Hi,

I'm trying to replace syslog with syslog-ng at my site. Version 1.0.4, libc5 (rh42). Everything compiled fine, but I am having trouble getting the equivalent to this syslog line below to work:

    *.info;mail.none;authpriv.none /var/log/messages

Here is what I tried:

    source local { udp 0.0.0.0,514; unix-stream /dev/log; };
    destination d_messages { file /var/log/messages; };
    destination d_authpriv { file /var/log/secure; };
    destination d_mail { file /var/log/maillog; };
    filter f_mail { facility mail; };
    filter f_authpriv { facility authpriv; };
    filter f_mess { priority info; not facility mail; not facility authpriv; };
    log { source local; filter f_mail; destination d_mail; };
    log { source local; filter f_mess; destination d_messages; };
    log { source local; filter f_authpriv; destination d_authpriv; };

When I generate messages for mail.notice, it goes to /var/log/messages *and* /var/log/maillog, and when I generate them for authpriv.notice, they go to /var/log/messages *and* to /var/log/secure, which is wrong (they are not supposed to go to /var/log/messages).

The strange thing is, if I try this filter line:

    filter f_mess { priority info; not facility mail; };

... and generate messages for mail.notice, it goes (correctly) to only /var/log/maillog. Also, if I try this:

    filter f_mess { priority info; not facility authpriv; };

... and generate messages for authpriv.notice, it goes (correctly) to only /var/log/authpriv.

So... if I put both together, it doesn't work; if I put each one separately, they do. Is this correct? Is there any other way I can use that syslog-type line?

PS: I tried using the conf-convert.pl script, and it did not work, either.

Thank you,

--
Cristiano Lincoln Mattos
Recife / Brazil
Hello,

Sorry for the long delay it took for me to answer your message, but I was out for a couple of weeks.

First of all I would like you to note that syslog-ng version 1.0.x serves only as a proof of concept, and has several flaws I am trying to solve in the new 1.1.xx series. But the latter is not ready yet, as syslog-ng is completely rewritten. syslog-ng 1.0.x works stable as long as the config file is ok, but the parser is not the best one (it is from the original nsyslogd package, which syslog-ng was based on).
> I'm trying to replace syslog with syslog-ng at my site. Version 1.0.4, libc5 (rh42). Everything compiled fine, but I am having trouble getting the equivalent to this syslog line below to work:
>
>     *.info;mail.none;authpriv.none /var/log/messages
>
> Here is what I tried:
>
>     source local { udp 0.0.0.0,514; unix-stream /dev/log; };
>     destination d_messages { file /var/log/messages; };
>     destination d_authpriv { file /var/log/secure; };
>     destination d_mail { file /var/log/maillog; };
>     filter f_mail { facility mail; };
>     filter f_authpriv { facility authpriv; };
>     filter f_mess { priority info; not facility mail; not facility authpriv; };
>     log { source local; filter f_mail; destination d_mail; };
>     log { source local; filter f_mess; destination d_messages; };
>     log { source local; filter f_authpriv; destination d_authpriv; };
>
> When I generate messages for mail.notice, it goes to /var/log/messages *and* /var/log/maillog, and when I generate them for authpriv.notice, they go to /var/log/messages *and* to /var/log/secure, which is wrong (they are not supposed to go to /var/log/messages).
>
> The strange thing is, if I try this filter line:
>
>     filter f_mess { priority info; not facility mail; };
>
> ... and generate messages for mail.notice, it goes (correctly) to only /var/log/maillog. Also, if I try this:
>
>     filter f_mess { priority info; not facility authpriv; };
>
> ... and generate messages for authpriv.notice, it goes (correctly) to only /var/log/authpriv.
>
> So... if I put both together, it doesn't work; if I put each one separately, they do. Is this correct? Is there any other way I can use that syslog-type line?
This is obviously wrong. The only solution I can tell you is not to use several conditions in one filter line. You can use several log statements to merge two streams together.

BTW: I plan to rework filter statements in 1.1.x to be more powerful.

--
Bazsi
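The routing the original syslog.conf line is meant to produce, as an added example that is not part of either message and is not syslog-ng code: a small Python model of classic selector evaluation, applied to the three destinations from the thread. The function names, the `mail.*` / `authpriv.*` selector forms used for the two facility filters, and the sample messages are assumptions made for illustration; only the plain `facility.priority` and `facility.none` forms are modelled.

```python
# Added illustration: a simplified model of classic syslog.conf selectors.
# All names below are hypothetical; sample messages are constructed.
PRIORITIES = ["debug", "info", "notice", "warning",
              "err", "crit", "alert", "emerg"]


def selector_matches(selector, facility, priority):
    """Evaluate a selector such as '*.info;mail.none;authpriv.none'.

    Parts are applied left to right: 'fac.pri' selects messages of that
    facility at or above pri, 'fac.none' removes the facility again.
    """
    matched = False
    for part in selector.split(";"):
        facs, level = part.strip().rsplit(".", 1)
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue  # this part says nothing about our facility
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        elif PRIORITIES.index(priority) >= PRIORITIES.index(level):
            matched = True
    return matched


# Destinations from the thread, written as selectors (assumed equivalents
# of the f_mess, f_mail and f_authpriv filters).
ROUTES = {
    "/var/log/messages": "*.info;mail.none;authpriv.none",
    "/var/log/maillog": "mail.*",
    "/var/log/secure": "authpriv.*",
}


def route(facility, priority):
    """Return the files a message should be written to."""
    return sorted(path for path, sel in ROUTES.items()
                  if selector_matches(sel, facility, priority))


if __name__ == "__main__":
    # Constructed test messages, matching the ones generated in the thread.
    for fac, pri in [("mail", "notice"), ("authpriv", "notice"),
                     ("daemon", "info"), ("kern", "debug")]:
        print(f"{fac}.{pri:8} -> {route(fac, pri) or 'dropped'}")
```

Running the same facility/priority pairs through a real configuration (for instance with `logger -p mail.notice`) and comparing against this table shows quickly whether mail or authpriv messages are leaking into /var/log/messages.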
On Tue, 6 Apr 1999, Balazs Scheidler wrote:
> syslog-ng 1.0.x works stable as long as the config file is ok, but the parser is not the best one (it is from the original nsyslogd package, which syslog-ng was based on)

Unfortunately, I have not been able to get syslog-ng to work correctly. It starts fine and then 20 minutes later (the apparent default) logs a mark (three times, to the screen as well as logfile) and then hangs. Consistently. I have tried this under Linux 2.2.1 and 2.2.5 and -- with a little minor editing -- HP-UX 11.00. Any idea what my problem is?

Just as a note, it runs under HP-UX and will handle remote logs correctly, but the system's syslog() function seems to append a couple hundred bytes of binary data to the end when writing to the named pipe /dev/log; I have no idea what this data is for.

--
Scott Dellinger
Systems Administrator, JMU Technical Services
dellinsd@jmu.edu
participants (3)
- Balazs Scheidler
- Cristiano Lincoln Mattos
- Scott Dellinger