Ignoring previously handled/filtered messages
Hello all. I am new to syslog-ng (today) and have a question. I have looked through all of the documentation that I can find -- as well as scanned the mailing list archives, and cannot find a solution. In fact, I see that Un L'Unique had this same problem last month, and it was partially discussed, but there was no final answer.

Basically, it seems that there should be an easy way to make syslog-ng NOT resend messages that have already been sent to some other log. Here is what I am trying to do... I have several daemons (we'll shorten the list to just ftpd and named for this example) that currently send daemon.info messages. I want each application to have its own log file. So, I have tried configuring them like this:

destination ftpd { file("/var/log/ftplog"); };
destination named { file("/var/log/namedlog"); };
destination daemon { file("/var/log/daemonlog"); };

filter f_ftpd { program("ftpd"); };
filter f_named { program("named"); };
filter f_daemon { facility(daemon); };

log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_daemon); destination(daemon); };

This makes messages for ftpd go to ftpdlog and for named go to namedlog. The problem is that they still also go to the daemonlog since they are daemon.info messages. What I want is a way to tell syslog-ng that I do NOT want it to also send those to the daemonlog file. It seems that there should be a directive to say "send these to this log ONLY if they haven't already been handled."

I did try doing this for the daemon filter:

filter f_daemon { facility(daemon) and not filter(f_ftpd) and not filter(f_named); };

...but this does not work. I still get the ftpd and named messages in daemonlog (as well as ftpdlog and namedlog). This is exactly what Un L'Unique experienced last month when he said that the "not filter" did not appear to be working for him. I get the same behavior -- it does not work for me.

This is, however, not even a good system even if it DID work, because then I would have to specify each and every "not filter" for other daemons that are handled and remember to add them each time I add logging for a new daemon. It would just be so much better if the facility(daemon) could be told to only log daemon messages that were NOT already logged elsewhere. I believe that this can be done (and is the default behavior) in standard syslog. I tried working with the filter(DEFAULT) command, but this also did not seem to do what I wanted since I can't tell it to JUST do it for facility(daemon).

Thank you!

- John...
filter nf_send { not program("sendmail"); };
log { source("src2"); filter("h_lists"); filter("nf_send"); destination("lists"); };

this works for me

----- Original Message -----
From: "John Goggan" <jgoggan@dcg.com>
To: "syslog-ng Mailing List" <syslog-ng@lists.balabit.hu>
Sent: Wednesday, May 24, 2000 2:18 PM
Subject: [syslog-ng] Ignoring previously handled/filtered messages
I did try doing this for the daemon filter:

filter f_daemon { facility(daemon) and not filter(f_ftpd) and not filter(f_named); };

...but this does not work. I still get the ftpd and named messages in daemonlog (as well as ftpdlog and namedlog). This is exactly what Un L'Unique experienced last month when he said that the "not filter" did not appear to be working for him. I get the same behavior -- it does not work for me. This is,
First of all, I tried this, and it DID work, at least for my local source tree. Maybe I've committed a fix sometimes and didn't release it? Here's the configuration I tried:

options { keep_hostname(yes); };

source src { unix-stream("proba2"); internal(); };

destination ftpd { file("ftplog"); };
destination named { file("namedlog"); };
destination daemon { file("daemonlog"); };

filter f_ftpd { match("ftp"); };
filter f_named { match("named"); };
filter f_daemon { facility(daemon) and not filter(f_ftpd) and not filter(f_named); };

log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_daemon); destination(daemon); };

And the lines I logged:

balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"

All of them went to the desired location. I'll go on and test the DEFAULT filter.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
John,

This makes messages for ftpd go to ftpdlog and for named go to namedlog. The problem is that they still also go to the daemonlog since they are daemon.info messages. What I want is a way to tell syslog-ng that I do NOT want it to also send those to the daemonlog file. It seems that there should be a directive to say "send these to this log ONLY if they haven't already been handled."

I did try doing this for the daemon filter:

filter f_daemon { facility(daemon) and not filter(f_ftpd) and not filter(f_named); };

...but this does not work. I still get the ftpd and named messages
try

filter f_daemon { facility(daemon) and not program(name); };

where "name" is whatever program you're trying to filter out. I think the match keyword will take care of this as well.

Regards,
Ger.
ger wrote:
try filter f_daemon { facility(daemon) and not program(name);};
where "name" is whatever program you're trying to filter out.
Thanks to Ger and Ilya for their responses. While this does work, it really seems like a poor way to do it to me -- and, I believe, is also quite a bit different from the way standard syslog handles things. The problem is that it should just be easy to make it so that messages are handled only ONCE and then not sent to additional logs unless specifically desired. How many people really want the same syslog message sent to multiple logs most of the time? It just seems that the default (which does this) is the opposite of what most would want.

Plus, what needs to be done to get around this just doesn't make any sense. This means that if I want separate logs for imapd, named, telnetd, and ftpd (to name just a few common daemons) -- and I want any other daemons that pop up to still go to a daemon.log, I have to do this in my filter section:

filter f_imapd { program("imapd"); };
filter f_named { program("named"); };
filter f_telnetd { program("telnetd"); };
filter f_ftpd { program("ftpd"); };
filter f_auth { facility(auth) and not program("imapd") and not program("named") and not program("telnetd") and not program("ftpd"); };
filter f_daemon { facility(daemon) and not program("imapd") and not program("named") and not program("telnetd") and not program("ftpd"); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news) and not program("imapd") and not program("named") and not program("telnetd") and not program("ftpd"); };

That just seems like a really bad design! I have to make sure that I keep all of the names updated in several different locations. If I want to add a log for just one more daemon, I have to add it to at least 3 other filters besides its own filter! Aren't other people experiencing such problems? Or is no one out there using syslog-ng to filter out specific daemons while still catching the unlisted daemons in a daemon.log file? There must be a better way...

- John...
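The "handle each message once" routing John asks for is expressed in later syslog-ng releases with log path flags rather than with per-program exclusions in every filter. The configuration below is an added example, not one posted by anyone in the thread; it assumes syslog-ng 3.x (log statements accept flags(final) and flags(fallback), and system() is a valid source) and reuses the file paths from John's original post, with d_unrouted as an assumed extra destination.

```conf
@version: 3.0
# Added example: single-handling routing via log path flags (syslog-ng 3.x).
# Destination names and /var/log/unrouted.log are assumptions.
options { keep_hostname(yes); };

source s_local { system(); internal(); };

destination d_ftpd     { file("/var/log/ftplog"); };
destination d_named    { file("/var/log/namedlog"); };
destination d_daemon   { file("/var/log/daemonlog"); };
destination d_unrouted { file("/var/log/unrouted.log"); };

filter f_ftpd   { program("ftpd"); };
filter f_named  { program("named"); };
filter f_daemon { facility(daemon); };

# flags(final): a message matched here is not offered to any later log path,
# so ftpd and named lines never reach daemonlog. Order matters: these
# per-program paths must come before the catch-all.
log { source(s_local); filter(f_ftpd);  destination(d_ftpd);  flags(final); };
log { source(s_local); filter(f_named); destination(d_named); flags(final); };

# Catch-all for every other daemon. Adding a new per-program path above
# needs no change here: no list of "not program(...)" to keep in sync.
log { source(s_local); filter(f_daemon); destination(d_daemon); };

# flags(fallback): receives only messages that matched none of the
# non-fallback paths above (here, anything outside the daemon facility),
# so a gap in the filters leaves evidence in a file instead of discarding it.
log { source(s_local); destination(d_unrouted); flags(fallback); };
```

Run `syslog-ng --syntax-only -f <file>` to check the configuration before loading it; the flags change routing, so verify with logger as Bazsi did that each test line lands in exactly one file.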
participants (4):
- Balazs Scheidler
- ger
- Ilya
- John Goggan