You need both log paths. One is filtering out and the other is collecting the remaining. Also, the order of the log statements is important.

This is how I filtered out some annoying qemu bug :))

filter f_qemu_bug {
    match("kernel" value("PROGRAM")) and
    match("unable to execute QEMU command \'qom-get\'" value("MESSAGE"));
};
filter f_variety_bug {
    match("kernel" value("PROGRAM")) and
    match("Failed to set the background" value("MESSAGE"));
};

#get rid of qemu bug (no destination, so matching messages are dropped)
log { source(s_local); filter(f_qemu_bug); flags(final); };

#get rid of variety bug
log { source(s_local); filter(f_variety_bug); flags(final); };

#separate firewall log
log { source(s_local); filter(f_iptables); destination(d_firewall); flags(final); };

#remaining
log { source(s_local); destination(d_messages); };

Vlad

On 24 September 2014 12:48, fRANz <andrea.francesconi@gmail.com> wrote:
Hello guys,
I'm trying to configure syslog-ng to ignore and not log some strings. I'm using syslog-ng-3.2.5-4.el6.x86_64 on CentOS 6.5; the config is pretty simple:
# cat /etc/syslog-ng/syslog-ng.conf
@version:3.2
options { check_hostname(yes); keep_hostname(yes); stats_freq(0); chain_hostnames(no); };
source inputs { internal(); unix-stream("/dev/log"); udp(); tcp(max_connections(100)); };
destination logpile { file("/logs/$HOST/$YEAR/$MONTH/$DAY/$FACILITY" owner(root) group(root) perm(0600) create_dirs(yes) dir_perm(0700)); };
#filter vmware_filter { match("Section for VMware ESX" value ("MESSAGE")); };
#filter vmware_filter { message("Section for VMware ESX"); };
filter vmware_filter { not message("Section for VMware ESX"); };

#log { source(inputs); filter(vmware_filter); flags(final); };
#log { source(inputs); destination(logpile); };
log { source(inputs); filter(vmware_filter); destination(logpile); };
but I cannot find the right key. What's wrong in this config? You can see old configuration applied.
Thanks for any tip.
-f
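The reply's point that log statement order matters with flags(final) can be checked with a small model. This is an added example, not code from the thread or from syslog-ng: it is a simplified Python simulation of log path evaluation, and the regex standing in for f_iptables and the sample messages are assumptions, since the thread does not show them.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogPath:
    """Simplified model of one syslog-ng log { } statement."""
    name: str
    pattern: Optional[str] = None      # regex on MESSAGE; None = no filter
    program: Optional[str] = None      # regex on PROGRAM; None = any program
    destination: Optional[str] = None  # None = no destination, i.e. drop
    final: bool = False                # flags(final)

    def matches(self, msg: dict) -> bool:
        if self.program and not re.search(self.program, msg["PROGRAM"]):
            return False
        return self.pattern is None or re.search(self.pattern, msg["MESSAGE"]) is not None


def route(paths, msg):
    """Return the destinations that receive msg, evaluating paths in file order."""
    delivered = []
    for p in paths:
        if not p.matches(msg):
            continue
        if p.destination:
            delivered.append(p.destination)
        if p.final:  # later log statements never see this message
            break
    return delivered


# Paths modelled on the reply's configuration.
DROP_QEMU = LogPath("drop_qemu", r"unable to execute QEMU command 'qom-get'", "kernel", None, True)
FIREWALL = LogPath("firewall", r"IN=.* OUT=", None, "d_firewall", True)  # assumed f_iptables
CATCH_ALL = LogPath("remaining", destination="d_messages")

GOOD_ORDER = [DROP_QEMU, FIREWALL, CATCH_ALL]
BAD_ORDER = [CATCH_ALL, DROP_QEMU, FIREWALL]  # catch-all first: nothing is suppressed

# Constructed sample messages.
NOISE = {"PROGRAM": "kernel", "MESSAGE": "unable to execute QEMU command 'qom-get': not found"}
FW = {"PROGRAM": "kernel", "MESSAGE": "IN=eth0 OUT= SRC=192.0.2.7 DST=192.0.2.1 PROTO=TCP"}
OTHER = {"PROGRAM": "sshd", "MESSAGE": "Accepted publickey for admin"}

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for m in (NOISE, FW, OTHER):
            print(label, m["PROGRAM"], "->", route(order, m))
```

With the catch-all path first, the noisy message still reaches d_messages and firewall lines are written to both destinations, which is why the drop paths have to precede it.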