program_override("kernel") not working in 3.0.4
I'm trying to upgrade from 2.1.3 to 3.0.4 under Linux, and am having trouble getting my kernel messages tagged appropriately.

My previous configuration had the following:

-----
source k_src { pipe("/proc/kmsg" log_prefix("kernel: ")); };

destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("iptables:"); };
log { source(k_src); filter(f_iptables); destination(iptables); flags(final); };

destination messages { file("/var/log/messages"); };
log { source(src); source(k_src); destination(messages); };
-----

All of my kernel messages showed up with the "kernel:" prefix, and anything coming from iptables was dropped in a separate log.

Based on the documentation, I modified my configuration to the following for 3.0.4:

-----
source k_src { file("/proc/kmsg" program_override("kernel")); };

destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { program("^kernel$") and message("^iptables:"); };
log { source(k_src); filter(f_iptables); destination(iptables); flags(final); };

destination messages { file("/var/log/messages"); };
log { source(src); source(k_src); destination(messages); };
-----

However, my kernel messages show up with no prefix. I tried starting up in debug mode:

-----
syslog-ng starting up; version='3.0.4'
Incoming log entry; line='<6>usb 2-7: USB disconnect, address 8'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'
Incoming log entry; line='<4>iptables: IN=eth0 OUT= MAC=0:05:00:10:97:43:00:0SC147.5.2 S=2... E=8TS00 RC0C T= D363POO2'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
-----

This didn't help me. Am I doing something wrong? I didn't find any complaints of this nature on the mailing list, which leads me to suspect I'm somehow being stupid, any pointers much appreciated.

Thanks...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768
Hello!

Syslog-ng 3.0.5 has the following in its bugfixes update:

* Fixed host_override/program_override options that were broken in 3.0.4.

I'd grab version 3.0.5 regardless as it is a recommended upgrade with a number of bugfixes.

--
Lance Laursen
Demonware Systems Engineer
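One way to find hosts exposed to the regression discussed above, as an added example that is not part of the original thread: it reads the version from the startup line shown in the debug output, then lists sources that set `host_override`/`program_override` and filters that match on `host()`/`program()`. The function names, the regex-based config parsing (top-level blocks without nested braces) and the embedded sample are assumptions of this example.

```python
import re

# Per the 3.0.5 release notes quoted in the thread, the overrides were broken
# in 3.0.4; no other version is assessed here.
BROKEN_VERSIONS = {"3.0.4"}

VERSION_RE = re.compile(r"syslog-ng starting up; version='([^']+)'")
# Simplified parsing (assumption): top-level "source NAME { ... };" and
# "filter NAME { ... };" blocks without nested braces.
BLOCK_RE = re.compile(r"\b(source|filter)\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
OVERRIDE_RE = re.compile(r"\b(host_override|program_override)\s*\(")
DEPENDENT_RE = re.compile(r"\b(host|program)\s*\(")

# Sample input: the 3.0.4 configuration from the first message, abridged.
SAMPLE_CONF = '''
source k_src { file("/proc/kmsg" program_override("kernel")); };
filter f_iptables { program("^kernel$") and message("^iptables:"); };
log { source(k_src); filter(f_iptables); destination(iptables); flags(final); };
'''
SAMPLE_STARTUP = "syslog-ng starting up; version='3.0.4'"


def audit(startup_line, config_text):
    """Return (version, {source: [override options]}, [filters using host()/program()])."""
    m = VERSION_RE.search(startup_line)
    version = m.group(1) if m else None
    sources, filters = {}, []
    for kind, name, body in BLOCK_RE.findall(config_text):
        if kind == "source":
            used = sorted(set(OVERRIDE_RE.findall(body)))
            if used:
                sources[name] = used
        elif DEPENDENT_RE.search(body):
            # These filters only match if the overridden field is really set.
            filters.append(name)
    return version, sources, filters


def is_affected(startup_line, config_text):
    """True when a known-broken version runs a config that relies on overrides."""
    version, sources, _ = audit(startup_line, config_text)
    return version in BROKEN_VERSIONS and bool(sources)


if __name__ == "__main__":
    version, sources, filters = audit(SAMPLE_STARTUP, SAMPLE_CONF)
    print("version:", version, "affected:", is_affected(SAMPLE_STARTUP, SAMPLE_CONF))
    print("sources with overrides:", sources)
    print("filters matching host()/program():", filters)
```

A host reported as affected should have the destinations behind the listed filters (here `/var/log/iptables.log`) checked for missing entries since the upgrade.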
On Mon, 4 Jan 2010, Lance Laursen wrote:

> Syslog-ng 3.0.5 has the following in its bugfixes update:
>
> * Fixed host_override/program_override options that were broken in 3.0.4.
>
> I'd grab version 3.0.5 regardless as it is a recommended upgrade with a number of bugfixes.

Ah, that sounds promising, thanks for the tip. I'm using Gentoo, it looks like they added 3.0.5 late last month but it's still marked as unstable and doesn't show up as an available update by default. I didn't think to look for a newer version from upstream.

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768