Thanks, that explains a lot.  I was having both of those issues yesterday.  Everything was going to /dev/null, not just the messages I assumed were being accepted by the first log path.  I see why now.  Also, when I was trying to use embedded log paths instead of if/else everything was being accepted by the top-level log path regardless.   The messages going to /dev/null are just some firewall messages that we are not concerned with and that would fill up our disk space very quickly if they aren’t filtered out.

-Mark

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Péter, Kókai
Sent: Wednesday, March 27, 2019 1:58 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Filtering out messages before any other action

Hello,

Without the other part - where you do not expect the message to be received, and its connection to this logpath it is kinda hard to say much.

Logpath on the same level:

log {
  filter { message("boo"); };
  flags(final);
};

log {
  flags(final);
};

In this case, if the first logpath "accepts" the message (the filter matches in this example), the other logpath is never going to see the message. Otherwise it will.

But if you use *if* in the first logpath:

log {
  if {
    filter { message("boo"); };
  };
  flags(final);
};

It does not matter if the *filter* matches or not, as either way the logpath "accepts" the log, so the other logpath (not speaking about embedded logpaths) won't see the message.

If you use embedded logpath:

log {
  if {
    filter { message("boo"); };
  };
  log {
    #inner path
  };
  flags(final);
};

Despite the result of the previous *if*, the inner logpath is going to get the message.

Do you have a specific use case to *drop* the message via writing it into "/dev/null" ?

--
Kokan

On Tue, Mar 26, 2019 at 2:14 PM Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> wrote:

I have the following as the first log path in my configuration; however, my understanding is that this should match any message with the text 'type=traffic' AND any of the listed policyid=## or a message with the text 'action=timeout'. flags(final) indicates that it should not be further processed by any other log path. However, I'm still seeing messages that should be discarded, am I doing something wrong?

log {
  if {
    filter { message('type=traffic') };
    filter {
      (
        message('policyid=35 ')      or
        message('policyid=37 ')      or
        message('policyid=38 ')      or
        message('policyid=40_D ')    or
        message('policyid=5 ')       or
        message('policyid=10 ')      or
        message('policyid=12 ')      or
        message('policyid=50 ')      or
        message('policyid=3 ')       or
        message('action=timeout ')     
      )
    };
    destination {
      file("/dev/null");
    };
  };
  flags(final);
};

Thanks,
-Mark
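The drop path from the message above, rewritten the way Kókai's explanation implies: the filter has to sit directly in the first top-level log path, not inside an if { } block, so that only the matching firewall noise is "accepted" and stopped by flags(final) while everything else falls through to the next path. This is an added example, not configuration from the thread; the source name s_net, the UDP port, the destination d_kept and its file path are assumptions.

```conf
# Added example configuration (not from the mailing-list thread).
# Assumed names: s_net, d_kept, and the paths/ports below.

source s_net {
    network(transport("udp") port(514));
};

destination d_kept {
    file("/var/log/kept.log");
};

# Same filter logic as the original post: 'type=traffic' AND one of the
# listed policy ids, or a message containing 'action=timeout '.
filter f_fw_noise {
    message('type=traffic') and (
        message('policyid=35 ')   or
        message('policyid=37 ')   or
        message('policyid=38 ')   or
        message('policyid=40_D ') or
        message('policyid=5 ')    or
        message('policyid=10 ')   or
        message('policyid=12 ')   or
        message('policyid=50 ')   or
        message('policyid=3 ')    or
        message('action=timeout ')
    );
};

# BROKEN variant (kept commented out for comparison): because the filter is
# wrapped in if { }, this path accepts every message whether the filter
# matched or not, and flags(final) then stops all of them.
#
# log {
#     source(s_net);
#     if {
#         filter(f_fw_noise);
#         destination { file("/dev/null"); };
#     };
#     flags(final);
# };

# CORRECT variant: filter at the top level of the path. Only messages that
# match f_fw_noise are accepted here and stopped by flags(final); all other
# messages are not accepted by this path and continue to the next one.
log {
    source(s_net);
    filter(f_fw_noise);
    destination { file("/dev/null"); };
    flags(final);
};

# Normal processing for everything the first path did not accept.
log {
    source(s_net);
    destination(d_kept);
};
```

The file("/dev/null") destination is retained only to mirror the original post; since flags(final) already ends processing for every message the first path accepts, the path does the same job with just the filter and flags(final). A quick way to check the behaviour is to send one matching and one non-matching test line to the source and confirm that only the non-matching one reaches d_kept.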
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq