I've also had problems with the "and not" filtering in syslog-ng. I ended up having to do a kind of a DeMorgan method and change the filtering around a little. I got it to do what I wanted but not quite the way I expected. filter f_messages { level(info..warn) and not facility(local2,kern,auth); }; The above didn't work the way I expected it should have. I ended up doing filter f_messages { level(info..warn) and facility(mail,news,etc..); }; This seemed to work ok. I'm not sure if syslog-ng is evaluating the "and not" construct the way you'd expect. Of course it may be that I just wasn't using it correctly as well. Drew
-----Original Message----- From: Balazs Scheidler [SMTP:bazsi@balabit.hu] Sent: Wednesday, April 05, 2000 5:08 PM To: syslog-ng@venus.terrasoft.hu Subject: Re: [syslog-ng] complex filtering
Im currently building our loghost syslog-ng conf file and encounter a
problem. How can I filter message so that only not-alredy-routed line will be routed/filtered again ?
For example, I am trying to send ssh line to a dedicated log file, since
sshd send its message to the deamon facility and that ( generic) daemon facility are send to a generic file, a given line appereas in both file and that waste my disk space :-).
I am trying to solve that by adding "and not filter(f_ssh)" in my dameon
filter but it does nothing ( not even syntax error message).
Is there any error ? Is there another way ?
Thanks for any help.
The filter way should work, if it doesn't, it's a bug. There's a feature you may use here. You can define default log statements:
log { source(src); filter(DEFAULT); destination(dst); };
This is a catchall statement, and should catch all messages which were not accepted any of the previous statements.
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu http://lists.balabit.hu/mailman/listinfo/syslog-ng