Hello,

I'm currently building our loghost syslog-ng conf file and encountered a problem. How can I filter messages so that only not-already-routed lines will be routed/filtered again?

For example, I am trying to send ssh lines to a dedicated log file. Since sshd sends its messages to the daemon facility and that (generic) daemon facility is sent to a generic file, a given line appears in both files and that wastes my disk space :-).

I am trying to solve that by adding "and not filter(f_ssh)" in my daemon filter but it does nothing (not even a syntax error message).

Is there any error? Is there another way?

Thanks for any help.

Un

    ....
    filter f_ssh { program("ssh.*"); };
    filter f_cyrus-imapd { program("deliver.*") or program("imapd.*"); };
    filter f_named { program("named.*"); };
    filter f_ntp { program(".*ntp.*"); };
    filter f_kern { facility(kern); };
    filter f_user { facility(user); };
    filter f_mail { facility(mail); };
    filter f_daemon {
        facility(daemon)
        and not filter(f_cyrus-imapd)
        and not filter(f_ssh)
        and not filter(f_ntp)
        and not filter(f_named);
    };
    ....
The filter way should work, if it doesn't, it's a bug. There's a feature you may use here. You can define default log statements:

    log { source(src); filter(DEFAULT); destination(dst); };

This is a catchall statement, and should catch all messages which were not accepted by any of the previous statements.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
Balazs Scheidler wrote:

> > I'm currently building our loghost syslog-ng conf file and encountered a problem. How can I filter messages so that only not-already-routed lines will be routed/filtered again?
> > For example, I am trying to send ssh lines to a dedicated log file. Since sshd sends its messages to the daemon facility and that (generic) daemon facility is sent to a generic file, a given line appears in both files and that wastes my disk space :-).
> > I am trying to solve that by adding "and not filter(f_ssh)" in my daemon filter but it does nothing (not even a syntax error message).
> > Is there any error? Is there another way?
> > Thanks for any help.
>
> The filter way should work, if it doesn't, it's a bug. There's a feature you

Well, I just tried with version 1.4.3, I am sorry but I think I caught a bug :-) I can send you the conf file if needed. Anyway this is not a very convenient solution, as when I modify a rule, I have to modify it in 2 places... and forget. I would like another one, if possible.

> may use here. You can define default log statements:
>
>     log { source(src); filter(DEFAULT); destination(dst); };
>
> This is a catchall statement, and should catch all messages which were not accepted by any of the previous statements.

I tried to add it to the daemon filter but it changes nothing, log lines continue to appear in the daemon log file. I tried to add it in the log {} but syslog stops with:

    Default statement may not have additional filters.
    center.c:114: failed assertion `d->ref'
    Abort (core dumped)

I want to have ssh log lines only in the ssh log I define and not in the daemon log and ssh log. I have plenty of those needs :-) Is there any way to perform that?

S.R.

this "don't work": -)

    ....
    filter f_ssh { program("ssh.*"); };
    filter f_daemon {
        facility(daemon)
        and not filter(f_cyrus-imapd)
        and not filter(f_ssh)
        and not filter(f_ntp)
        and not filter(f_named)
        and filter(DEFAULT);
    };
    ....
    log { source(local); source(network); filter(f_ssh); destination(d_ssh); };
    log { source(local); source(network); filter(f_daemon); destination(d_daemon); };

sshd uses the daemon.info facility.
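
Added example, not part of the original thread and not syslog-ng code: a small Python model of the routing discussed above, assuming each log statement is evaluated independently and a default statement only receives messages that no other statement accepted. The destination name d_default, the sample messages and the first_match mode are constructed for illustration.

```python
# Toy model of the routing discussed in the thread; NOT syslog-ng code.
# Assumption: each log statement is evaluated on its own, so a message can
# reach several destinations; a default statement sees only the leftovers.
import re
from collections import namedtuple

Msg = namedtuple("Msg", "facility program text")

def program(pattern):
    # Stand-in for program("..."): regex searched in the program name.
    rx = re.compile(pattern)
    return lambda m: rx.search(m.program) is not None

def facility(name):
    return lambda m: m.facility == name

def route(msg, statements, default_dest=None, first_match=False):
    """Return the destinations that receive msg, in statement order.

    first_match is a hypothetical mode (not a feature shown in the thread)
    modelling the poster's wish: stop at the first accepting statement.
    """
    hits = []
    for accepts, dest in statements:
        if accepts(msg):
            hits.append(dest)
            if first_match:
                break
    if not hits and default_dest is not None:
        hits.append(default_dest)  # catch-all: nothing else accepted it
    return hits

f_ssh = program(r"ssh.*")
f_ntp = program(r".*ntp.*")
f_named = program(r"named.*")
f_daemon_plain = facility("daemon")

def f_daemon(m):
    # facility(daemon) and not filter(f_ssh) and not filter(f_ntp) ...
    return f_daemon_plain(m) and not (f_ssh(m) or f_ntp(m) or f_named(m))

# Constructed sample messages.
SSHD = Msg("daemon", "sshd", "Accepted publickey for alice")
CRON = Msg("daemon", "crond", "job started")
KERN = Msg("kern", "kernel", "eth0: link up")

PLAIN = [(f_ssh, "d_ssh"), (f_daemon_plain, "d_daemon")]
EXCLUSIVE = [(f_ssh, "d_ssh"), (f_daemon, "d_daemon")]
```

Running route(SSHD, PLAIN) shows the duplication the poster describes, while EXCLUSIVE shows the result the negated filter references are meant to give.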
participants (2)
- Balazs Scheidler
- Un L'Unique