On Thu, Sep 25, 2014 at 11:31 AM, Pál, László <vlad@vlad.hu> wrote:

> You need both logpath. One is filtering out and other collecting remaining.
> Also the order of log statement is important

Vlad,
thank you for your reply.
I followed your tips but syslog-ng still logging...
What I miss in the config?
The actual is:

# cat /etc/syslog-ng/syslog-ng.conf
@version:3.2

options { check_hostname(yes);
keep_hostname(yes);
stats_freq(0);
chain_hostnames(no); };

source inputs { internal();
unix-stream("/dev/log");
udp();
tcp(max_connections(100)); };

destination logpile {
file("/logs/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
owner(root) group(root) perm(0600)
create_dirs(yes) dir_perm(0700)); };

filter vmware_filter { match("Section for VMware ESX" value ("MESSAGE")); };

log { source(inputs); filter(vmware_filter); flags(final); };
log { source(inputs); destination(logpile); };

Thanks,

-f
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq