On Mon, 2005-10-17 at 09:18 -0700, Nate Campi wrote:
On Mon, Oct 17, 2005 at 11:57:37AM -0400, Ed Ravin wrote:
But let's go one level deeper - why are the "operators" configuring syslog-ng.conf to write to /dev/null in the first place and thus making this error? It's because the sysadmins want to discard certain log entries. Why not facilitate that by making a special "discard" destination? Surely that has to be more efficient than opening up /dev/null, possibly changing its permissions, and then writing data to it on a regular basis just to get thrown away.
When I permanently plan to ignore certain messages, I just don't log them:
filter f_not_pix { not match("%PIX"); };
log { source(local); filter(f_not_pix); destination(d_loghost_tcp); };
My "f_not_pix" just internally discards it. Your idea of using a special "discard" destination would help make syslog-ng config files more self-explanatory though, which IMO is a fantastic thing. Reading my configs I would have to use a final flag to show that the message isn't logged again, and missing that the reader would have to inspect the rest of the file to understand if anything else would be done with a particular event.
you can create a destination which has no drivers, e.g. this is valid and works as expected:
destination d_null {};
log { source(s_local); destination(d_null); };
I normally only use /dev/null temporarily, when a firewall blocks a destination and I don't just want to leave syslog-ng trying to connect and overflowing the destination buffer for no reason. I modify the destination clause to use /dev/null for a bit.
you can comment out the tcp() destination driver in this case.
--
Bazsi
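The two suggestions in this thread (a driverless destination and the final flag) combined into one configuration, as an added example that is not part of the original messages. The source definition, the f_pix filter name, the d_devnull name and the loghost address are assumptions made for illustration.

```conf
# Added illustration, not from the thread. Assumed names: s_local definition,
# f_pix, d_devnull, loghost.example.com.
source s_local { unix-stream("/dev/log"); internal(); };

# Positive match for the messages to be dropped (the thread's f_not_pix is
# the negated form of this filter).
filter f_pix { match("%PIX"); };

# Before: discarding by writing to /dev/null. syslog-ng opens the file and
# writes every matching message to it.
# destination d_devnull { file("/dev/null"); };
# log { source(s_local); filter(f_pix); destination(d_devnull); flags(final); };

# After: a destination with no drivers, as described in the reply above.
destination d_null {};
destination d_loghost_tcp { tcp("loghost.example.com" port(514)); };

# The discard path comes first. flags(final) stops processing of later log
# statements for matching messages, so a reader sees at this line that
# %PIX events go nowhere else.
log { source(s_local); filter(f_pix); destination(d_null); flags(final); };

# Everything that was not stopped above is forwarded to the loghost.
log { source(s_local); destination(d_loghost_tcp); };
```

Statement order matters here: final only affects log statements that come after it, so a forwarding statement placed above the discard path would still receive the %PIX messages.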