Re: [syslog-ng] Unable to Filter Based On Facility into Different Files
flags(final) stops the processing in the first statement.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message --------
From: wiskbroom@hotmail.com
Date: 4/21/17 9:37 AM (GMT-05:00)
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Unable to Filter Based On Facility into Different Files

Greetings!

I am trying to rewrite syslog-ng.conf to create files based on facilities; one way for non-auth messages, another for all authentication messages (ssh, su, sudo, and console logins).

I believe I have two issues with my statements below:

1. My ${HOST}- might be incorrect.
2. Am I able to write two filters for a single source? My single source in this case are Linux boxes, all sending their syslog traffic to my syslog-NG server with *.*.

My statements below, comments and criticism very welcome.

filter f_linux_secure { facility(authpriv) and level(info..emerg); };
filter f_linux_messages { level(info..emerg); };

destination d_linux_secure {
    file("/data/Linux/${HOST}-secure.log" owner("root") group("systems") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_linux_messages {
    file("/data/Linux/${HOST}-messages.log" owner("root") group("systems") perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_remote); filter(f_linux_secure); destination(d_linux_secure); flags(final); };
log { source(s_remote); filter(f_linux_messages); destination(d_linux_messages); flags(final); };

Regards,
Vadim Anatoly Pushkin
Yes, I only want said messages in one of the two files, not both.

Vadim Anatoly Pushkin

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of james.r.hendrick <james.r.hendrick@gmail.com>
Sent: Friday, April 21, 2017 9:40:20 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Unable to Filter Based On Facility into Different Files

flags(final) stops the processing in the first statement.
Hi

Final flags respond with only top-level log paths. You can use an embedded log statement to achieve your goal.

log {
    log { source(s_remote); filter(f_linux_secure); destination(d_linux_secure); flags(final); };
    log { source(s_remote); filter(f_linux_messages); destination(d_linux_messages); };
};

https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o...

Regards

On Fri, Apr 21, 2017 at 7:14 PM, wiskbroom@hotmail.com <wiskbroom@hotmail.com> wrote:
Yes, I only want said messages in one of the two files, not both.
Vadim Anatoly Pushkin

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of james.r.hendrick <james.r.hendrick@gmail.com>
Sent: Friday, April 21, 2017 9:40:20 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Unable to Filter Based On Facility into Different Files
flags(final) stops the processing in the first statement.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
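As an added example (not part of the thread and not syslog-ng's own code), a small Python model of how the embedded log statement above routes messages: the inner path with flags(final) takes the authpriv messages, the second inner path only sees what is left, and anything below info (for example debug) matches neither filter and is written nowhere. The host name and message texts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # RFC 5424 order, 0..7

@dataclass
class Msg:
    host: str        # expanded into ${HOST} in the file name
    facility: str
    level: str
    text: str

def level_range(low: str, high: str) -> Callable[[Msg], bool]:
    """Model of syslog-ng level(low..high); level(info..emerg) is index 6 down to 0."""
    low_i, high_i = LEVELS.index(low), LEVELS.index(high)
    return lambda m: high_i <= LEVELS.index(m.level) <= low_i

# The two filters exactly as defined in the thread.
f_linux_secure = lambda m: m.facility == "authpriv" and level_range("info", "emerg")(m)
f_linux_messages = level_range("info", "emerg")

@dataclass
class LogPath:
    filt: Callable[[Msg], bool]
    destination: str        # file() path with ${HOST} still unexpanded
    final: bool = False     # flags(final)

# The embedded log statement from the thread, as its two inner paths.
EMBEDDED = [
    LogPath(f_linux_secure, "/data/Linux/${HOST}-secure.log", final=True),
    LogPath(f_linux_messages, "/data/Linux/${HOST}-messages.log"),
]

def route(msgs: List[Msg], paths: List[LogPath] = EMBEDDED) -> Dict[str, List[str]]:
    """Return {file path: [message texts]} as the inner paths would write them."""
    files: Dict[str, List[str]] = {}
    for m in msgs:
        for p in paths:
            if not p.filt(m):
                continue
            files.setdefault(p.destination.replace("${HOST}", m.host), []).append(m.text)
            if p.final:
                break   # flags(final): later sibling paths never see this message
    return files
# Constructed sample traffic from one remote host (not real log data).
SAMPLE = [
    Msg("web01", "authpriv", "info", "sshd: Accepted publickey for alice"),
    Msg("web01", "daemon", "notice", "cron: session opened"),
    Msg("web01", "authpriv", "debug", "pam: debug chatter"),  # below info: matches neither filter
]
```

The model only covers routing between the two inner paths; the real configuration file should still be checked with syslog-ng's --syntax-only option before it is reloaded.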
That worked! Thank you, and for the link too, as I am still trying to wrap my head around how it works this way only.

Kind regards,

Vadim Anatoly Pushkin

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dwijadas Dey <dwijad@gmail.com>
Sent: Friday, April 21, 2017 10:08:24 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Unable to Filter Based On Facility into Different Files
participants (3)
- Dwijadas Dey
- james.r.hendrick
- wiskbroom@hotmail.com