Hello, Sorry for the long delay it took for me to answer your message, but I was out for a couple of weeks. First of all I would like you to note that syslog-ng version 1.0.x serves only as a proof of concept, and has several flaws I am trying to solve in the new 1.1.xx series. But the latter is not ready yet, as syslog-ng is completely rewritten. syslog-ng 1.0.x works stably as long as the config file is ok, but the parser is not the best one (it is from the original nsyslogd package, which syslog-ng was based on).
I'm trying to replace syslog with syslog-ng at my site. Version 1.0.4, libc5 (rh42). Everything compiled fine, but I am having trouble getting the equivalent to this syslog line below to work:
*.info;mail.none;authpriv.none /var/log/messages
Here is what I tried:

source local { udp 0.0.0.0,514; unix-stream /dev/log; };
destination d_messages { file /var/log/messages; };
destination d_authpriv { file /var/log/secure; };
destination d_mail { file /var/log/maillog; };
filter f_mail { facility mail; };
filter f_authpriv { facility authpriv; };
filter f_mess { priority info; not facility mail; not facility authpriv; };
log { source local; filter f_mail; destination d_mail; };
log { source local; filter f_mess; destination d_messages; };
log { source local; filter f_authpriv; destination d_authpriv; };
When I generate messages for mail.notice, it goes to /var/log/messages *and* /var/log/maillog, and when I generate them for authpriv.notice, they go to /var/log/messages *and* to /var/log/secure, which is wrong (they are not supposed to go to /var/log/messages).
The strange thing is, if I try this filter line: filter f_mess { priority info; not facility mail; }; .. and generate messages for mail.notice, it goes (correctly) to only /var/log/maillog. Also, if I try this: filter f_mess { priority info; not facility authpriv; }; ... and generate messages for authpriv.notice, it goes (correctly) to only /var/log/authpriv.
So... if I put both together, it doesn't work; if I put each one separately, they do. Is this correct? Is there any other way I can use that syslog-type line?
This is obviously wrong. The only solution I can tell you is not to use several conditions in one filter line. You can use several log statements to merge two streams together. BTW: I plan to rework filter statements in 1.1.x to be more powerful. -- Bazsi
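An added worked example, not from this thread and not syslog-ng's own code: a small Python model of the routing the poster is asking for. It assumes that a filter matches when all of its conditions hold, that a destination receives a message when any log statement routes it there, and that "priority info" is read the way sysklogd reads "*.info" (info and anything more severe); all three are assumptions about the intended semantics, not a description of what 1.0.x actually did. The sample messages are constructed. Running it shows where each message should land, which is a quick way to check a routing configuration before trusting it with authpriv and mail records. The second configuration shows the merging Bazsi mentions: two log statements pointing one destination at two different filters.

```python
# Added example (not from the mailing-list thread, not syslog-ng code): a model
# of syslog-ng style routing.  Assumptions: a filter is the AND of its
# conditions, a destination gets the union of every log statement aimed at it,
# and "priority info" means info and more severe (sysklogd's "*.info" reading).
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Numeric syslog severities: a lower number is more severe (RFC 3164 table).
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass(frozen=True)
class Message:
    facility: str
    priority: str


Condition = Callable[[Message], bool]


def facility(name: str) -> Condition:
    return lambda m: m.facility == name


def priority(name: str) -> Condition:
    # Assumption: matches the named level and every more severe level.
    return lambda m: PRIORITIES[m.priority] <= PRIORITIES[name]


def not_(cond: Condition) -> Condition:
    return lambda m: not cond(m)


# filters: name -> conditions (all must hold); logs: (filter name or None, destination)
Config = Tuple[Dict[str, List[Condition]], List[Tuple[Optional[str], str]]]


def route(config: Config, msg: Message) -> Set[str]:
    """Return the set of destinations a message reaches under the model."""
    filters, logs = config
    reached: Set[str] = set()
    for flt_name, dest in logs:
        conditions = filters[flt_name] if flt_name else []
        if all(cond(msg) for cond in conditions):
            reached.add(dest)
    return reached


# The poster's configuration, transcribed into the model.
POSTER_CONFIG: Config = (
    {
        "f_mail": [facility("mail")],
        "f_authpriv": [facility("authpriv")],
        "f_mess": [priority("info"), not_(facility("mail")), not_(facility("authpriv"))],
    },
    [
        ("f_mail", "/var/log/maillog"),
        ("f_mess", "/var/log/messages"),
        ("f_authpriv", "/var/log/secure"),
    ],
)

# Two log statements aimed at one destination merge their streams: here the
# mail and authpriv streams share a file (path is a constructed placeholder).
MERGED_CONFIG: Config = (
    {"f_mail": [facility("mail")], "f_authpriv": [facility("authpriv")]},
    [("f_mail", "/var/log/merged"), ("f_authpriv", "/var/log/merged")],
)


def expected_routing(config: Config = POSTER_CONFIG) -> Dict[str, Set[str]]:
    """Route a handful of constructed messages and report where each lands."""
    samples = [Message("mail", "notice"), Message("authpriv", "notice"),
               Message("kern", "info"), Message("mail", "debug"),
               Message("cron", "debug")]
    return {f"{m.facility}.{m.priority}": route(config, m) for m in samples}


if __name__ == "__main__":
    for name, dests in expected_routing().items():
        print(f"{name:16} -> {sorted(dests) or ['(dropped)']}")
```

Under these assumptions mail.notice reaches only /var/log/maillog and authpriv.notice only /var/log/secure, which is the behaviour the poster expected; a message that matches no log statement (cron.debug here) is dropped, so the model also makes silent gaps in coverage visible.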