the log entries didn't log anything after I put it in place. Does anyone have any pointers for a single source with multiple filters and destinations? Thank you. James
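The pattern the thread is asking about, single source fanned out to several destinations each behind its own filter, as an added configuration example. This is not the poster's configuration and not from the syslog-ng project; the source, destination and filter names follow the post, while the collector address 192.0.2.10 and the sample strings are placeholders. In a syslog-ng 3.x log statement the elements are evaluated in the order written and a filter removes the message from the remainder of that path, so the chained form ANDs the filters for every destination that follows them; it is kept here commented out for contrast, and the independent paths below it are the working form.

```conf
@version: 3.3

# One source block gathers everything the post lists.
source s_local {
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
    file("/proc/kmsg");
};

# Destinations. Positional host argument first, then options, no comma.
# 192.0.2.10 is a placeholder for the real collector.
destination d_file         { file("/var/log/messages"); };
destination d_syslogserver { udp("192.0.2.10" port(514)); };
destination d_logontype    { udp("192.0.2.10" port(515)); };

# Filters. The match expression inside the braces ends with a semicolon.
filter f_syslogfilter { message("0x0004"); };
filter f_firewall     { program("firewall"); };
filter f_logontype    { message("Logon"); };

# Chained form (shown for contrast, deliberately commented out).
# A message reaches d_logontype only if it matches f_syslogfilter AND
# f_firewall AND f_logontype, so a "Logon" line that fails the first
# filter never gets as far as the third one.
#
# log {
#     source(s_local);
#     filter(f_syslogfilter); destination(d_file);
#     filter(f_firewall);     destination(d_syslogserver);
#     filter(f_logontype);    destination(d_logontype);
# };

# Independent paths. Every message from s_local is offered to each path,
# so the three filters are evaluated separately rather than ANDed.
log { source(s_local); filter(f_syslogfilter); destination(d_file); };
log { source(s_local); filter(f_firewall);     destination(d_syslogserver); };
log { source(s_local); filter(f_logontype);    destination(d_logontype); };

# Optional: if a message that matched one path should not be considered
# by the paths written after it, mark that path final.
# log { source(s_local); filter(f_firewall); destination(d_syslogserver); flags(final); };
```

Check the result with `syslog-ng -s -f <file>` before reloading, since a reference to an undefined filter or destination name is a parse error and syslog-ng will refuse the whole configuration rather than log partially. Releases from 3.4 onward also provide junction {} and channel {} blocks for this kind of fan-out; 3.3.11 does not have them, so separate log statements are the way to do it there.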