Hi,

In this use-case I would recommend using the "final" flag, e.g. you do this:

log { source(sys); filter(f_cyrus); destination(cyrus); flags(final); };
log { source(sys); filter(f_mesgs); destination(mesg); };

And then, the mesg destination will only receive messages that:
1) cyrus related log statement didn't match
2) and it matches f_mesgs

With this structure you only have to add new log statements (in proper order though) and don't have to change the "catch-all" log statement at the end. It also performs much better and the configuration is more readable.

Bazsi

On Wed, Mar 6, 2019 at 3:01 PM Sergey <a_s_y@sama.ru> wrote:
On Wednesday 06 March 2019, you wrote:
Could you share your use case, where you wanted to "replace" log blocks?
My use case is reducing /var/log/messages when new software is installed. This can be implemented through the filter override, but it is not so visual.
For example a base config:
==
...
filter f_mesgs { level(info) and not facility(mail,authpriv); };
destination mesg { file("/var/log/syslog/messages"); };

log { source(sys); filter(f_mesgs); destination(mesg); };
...
@include "/etc/syslog-ng/conf.d/*.conf"
==
Then I install Cyrus-IMAP for example.
== conf.d/cyrus-imap.conf ==
...
filter f_cyrus { match("cyrus/"); };
filter f_not_cyrus { not match("cyrus/"); };
...
log { source(sys); filter(f_cyrus); destination(cyrus); };
==

But some messages of Cyrus-IMAP satisfy the f_mesgs condition. I can redefine f_mesgs:
filter f_mesgs { level(info) and not facility(mail,authpriv) and not match("cyrus/"); };
But the log override is more succinct:
log { source(sys); filter(f_mesgs); filter (f_not_cyrus); destination(mesg); };
In this example, the "f_not_cyrus" filter is simple, but such filters can be more complex. The "f_mesgs" filter can become difficult to read as a result.
-- Regards, Sergey
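The routing discussed in this thread, as an added example that is not part of either message and not syslog-ng code: a simplified Python model of how log statements are tried in configuration order and how flags(final) stops later statements from receiving a matched message. The sample messages are constructed, and f_cyrus is assumed to test the program name only.

```python
# Simplified model of syslog-ng log-path evaluation (assumption: a model for
# illustration, not syslog-ng's own code). Log statements are tried in
# configuration order; a statement delivers a message when all of its filters
# match, and flags(final) on a matching statement ends processing there.

def f_cyrus(m):
    # Stands in for match("cyrus/"); here tested against the program name only.
    return "cyrus/" in m["program"]

def f_mesgs(m):
    # level(info) and not facility(mail,authpriv)
    return m["level"] == "info" and m["facility"] not in ("mail", "authpriv")

# log { source(sys); filter(f_cyrus); destination(cyrus); flags(final); };
CYRUS_FINAL = {"filters": [f_cyrus], "destination": "cyrus", "final": True}
# log { source(sys); filter(f_mesgs); destination(mesg); };
CATCH_ALL = {"filters": [f_mesgs], "destination": "mesg", "final": False}

def route(message, log_statements):
    """Return the destinations that receive `message`, in delivery order."""
    delivered = []
    for stmt in log_statements:
        if all(f(message) for f in stmt["filters"]):
            delivered.append(stmt["destination"])
            if stmt["final"]:
                break  # later log statements never see this message
    return delivered

# Constructed sample messages (not taken from a real log).
CYRUS_MSG = {"program": "cyrus/imap", "facility": "local6", "level": "info"}
CRON_MSG = {"program": "crond", "facility": "cron", "level": "info"}
MAIL_MSG = {"program": "postfix/smtpd", "facility": "mail", "level": "info"}

if __name__ == "__main__":
    orders = (("final first", [CYRUS_FINAL, CATCH_ALL]),
              ("catch-all first", [CATCH_ALL, CYRUS_FINAL]))
    for name, order in orders:
        for msg in (CYRUS_MSG, CRON_MSG, MAIL_MSG):
            print(name, msg["program"], "->", route(msg, order))
```

The "catch-all first" ordering corresponds to the base config shown above, where the f_mesgs log statement precedes the @include line: in the model the Cyrus message still reaches mesg, because the final flag only affects statements that come after it.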