Hello, I have this config file: filter f_local0 { facility(local0); }; filter f_local1 { facility(local1); }; destination df_local1 { file("/mnt/log/$R_YEAR-$R_MONTH-$R_DAY/$SOURCEIP/local.log" template("$FULLDATE <> $PROGRAM <> $MSGONLY\n") template_escape(no)); }; log { source(s_tcp); source(s_internal); source(s_udp); source(s_unix); filter(f_local0); filter(f_local1); destination(df_local1); }; When an event arrives at the system by facility local0 or local1, this one is registered in the file never. Can be some bug of syslog-ng or failure in config? some idea of so that this one failure happens? Best regards and thanks in advance. -- A greeting, Javier.
Hi,
Hello,
I have this config file:
filter f_local0 { facility(local0); }; filter f_local1 { facility(local1); }; destination df_local1 { file("/mnt/log/$R_YEAR-$R_MONTH-$R_DAY/$SOURCEIP/local.log" template("$FULLDATE <> $PROGRAM <> $MSGONLY\n") template_escape(no)); }; log { source(s_tcp); source(s_internal); source(s_udp); source(s_unix); filter(f_local0); filter(f_local1); destination(df_local1); };
When an event arrives at the system by facility local0 or local1, this one is registered in the file never. Can be some bug of syslog-ng or failure in config?
If I understand you correctly then the problem is that you're using two filters which exclude each other however using more filters they are logically AND-ed. If you want to catch messages from local0 and local1 use a filter like this: filter f_local01 { facility(local0) or facility(local1); }; Regards, Sandor -------------------------------------------------------- NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
On Mon, Jul 30, 2007 at 12:49:20PM +0100, Geller, Sandor (IT) wrote:
I have this config file:
<snip>
When an event arrives at the system by facility local0 or local1, this one is registered in the file never. Can be some bug of syslog-ng or failure in config?
If I understand you correctly then the problem is that you're using two filters which exclude each other however using more filters they are logically AND-ed. If you want to catch messages from local0 and local1 use a filter like this:
filter f_local01 { facility(local0) or facility(local1); };
What a perfect FAQ entry. I know I've documented this before but I'm pretty sure it was internal documentation at a past job. Now it's up for all to see: http://www.campin.net/syslog-ng/faq.html#filters Oh, and I see that you answered afterwards Evan. Yours was good too. :) -- Nate You can lead an idiot to knowledge but you cannot make him think. You can, however, rectally insert the information, printed on stone tablets, using a sharpened poker.
By specifying this filter(f_local0); filter(f_local1); in your log statement you are saying that each message must match *both* facility local0 *and* local1, which will never be the case, and no messages will ever be written to the destination. What you want is filter f_local01 { facility(local0) or facility(local1); }; log { source(s_tcp); source(s_internal); source(s_udp); source(s_unix); filter(f_local01); destination(df_local1); }; I hope this is helpfull. Evan. Javier Terceiro wrote:
Hello,
I have this config file:
filter f_local0 { facility(local0); }; filter f_local1 { facility(local1); }; destination df_local1 { file("/mnt/log/$R_YEAR-$R_MONTH-$R_DAY/$SOURCEIP/local.log" template("$FULLDATE <> $PROGRAM <> $MSGONLY\n") template_escape(no)); }; log { source(s_tcp); source(s_internal); source(s_udp); source(s_unix); filter(f_local0); filter(f_local1); destination(df_local1); };
When an event arrives at the system by facility local0 or local1, this one is registered in the file never. Can be some bug of syslog-ng or failure in config?
some idea of so that this one failure happens?
Best regards and thanks in advance.
-- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria
participants (4)
-
Evan Rempel
-
Geller, Sandor (IT)
-
Javier Terceiro
-
Nate Campi