I've upgraded from syslog-ng 2.1.4 to 3.0.4, in case flags(final) was somehow broken in that version. The upgrade has made no difference: flags(final) still appears to have no effect.

I am attempting to shunt all entries containing FWNAT into a separate file (network-address-translation), and keep them out of the default destination (default). The configuration, below, writes the entries to both, despite the presence of flags(final) in a prior log{} statement.

My understanding based on reading the documentation and various sample configurations is that flags(final) in one log{} statement should preclude the log entry in question from going to any subsequent log{} statement. Am I misunderstanding how flags(final) works, or should I submit a bug report? If I'm misunderstanding, please let me know if there is a way to get the behavior I'm describing.

Thanks,
MJB

My syslog-ng 3-ified configuration:

@version:3.0
options { flush_lines (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { file ("/proc/kmsg" program_override("kernel")); unix-stream ("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
destination d_network_address_translation { file("/var/log/network-address-translation" flush_lines(10) flush_timeout(1000)); };
destination d_default { file("/var/log/default" flush_lines(10) flush_timeout(1000)); };
filter f_network_address_translation { host("hlgn-crtr-01-service") and priority(info) and facility(local2) and match("FWNAT"); };
log { source(s_sys); filter(f_network_address_translation); destination(d_network_address_translation); flags(final); };
log { source(s_sys); destination(d_default); };

Michael J. Bauer wrote:
That flags(final) is in fact part of the log{} line. The destination() is also part of the log{} line, and appears on a line of its own because of line wrap. The log{} line is, in one line (and hoping to avoid wrap):
log { source(s_sys); filter(f_network_address_translation); destination(d_network_address_translation); flags(final); };
The terminating }; is after flags(final);. Neither of the real destination{} lines contain flags(final).
MJB
srainville@videotron.ca wrote:
The flags(final) goes at the end of the log statement, not the destination.
Cheers,
Steve

----- Original message -----
From: "Michael J. Bauer" <mjbauer@eecs.tufts.edu>
Date: Thursday, 24 September 2009, 23:00
Subject: [syslog-ng] flags(final)
To: syslog-ng@lists.balabit.hu
I think I am misunderstanding what flags(final) is supposed to do. I'm running syslog-ng 2.1.4 on RHEL 5.4 (Tikanga).
I have a fairly simple syslog-ng configuration, which I've attached below. I'm trying to pick off individual groups of log entries and put them in their own individual files. I want to ensure that each gets logged exactly once, so I'm using flags(final). I also have a catch-all at the end in case I've missed something, but the ultimate goal is to have that file present, but empty.
However, with this configuration, the log entries that appear in d_network_address_translation (/var/log/network-address-translation) also appear in d_default (/var/log/default) despite the presence of flags(final) on an earlier log() line. Should it work this way? If so, what can I do to get the desired behavior?
Thanks, MJB
options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
destination d_network_address_translation { file("/var/log/network-address-translation"); };
destination d_default { file("/var/log/default"); };
filter f_network_address_translation { host("router-service-interface") and priority(info) and facility(local2) and match("FWNAT"); };
log { source(s_sys); filter(f_network_address_translation); destination(d_network_address_translation); flags(final); };
log { source(s_sys); destination(d_default); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
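
Added example, not part of the original thread and not syslog-ng code: a small Python model of the routing the poster expects from flags(final), where log{} statements are evaluated in order and a matching statement marked final stops later statements from seeing the message. It also shows that statements placed before the final one still receive the message. LogPath, route and the sample messages are hypothetical names and constructed data.

```python
# Added illustration: a model of ordered log{} evaluation with flags(final).
# It mirrors the configuration in this thread; it is not syslog-ng code.
from dataclasses import dataclass
from typing import Callable, Dict, List

Msg = Dict[str, str]

def match_all(m: Msg) -> bool:
    # A log{} statement with no filter() accepts every message.
    return True

def f_network_address_translation(m: Msg) -> bool:
    # host(...) and priority(info) and facility(local2) and match("FWNAT")
    return (m["host"] == "hlgn-crtr-01-service" and m["priority"] == "info"
            and m["facility"] == "local2" and "FWNAT" in m["message"])

@dataclass
class LogPath:
    destination: str
    filt: Callable[[Msg], bool] = match_all
    final: bool = False          # models flags(final)

def route(paths: List[LogPath], m: Msg) -> List[str]:
    """Return the destinations that receive m, evaluating paths in order."""
    delivered = []
    for p in paths:
        if not p.filt(m):
            continue
        delivered.append(p.destination)
        if p.final:              # later log paths never see this message
            break
    return delivered

NAT = LogPath("d_network_address_translation",
              f_network_address_translation, final=True)
DEFAULT = LogPath("d_default")

# Constructed sample messages (not taken from real logs).
NAT_MSG = {"host": "hlgn-crtr-01-service", "priority": "info",
           "facility": "local2", "message": "FWNAT: constructed sample entry"}
OTHER_MSG = dict(NAT_MSG, message="constructed non-NAT entry")

if __name__ == "__main__":
    print("thread order, NAT msg:   ", route([NAT, DEFAULT], NAT_MSG))
    print("thread order, other msg: ", route([NAT, DEFAULT], OTHER_MSG))
    print("catch-all first, NAT msg:", route([DEFAULT, NAT], NAT_MSG))
```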