You have set your filter on the syslog facility, and the crond program uses different facilities to log different information, such as the auth facility to log session open/close for the user that the cron started process belongs to. try using filters of filter f_cron { program(crond); }; filter f_messages { not program(crond); }; and see how that works for you. Evan. liuruihong wrote:
I use the syslog-ng to receive remote log,
The syslog-ng is running under linux ,the remote client is sending log by syslog,
and the syslog-ng configure fie is as follows:
options { use_dns(yes); create_dirs(yes); }; source src { udp(ip(0.0.0.0) port(514)); }; filter f_cron { facility(cron); }; filter f_messages { not facility(cron); }; destination messages { file("/home/liuruihong/syslog-ng/log/$HOST/$YEAR/messages-$MONTH"); }; destination cron { file("/home/liuruihong/syslog-ng/log/$HOST/$YEAR/cron-$MONTH"); }; log { source(src); filter(f_cron); destination(cron); }; log { source(src); filter(f_messages); destination(messages); };
but the log files "messages-$MONTH" still include the crond information,
I don't know why?
------------------------------------------------------------------------
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html