Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages. On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> wrote:
No joy. I tried swapping it different ways.
filter -> source -> destination = combined
source -> filter -> destination = combined
Here's what my config looks like now, after the second variant:
@version: 3.30
@include "scl.conf"
options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };
source src { system(); internal(); };
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); filter(samba); destination(smb_logs); flags(final); );
You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
Still, sshd messages are appearing in /var/log/messages.
On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> Hello,
>
> The order in the configuration matters.
> log { source(src); destination(console); filter(syslog); };
> The message flow is the following in your example: source(src) -> destination(console) -> filter(syslog) -> void
> The filter receives messages only after the destination; if you switch filter and destination it should be fine.
>
> --
> kokan
>
> ________________________________________
> From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dan Egli <dan@newideatest.site>
> Sent: 07 April 2021 07:17
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng] Syslog-ng not honoring negative flag
>
> I'm having a bit of a problem and hope someone here can help. I'm trying
> to separate individual items into specific logs, i.e. ssh events in
> sshd.log, samba messages in samba.log, etc...
>
> I managed to come up with filters that pull out the events I started
> with, and they are going into the correct log files. But they are ALSO
> going into /var/log/messages even though I specifically have a filter on
> that one that says not to include samba or sshd events. I'll copy my
> config file here. Hopefully someone can tell me what I did wrong.
>
> Thanks!
>
> ---------------------------------------------
> @version: 3.30
>
> @include "scl.conf"
>
> options {
>     threaded(yes);
>     chain_hostnames(no);
>     stats_freq(43200);
>     mark_freq(3600);
> };
>
> source src { system(); internal(); };
>
> filter samba { program("samba"); };
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
> destination smb_logs { file("/var/log/samba/samba.log"); };
>
> log { source(src); destination(smb_logs); filter(samba); flags(final); );
> log { source(src); destination(sshd_log); filter(ssh_messages);
> flags(final); };
> log { source(src); destination(console); filter(syslog); };
> log { source(src); destination(messages); filter(syslog); };
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
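The two problems in the thread, log-path element order and the stray `)` in the samba path, combined into one corrected configuration. This is an added example written for this page, not a config posted by anyone in the thread. It keeps the thread's source, destination and filter names, but swaps the sshd filter from `facility("AUTH") and level("INFO")` to `program("sshd")`; that change is my choice, not something the thread recommends.

```syslog-ng
@version: 3.30
@include "scl.conf"

options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };

source src { system(); internal(); };

# Match on the sending program rather than on facility/level. The thread's
# facility(auth) and level(info) filter also selects every other auth.info
# message (login, sudo, PAM), not only sshd. Check the program name that
# actually appears in your logs; Samba daemons commonly log as smbd, nmbd
# or winbindd rather than "samba" (kept here only to match the thread).
filter samba        { program("samba"); };
filter ssh_messages { program("sshd"); };

# Catch-all for everything the two paths above did not claim. With
# flags(final) on those paths this negation is redundant, but it documents
# the intent and protects the messages file if a final flag is ever dropped.
filter syslog       { not filter(ssh_messages) and not filter(samba); };

destination console  { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };

# Elements of a log path are evaluated in the order written. A destination
# placed before the filter receives every message from the source, which is
# why the original config copied sshd and samba events into /var/log/messages.
# flags(final) stops a matched message from entering any later log path.
log { source(src); filter(samba);        destination(smb_logs); flags(final); };
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog);       destination(console); };
log { source(src); filter(syslog);       destination(messages); };
```

Before reloading, run `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (`-s` is `--syntax-only`); it exits non-zero on a parse error such as the `);` in the original samba path. That check matters because a running syslog-ng that fails to parse a new config on reload keeps the previous configuration in service, which is exactly the "nothing changed" symptom the thread describes, and the only trace of it is a message in syslog-ng's own internal() log.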