RE: [syslog-ng] Ver 1.9.5 problems with facility/level filtering
On Mon, Sep 26, 2005 at 12:30:23PM -0600, Marvin.Nipper@Stream.com wrote:
So. I'm looking for any input as to what might be a potential root problem. Obviously, there are a whole set of different pre-req components for the 1.9.5 world. I'm not sure if I'm dealing with some compatibility problem amongst the component versions that I've selected(?), or if the problem lies elsewhere.
There's no obvious cause going by your description, but maybe if we saw your config we'd notice something. Please post your complete config file, if you don't mind.
Thanks. -- Nate
Here's my current configuration:

options { dir_perm(0755); perm(0600); chain_hostnames(no); keep_hostname(yes); log_fifo_size(1000); };

# Catch everything coming from other sysloggers
source any_udp { udp(); };

# Pipe used by SEC (Simple Event Correlation)
destination SEC { pipe("/tmp/sec"); };

# Various segregated logging files
destination routers_log { file("/var/adm/log/routers.log" create_dirs(yes)); };
destination ravlin_log { file("/var/adm/log/ravlin.log" create_dirs(yes)); };
destination windows_log { file("/var/adm/log/windows.log" create_dirs(yes)); };
destination catch-all_log { file("/var/adm/log/catch-all.log" create_dirs(yes)); };
destination test { file("/var/adm/log/test.log" create_dirs(yes)); };

# Some place to dump noise
destination dev_null { file("/dev/null"); };

######## Logging commands #############

# Send a copy of everything to SEC
#log { source(any_udp); destination(SEC); };

# syslog.info /var/adm/log/windows.log
filter f_4 { facility(syslog) and level(info..emerg); };
log { source(any_udp); filter(f_4); destination(windows_log); flags(final); };

# local5.debug /var/adm/log/routers.log
filter f_1 { facility(local5) and level(debug..emerg); };
log { source(any_udp); filter(f_1); destination(routers_log); flags(final); };

# Kill SonicWall Noise first
filter SonicWallNoise { match("id=firewall") and filter(SonicWallMsgs); };
filter SonicWallMsgs { match("m=97") or match("m=98") or match("m=537"); };
log { source(any_udp); filter(SonicWallNoise); destination(dev_null); flags(final); };

# local0.debug /var/adm/log/ravlin.log
filter f_3 { facility(local0) and level(debug..emerg); };
log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final); };

# (catch all) /var/adm/log/catch-all.log
log { source(any_udp); destination(catch-all_log); flags(final); };

Again, this configuration works just fine with my 1.6.8 compilation. Output is properly distributed to all of the listed files. With my 1.9.5 compilation, the final (unfiltered) file gets everything. In short, I know that the inbound syslog packets are fine (i.e. that they have the correct facility/level information), or 1.6.8 would be broken as well.

THANKS for any and all help!

Marvin
I too have experienced this problem and decided to investigate the source code. Unless I'm missing something, it appears that 1.9.5 simply does not set the correct variable internally, regardless of configuration. The following patch solved the problem for me:

--- /home/pnahas/syslog-ng-1.9.5/src/filter.c 2005-01-05 06:40:50.000000000 -0500 +++ filter.c 2005-09-30 16:23:29.000000000 -0400 @@ -162,6 +162,7 @@ { FilterPri *self = g_new0(FilterPri, 1); + self->valid = facilities; self->super.eval = filter_facility_eval; return &self->super; } @@ -180,6 +181,7 @@ { FilterPri *self = g_new0(FilterPri, 1); + self->valid = levels; self->super.eval = filter_level_eval; return &self->super; }

Hope that helps!

-Peter Nahas
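Review bot: in the first hunk (the facility constructor, context starting at line 162), `self->valid = facilities;` stores a field that `g_new0` had left zero-filled, so before the patch a facility() filter carried no accepted facility at all; that is consistent with the reported symptom that every message fell through to the unfiltered catch-all file. The function signature lies outside the three lines of context, so the diff alone does not let a reviewer confirm that the parameter is really named `facilities`; regenerating the patch with `diff -up` so the function name and signature appear in the hunk context would make that verifiable.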
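Review bot: the second hunk (the level constructor, context starting at line 180) makes the same one-line fix for `levels`, and after it the two constructors differ only in the mask they store and the eval callback they install; a small shared helper taking the mask and the eval function would keep them from drifting apart again. The patch also touches nothing but filter.c: a regression test that builds a facility() and a level() filter and feeds each a message with a known priority would have caught a constructor that silently drops its argument.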
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
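To make the failure Peter describes concrete next to the routing Marvin's config expects, here is an added example in C. It is not code from syslog-ng 1.9.5, from Peter's patch, or from anyone in this thread; it is a small model of a facility()/level() filter and of a chain of flags(final) log statements, written both with and without the "mask never stored" defect. Assumptions: the filter keeps a bitmask of accepted facilities and one of accepted severities (the patch stores a `valid` mask, but the eval functions are not shown in the thread), calloc() stands in for g_new0(), the struct and function names (PriFilter, filter_new_buggy, filter_new_fixed, filter_eval, route) are invented, and the match()-based SonicWall filter is not modelled.

```c
/* Added example: models a syslog-ng facility()/level() filter and Marvin's
 * flags(final) routing chain.  Not syslog-ng code; names and the bitmask
 * representation are assumptions.  match() filters are not modelled. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard syslog numbering: priority = facility * 8 + severity; emerg is 0, debug is 7. */
enum { LOG_EMERG = 0, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG };
enum { FAC_SYSLOG = 5, FAC_LOCAL0 = 16, FAC_LOCAL5 = 21 };

typedef struct {
    unsigned long facilities; /* bit n set: facility n accepted; 0 accepts nothing */
    unsigned char levels;     /* bit n set: severity n accepted */
} PriFilter;

/* level(a..b) is a range in either direction: level(info..emerg) covers severities 0..6. */
unsigned char level_range_mask(int a, int b) {
    int lo = a < b ? a : b, hi = a < b ? b : a;
    unsigned char m = 0;
    for (int s = lo; s <= hi; s++)
        m |= (unsigned char)(1u << s);
    return m;
}

/* Pre-patch 1.9.5 behaviour as Peter describes it: the constructor never stores
 * the mask, so the zero-filled allocation is all that eval() later sees. */
PriFilter *filter_new_buggy(unsigned long facilities, unsigned char levels) {
    PriFilter *f = calloc(1, sizeof *f);
    if (!f) { perror("calloc"); exit(1); }
    (void)facilities; (void)levels; /* arguments silently dropped */
    return f;
}

/* Post-patch behaviour: the mask the config asked for is kept. */
PriFilter *filter_new_fixed(unsigned long facilities, unsigned char levels) {
    PriFilter *f = calloc(1, sizeof *f);
    if (!f) { perror("calloc"); exit(1); }
    f->facilities = facilities;
    f->levels = levels;
    return f;
}

/* facility(x) and level(a..b): both bits must be set for the message's priority. */
int filter_eval(const PriFilter *f, int pri) {
    int facility = pri >> 3, severity = pri & 7;
    return ((f->facilities >> facility) & 1UL) && ((f->levels >> severity) & 1u);
}

/* The facility/level part of Marvin's routing, in config order.  Every log
 * statement has flags(final), so the first matching filter wins and the
 * unfiltered catch-all only sees what nothing else claimed. */
const char *route(int pri, int use_fixed) {
    PriFilter *(*mk)(unsigned long, unsigned char) = use_fixed ? filter_new_fixed : filter_new_buggy;
    struct { PriFilter *f; const char *dest; } table[] = {
        { mk(1UL << FAC_SYSLOG, level_range_mask(LOG_INFO, LOG_EMERG)),  "windows.log" },
        { mk(1UL << FAC_LOCAL5, level_range_mask(LOG_DEBUG, LOG_EMERG)), "routers.log" },
        { mk(1UL << FAC_LOCAL0, level_range_mask(LOG_DEBUG, LOG_EMERG)), "ravlin.log"  },
    };
    const char *dest = "catch-all.log";
    int routed = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!routed && filter_eval(table[i].f, pri)) {
            dest = table[i].dest;
            routed = 1; /* flags(final): later log statements are not consulted */
        }
        free(table[i].f);
    }
    return dest;
}

int main(void) {
    /* Constructed sample priorities: local5.debug, syslog.info, syslog.debug, local0.err */
    int samples[] = { FAC_LOCAL5 * 8 + LOG_DEBUG, FAC_SYSLOG * 8 + LOG_INFO,
                      FAC_SYSLOG * 8 + LOG_DEBUG, FAC_LOCAL0 * 8 + LOG_ERR };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("<%3d>  unpatched -> %-14s  patched -> %s\n",
               samples[i], route(samples[i], 0), route(samples[i], 1));
    return 0;
}
```

With the unpatched constructor every sample lands in catch-all.log, which is exactly the "final (unfiltered) file gets everything" behaviour Marvin reports; with the fixed constructor syslog.debug still reaches the catch-all (it is outside info..emerg) while the other three go to their intended files.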
Thanks. Applied a fix.

On Fri, 2005-09-30 at 16:26 -0400, Peter Nahas wrote:
I too have experienced this problem and decided to investigate the source code. Unless I'm missing something, it appears that 1.9.5 simply does not set the correct variable internally, regardless of configuration. The following patch solved the problem for me:
-- Bazsi
participants (3)
- Balazs Scheidler
- Marvin.Nipper@Stream.com
- Peter Nahas