Why does this not work?
Hi,

I am trying to lessen the amount in my messages log. I have logs coming in from my router which I can successfully put into their own log using the following filters. Unfortunately this also drops the info into messages as well:

filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_router { host(vigor); };

If I try to prevent the additions to the message log using the following filters I get the error shown below.

filter f_messages { not facility(news, mail) and not filter(f_iptables, f_router); };
filter f_router { host(vigor); };

benden:~ # /etc/init.d/syslog restart
Shutting down syslog services done
Starting syslog servicessyntax error at 76
Parse error reading configuration file, exiting. (line 76)
startproc: exit status of parent of /sbin/syslog-ng: 1
failed

Can anyone explain what I am doing wrong please?

--
Best regards,
David
mailto:dma@pern.co.uk

David Anderson wrote:
Hi,
I am trying to lessen the amount in my messages log. I have logs coming in from my router which I can successfully put into their own log using the following filters. Unfortunately this also drops the info into messages as well:
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_router { host(vigor); };
If I try to prevent the additions to the message log using the following filters I get the error shown below.
filter f_messages { not facility(news, mail) and not filter(f_iptables, f_router); };
To the best of my knowledge you can't use nested filters. Either use the 'final' flag in your log definitions instead or create a new filter:

filter f_notvigor { not host(vigor); };

and use it in your log sections. Using the 'final' flag is much more efficient, but you have to take care of the ordering of your log definitions.

--
Sandor Geller
wildy@balabit.hu

On Fri, 2006-03-10 at 09:17 +0100, Sandor Geller wrote:
David Anderson wrote:
filter f_messages { not facility(news, mail) and not filter(f_iptables, f_router); };
To the best of my knowledge you can't use nested filters. Either use the 'final' flag in your log definitions instead or create a new filter:
Without really understanding the discussion a minor correction:

You can use nested filters but not as a list like you used above, as the filter() function only supports a single item. So that should be rewritten as:

filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_router); };

--
Bazsi

Bazsi,

Monday, March 13, 2006, 5:40:51 PM, you wrote:
On Fri, 2006-03-10 at 09:17 +0100, Sandor Geller wrote:
David Anderson wrote:
filter f_messages { not facility(news, mail) and not filter(f_iptables, f_router); };
To the best of my knowledge you can't use nested filters. Either use the 'final' flag in your log definitions instead or create a new filter:
Without really understanding the discussion a minor correction:
You can use nested filters but not as a list like you used above, as the filter() function only supports a single item. So that should be rewritten as:
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_router); };
Thanks, Bazsi. That did exactly what I wanted.

--
Best regards,
David
mailto:dma@pern.co.uk
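
The 'final' flag alternative mentioned in the thread, written out as an added example that is not from any of the posts: the source and destination names, file paths and the body of f_iptables are assumptions, and only f_router and the facility test come from the thread. It uses the syntax of the thread's era; current syslog-ng releases also expect an `@version` line at the top of the file.

```conf
# Constructed example. s_sys, s_net, d_*, the paths and the f_iptables body are
# assumptions; f_router and the facility(news, mail) test are from the thread.

source s_sys { unix-stream("/dev/log"); internal(); };
source s_net { udp(ip("0.0.0.0") port(514)); };

destination d_router   { file("/var/log/router.log"); };
destination d_iptables { file("/var/log/firewall"); };
destination d_messages { file("/var/log/messages"); };

# host() is a regular-expression match, so "vigor" also matches "vigor2".
filter f_router   { host("vigor"); };
filter f_iptables { match("IN=") and match("OUT="); };

# With flags(final) on the specific paths below, the catch-all filter no longer
# needs "and not filter(f_iptables) and not filter(f_router)".
filter f_messages { not facility(news, mail); };

# Order matters: a message that matches a path marked flags(final) is not
# handed to any log statement that appears later in the file.
log { source(s_net); filter(f_router);   destination(d_router);   flags(final); };
log { source(s_sys); filter(f_iptables); destination(d_iptables); flags(final); };

# Catch-all path, last. Moving it above the two paths above would put router
# and firewall lines back into /var/log/messages.
log { source(s_sys); source(s_net); filter(f_messages); destination(d_messages); };
```

Running `syslog-ng --syntax-only --cfgfile <path>` against the edited file before restarting the service catches a parse error like the one in the first post without taking logging down.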
participants (3)
- Balazs Scheidler
- David Anderson
- Sandor Geller