Syslog-ng not honoring negative flag
I'm having a bit of a problem and hope someone here can help. I'm trying to separate individual items into specific logs, i.e. ssh events in sshd.log, samba messages in samba.log, etc...

I managed to come up with filters that pull out the events I started with, and they are going into the correct log files. But they are ALSO going into /var/log/messages even though I specifically have a filter on that one that says not to include samba or sshd events. I'll copy my config file here. Hopefully someone can tell me what I did wrong.

Thanks!

---------------------------------------------
@version: 3.30

@include "scl.conf"

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };

destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };

log { source(src); destination(smb_logs); filter(samba); flags(final); );
log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };
log { source(src); destination(console); filter(syslog); };
log { source(src); destination(messages); filter(syslog); };
Hello,

The order in the configuration matters.

log { source(src); destination(console); filter(syslog); };

The message flow is the following in your example:

source(src) -> destination(console) -> filter(syslog) -> void

The filter receives messages only after destination, if you switch filter and destination it should be fine.

--
kokan

________________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dan Egli <dan@newideatest.site>
Sent: 07 April 2021 07:17
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Syslog-ng not honoring negative flag

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
No joy. I tried swapping it different ways.

filter -> source -> destination = combined
source -> filter -> destination = combined

Here's what my config looks like now, after the second variant:

@version: 3.30

@include "scl.conf"

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };

destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };

log { source(src); filter(samba); destination(smb_logs); flags(final); );
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };

Still, sshd messages are appearing in /var/log/messages.

On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> The order in the configuration matters.
> log { source(src); destination(console); filter(syslog); };
> The message flow is the following in your example source(src) -> destination(console) -> filter(syslog) -> void
> The filter receives messages only after destination, if you switch filter and destination it should be fine.
Your ssh_messages filter reads

filter ssh_messages { facility("AUTH") and level("INFO"); };

Are you sure all ssh related messages are logged at auth.info?

Note that unlike syslogd, level(info) will only match "info" exactly and not info and up. To match a range, you can use level(info..emerg)

Also, why don't you just match on program name? E.g. program("sshd") or something?

And one last note, once you deliver a message using flags(final) you won't need to negate the filter in subsequent log paths. Syslog-ng would simply stop processing at flags(final).

On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> wrote:
> No joy. I tried swapping it different ways.
>
> filter -> source -> destination = combined
> source -> filter -> destination = combined
>
> Still, sshd messages are appearing in /var/log/messages.
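The two replies above make claims about evaluation order that are easy to check with a small model. The following is an added example written for this thread, not code from syslog-ng or from anyone on the list: a toy walker over log paths that reproduces Peter Kokai's point (statements inside a log { } block run in order, so a destination() placed before the filter() receives every message) and Balazs Scheidler's points (level("info") is an exact match while level("info..emerg") is a range, and flags(final) makes negated filters in later paths unnecessary). The sample messages, the "smbd" program name and the destination labels are constructed for the demo and are not captured from a real host; how closely the model tracks syslog-ng's engine in corner cases is an assumption.

```python
"""Toy model of syslog-ng log-path evaluation (added example, not syslog-ng code).

Reproduces three behaviours discussed in the thread:
  * statements inside a log { } block run in order, so a destination()
    written before the filter() receives every message;
  * level("info") matches that one priority only; level("info..emerg")
    matches the inclusive range;
  * flags(final) stops a message that matched a path from reaching later
    paths, so negated filters in later paths are unnecessary.
"""
from dataclasses import dataclass

# syslog priorities, most to least severe (RFC 5424 numbering order)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Msg:
    program: str
    facility: str
    level: str
    text: str


# Filter builders named after the syslog-ng filter functions used in the thread.
# Names are compared case-insensitively in this model.
def program(name):
    return lambda m: m.program == name


def facility(name):
    return lambda m: m.facility == name.lower()


def level(spec):
    """level("info") is exact; level("info..emerg") is an inclusive range."""
    names = [s.strip().lower() for s in spec.split("..")]
    idx = sorted(LEVELS.index(n) for n in names)
    wanted = set(LEVELS[idx[0]:idx[-1] + 1])
    return lambda m: m.level in wanted


def both(*filters):
    return lambda m: all(f(m) for f in filters)


def negate(f):
    return lambda m: not f(m)


@dataclass
class LogPath:
    steps: list          # ordered ("filter", fn) / ("destination", name) entries
    final: bool = False  # flags(final)


def route(paths, msgs):
    """Return {destination: [texts]} as an in-order walk of the log paths delivers them."""
    delivered = {}
    for m in msgs:
        for path in paths:
            matched = True
            for kind, arg in path.steps:
                if kind == "filter":
                    if not arg(m):
                        matched = False
                        break            # remaining steps of this path are skipped
                else:
                    # a destination delivers immediately; a filter after it is too late
                    delivered.setdefault(arg, []).append(m.text)
            if matched and path.final:
                break                    # flags(final): later paths never see this message
    return delivered


# Constructed sample traffic (not captured from a real host).
SAMPLE = [
    Msg("sshd", "auth", "info", "Accepted publickey for dan from 192.0.2.10 port 50422 ssh2"),
    Msg("sshd", "auth", "err", "error: maximum authentication attempts exceeded for root from 192.0.2.77"),
    Msg("smbd", "daemon", "info", "connect to service share initially as user dan"),
    Msg("cron", "cron", "info", "(root) CMD (run-parts /etc/cron.hourly)"),
]

# Filters as posted: program("samba") never matches smbd, and level("INFO")
# misses sshd's error-level lines.
samba = program("samba")
ssh_messages = both(facility("AUTH"), level("INFO"))
syslog = both(negate(ssh_messages), negate(samba))

# Paths as first posted: destination() before filter().
POSTED = [
    LogPath([("destination", "samba.log"), ("filter", samba)], final=True),
    LogPath([("destination", "sshd.log"), ("filter", ssh_messages)], final=True),
    LogPath([("destination", "console"), ("filter", syslog)]),
    LogPath([("destination", "messages"), ("filter", syslog)]),
]

# Corrected: filter first, match on program name, rely on flags(final)
# instead of negated filters for the catch-all paths.
FIXED = [
    LogPath([("filter", program("smbd")), ("destination", "samba.log")], final=True),
    LogPath([("filter", program("sshd")), ("destination", "sshd.log")], final=True),
    LogPath([("destination", "console")]),
    LogPath([("destination", "messages")]),
]


def level_matches(spec, prio):
    """True if a level(spec) filter accepts a message at priority prio."""
    return level(spec)(Msg("x", "auth", prio, ""))


if __name__ == "__main__":
    for label, paths in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {label} ==")
        for dest, texts in sorted(route(paths, SAMPLE).items()):
            print(f"{dest}: {len(texts)} message(s)")
            for t in texts:
                print("   ", t)
```

Run as is, the "posted" walk shows every message landing in samba.log and sshd.log (the destination fires before the filter can reject anything) and the sshd error line plus the smbd line reaching messages, which is the symptom reported in the thread; the "fixed" walk delivers each sshd and smbd line exactly once and leaves only the cron line for the catch-all paths.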
It's not just ssh. Samba messages are appearing in /var/log/messages also. I just noticed that. But as to my ssh, the config file specifically says to use facility auth and level info. I suppose I could change it to program("sshd") or something, but since program("samba") is also slipping through, then I'm not sure that is going to fix anything.

On 4/7/2021 12:38 AM, Balazs Scheidler wrote:
> Your ssh_messages filter reads
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> Are you sure all ssh related messages are logged at auth.info?
> Note that unlike syslogd, level(info) will only match "info" exactly and not info and up. To match a range, you can use level(info..emerg)
> Also, why don't you just match on program name? E.g. program("sshd") or something?
> And one last note, once you deliver a message using flags(final) you won't need to negate the filter in subsequent log paths. Syslog-ng would simply stop processing at flags(final).
Last I've checked samba was logging as "smbd"

On Wed, Apr 7, 2021, 08:41 Dan Egli <dan@newideatest.site> wrote:
> It's not just ssh. Samba messages are appearing in /var/log/messages also. I just noticed that. But as to my ssh, the config file specifically says to use facility auth and level info. I suppose I could change it to program("sshd") or something, but since program("samba") is also slipping through, then I'm not sure that is going to fix anything.
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> wrote:
> No joy. I tried swapping it different ways.
>
> filter -> source -> destination = combined
> source -> filter -> destination = combined
>
> Here's what my config looks like now, after the second variant:
>
> @version: 3.30
>
> @include "scl.conf"
>
> options {
>   threaded(yes);
>   chain_hostnames(no);
>   stats_freq(43200);
>   mark_freq(3600);
> };
>
> source src { system(); internal(); };
>
> filter samba { program("samba"); };
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
> destination smb_logs { file("/var/log/samba/samba.log"); };
>
> log { source(src); filter(samba); destination(smb_logs); flags(final); );

You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.

> log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
> log { source(src); filter(syslog); destination(console); };
> log { source(src); filter(syslog); destination(messages); };
>
> Still, sshd messages are appearing in /var/log/messages.
>
> On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
>> Hello,
>>
>> The order in the configuration matters.
>>
>> log { source(src); destination(console); filter(syslog); };
>>
>> The message flow is the following in your example
>>
>> source(src) -> destination(console) -> filter(syslog) -> void
>>
>> The filter receives messages only after destination, if you switch filter and destination it should be fine.
>>
>> --
>> kokan
Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.

On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
> You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
Can you start syslog-ng in the foreground and look at the startup messages? E.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:

# /usr/sbin/syslog-ng -Fedv

This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.

Cheers,
Bazsi

On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> wrote:
> Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.
-- Bazsi
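Pulling the advice in this thread together, here is an added example of what the configuration looks like with both points applied: the filter placed before the destination in every log statement (Peter's point, since syslog-ng runs the elements of a log path in the order they are written), and every log statement closed with `};` (the stray `)` Balazs spotted). This is not Dan's configuration and not anything the syslog-ng project ships. One further change is an assumption of mine rather than a diagnosis from the thread: `facility("AUTH") and level("INFO")` only matches messages logged at exactly that facility and priority, so which sshd lines it catches depends on the `SyslogFacility` setting in sshd_config and on the priority of each individual message; any sshd line logged at another priority does not match, is therefore not stopped by `flags(final)`, and falls through to the catch-all paths. Matching on `program("sshd")` sidesteps that. The `f_`/`d_` names are mine; the samba filter is kept as posted.

```syslog-ng
@version: 3.30
@include "scl.conf"

options {
  threaded(yes);
  chain_hostnames(no);
  stats_freq(43200);
  mark_freq(3600);
};

source src { system(); internal(); };

# Assumption (not from the thread): match sshd by program name so that
# every sshd line is caught regardless of the facility/priority it uses.
filter f_sshd  { program("sshd"); };
filter f_samba { program("samba"); };
# Catch-all for everything the dedicated paths do not claim.
filter f_rest  { not filter(f_sshd) and not filter(f_samba); };

destination d_console  { file("/dev/tty12"); };
destination d_messages { file("/var/log/messages"); };
destination d_sshd     { file("/var/log/sshd/sshd.log"); };
destination d_samba    { file("/var/log/samba/samba.log"); };

# Filter first, destination second: a destination placed before the
# filter receives every message from the source.
# flags(final) marks a matched message as finished, so the log
# statements below never see it. Every statement ends with "};".
log { source(src); filter(f_samba); destination(d_samba); flags(final); };
log { source(src); filter(f_sshd);  destination(d_sshd);  flags(final); };

# Catch-all paths last. f_rest is redundant with flags(final) for
# messages the dedicated paths matched, but it still protects the
# catch-all if a path above is later edited and loses its flag.
log { source(src); filter(f_rest); destination(d_console); };
log { source(src); filter(f_rest); destination(d_messages); };
```

Before reloading, `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (`--syntax-only`) parses the file without starting the daemon and reports parse errors such as an unbalanced `)`, which is the check that would have flagged the typo in the thread; `syslog-ng -Fedv`, as suggested above, then shows the live startup messages once the file parses cleanly.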
Syslog-ng is NOT complaining about my config at all. I've included the output from the -Fedv below. Other than what I would call "routine" errors in the scl section, no complaints.

---------------------------------
[2021-04-07T11:52:21.151347] Processing @include statement; filename='scl.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
[2021-04-07T11:52:21.151420] Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1'
[2021-04-07T11:52:21.151596] Module loaded and initialized successfully; module='appmodel'
[2021-04-07T11:52:21.151612] Processing @include statement; filename='scl/*/*.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
[2021-04-07T11:52:21.151782] Adding include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2'
[2021-04-07T11:52:21.151787] Adding include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2'
[2021-04-07T11:52:21.151790] Adding include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2'
[2021-04-07T11:52:21.151792] Adding include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2'
[2021-04-07T11:52:21.151794] Adding include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2'
[2021-04-07T11:52:21.151797] Adding include file; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2'
[2021-04-07T11:52:21.151799] Adding include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
[2021-04-07T11:52:21.151802] Adding include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2'
[2021-04-07T11:52:21.151804] Adding include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2'
[2021-04-07T11:52:21.151807] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2'
[2021-04-07T11:52:21.151809] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
[2021-04-07T11:52:21.151811] Adding include file; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2'
[2021-04-07T11:52:21.151814] Adding include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2'
[2021-04-07T11:52:21.151816] Adding include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
[2021-04-07T11:52:21.151819] Adding include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2'
[2021-04-07T11:52:21.151821] Adding include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2'
[2021-04-07T11:52:21.151824] Adding include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2'
[2021-04-07T11:52:21.151826] Adding include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2'
[2021-04-07T11:52:21.151906] Adding include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2'
[2021-04-07T11:52:21.151912] Adding include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
[2021-04-07T11:52:21.151915] Adding include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2'
[2021-04-07T11:52:21.151917] Adding include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'
[2021-04-07T11:52:21.151920] Adding include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2'
[2021-04-07T11:52:21.151922] Adding include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2'
[2021-04-07T11:52:21.151925] Adding include file; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2'
[2021-04-07T11:52:21.151933] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2'
[2021-04-07T11:52:21.151993] Reading path for candidate modules; path='/usr/lib64/syslog-ng'
[2021-04-07T11:52:21.152064] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libxml.so', module='xml'
[2021-04-07T11:52:21.152174] Registering candidate plugin; module='xml', context='parser', name='xml'
[2021-04-07T11:52:21.152200] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtags-parser.so', module='tags-parser'
[2021-04-07T11:52:21.152263] Registering candidate plugin; module='tags-parser', context='parser', name='tags-parser'
[2021-04-07T11:52:21.152277] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsystem-source.so', module='system-source'
[2021-04-07T11:52:21.152336] Registering candidate plugin; module='system-source', context='source', name='system'
[2021-04-07T11:52:21.152349] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsyslogformat.so', module='syslogformat'
[2021-04-07T11:52:21.152414] Registering candidate plugin; module='syslogformat', context='format', name='syslog'
[2021-04-07T11:52:21.152417] Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser'
[2021-04-07T11:52:21.152428] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libstardate.so', module='stardate'
[2021-04-07T11:52:21.152619] Registering candidate plugin; module='stardate', context='template-func', name='stardate'
[2021-04-07T11:52:21.152661] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsecure-logging.so', module='secure-logging'
[2021-04-07T11:52:21.152746] Registering candidate plugin; module='secure-logging', context='template-func', name='slog'
[2021-04-07T11:52:21.152760] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libpseudofile.so', module='pseudofile'
[2021-04-07T11:52:21.152832] Registering candidate plugin; module='pseudofile', context='destination', name='pseudofile'
[2021-04-07T11:52:21.152904] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libmap-value-pairs.so', module='map-value-pairs'
[2021-04-07T11:52:21.152989] Registering candidate plugin; module='map-value-pairs', context='parser', name='map_value_pairs'
[2021-04-07T11:52:21.153005] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='liblinux-kmsg-format.so', module='linux-kmsg-format'
[2021-04-07T11:52:21.153170] Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg'
[2021-04-07T11:52:21.153191] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libkvformat.so', module='kvformat'
[2021-04-07T11:52:21.153261] Registering candidate plugin; module='kvformat', context='parser', name='kv-parser'
[2021-04-07T11:52:21.153265] Registering candidate plugin; module='kvformat', context='parser', name='linux-audit-parser'
[2021-04-07T11:52:21.153268] Registering candidate plugin; module='kvformat', context='template-func', name='format-welf'
[2021-04-07T11:52:21.153279] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libhook-commands.so', module='hook-commands'
[2021-04-07T11:52:21.153339] Registering candidate plugin; module='hook-commands', context='inner-dest', name='hook-commands'
[2021-04-07T11:52:21.153343] Registering candidate plugin; module='hook-commands', context='inner-src', name='hook-commands'
[2021-04-07T11:52:21.153355] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libgraphite.so', module='graphite'
[2021-04-07T11:52:21.153408] Registering candidate plugin; module='graphite', context='template-func', name='graphite_output'
[2021-04-07T11:52:21.153418] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtfgetent.so', module='tfgetent'
[2021-04-07T11:52:21.153468] Registering candidate plugin; module='tfgetent', context='template-func', name='getent'
[2021-04-07T11:52:21.153479] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libexamples.so', module='examples'
[2021-04-07T11:52:21.153646] Registering candidate plugin; module='examples', context='source', name='example_msg_generator'
[2021-04-07T11:52:21.153654] Registering candidate plugin; module='examples', context='source', name='example_random_generator'
[2021-04-07T11:52:21.153660] Registering candidate plugin; module='examples', context='source', name='example_diskq_source'
[2021-04-07T11:52:21.153670] Registering candidate plugin; module='examples', context='inner-dest', name='http_test_slots'
[2021-04-07T11:52:21.153677] Registering candidate plugin; module='examples', context='destination', name='example_destination'
[2021-04-07T11:52:21.153722] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdisk-buffer.so', module='disk-buffer'
[2021-04-07T11:52:21.153825] Registering candidate plugin; module='disk-buffer', context='inner-dest', name='disk_buffer'
[2021-04-07T11:52:21.153846] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdbparser.so', module='dbparser'
[2021-04-07T11:52:21.154065] Registering candidate plugin; module='dbparser', context='parser', name='db-parser'
[2021-04-07T11:52:21.154076] Registering candidate plugin; module='dbparser', context='parser', name='grouping-by'
[2021-04-07T11:52:21.154100] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtimestamp.so', module='timestamp'
[2021-04-07T11:52:21.154260] Registering candidate plugin; module='timestamp', context='parser', name='date-parser'
[2021-04-07T11:52:21.154267] Registering candidate plugin; module='timestamp', context='rewrite', name='fix-time-zone'
[2021-04-07T11:52:21.154270] Registering candidate plugin; module='timestamp', context='rewrite', name='set-time-zone'
[2021-04-07T11:52:21.154279] Registering candidate plugin; module='timestamp', context='rewrite', name='guess-time-zone'
[2021-04-07T11:52:21.154296] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcsvparser.so', module='csvparser'
[2021-04-07T11:52:21.154366] Registering candidate plugin; module='csvparser', context='parser', name='csv-parser'
[2021-04-07T11:52:21.154381] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcryptofuncs.so', module='cryptofuncs'
[2021-04-07T11:52:21.154452] Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid'
[2021-04-07T11:52:21.154459] Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash'
[2021-04-07T11:52:21.154657] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1'
[2021-04-07T11:52:21.154662] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256'
[2021-04-07T11:52:21.154665] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512'
[2021-04-07T11:52:21.154667] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4'
[2021-04-07T11:52:21.154673] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5'
[2021-04-07T11:52:21.154689] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libconfgen.so', module='confgen'
[2021-04-07T11:52:21.154788] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcef.so', module='cef'
[2021-04-07T11:52:21.154912] Registering candidate plugin; module='cef', context='template-func', name='format-cef-extension'
[2021-04-07T11:52:21.154935] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libbasicfuncs.so', module='basicfuncs'
[2021-04-07T11:52:21.155134] Registering candidate plugin; module='basicfuncs', context='template-func', name='grep'
[2021-04-07T11:52:21.155142] Registering candidate plugin; module='basicfuncs', context='template-func', name='if'
[2021-04-07T11:52:21.155145] Registering candidate plugin; module='basicfuncs', context='template-func', name='or'
[2021-04-07T11:52:21.155148] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-lookup'
[2021-04-07T11:52:21.155150] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length'
[2021-04-07T11:52:21.155156] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-values'
[2021-04-07T11:52:21.155158] Registering candidate plugin; module='basicfuncs', context='template-func', name='echo'
[2021-04-07T11:52:21.155165] Registering candidate plugin; module='basicfuncs', context='template-func', name='length'
[2021-04-07T11:52:21.155171] Registering candidate plugin; module='basicfuncs', context='template-func', name='substr'
[2021-04-07T11:52:21.155173] Registering candidate plugin; module='basicfuncs', context='template-func', name='strip'
[2021-04-07T11:52:21.155176] Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize'
[2021-04-07T11:52:21.155178] Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase'
[2021-04-07T11:52:21.155180] Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase'
[2021-04-07T11:52:21.155183] Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter'
[2021-04-07T11:52:21.155185] Registering candidate plugin; module='basicfuncs', context='template-func', name='padding'
[2021-04-07T11:52:21.155201] Registering candidate plugin; module='basicfuncs', context='template-func', name='binary'
[2021-04-07T11:52:21.155204] Registering candidate plugin; module='basicfuncs', context='template-func', name='implode'
[2021-04-07T11:52:21.155207] Registering candidate plugin; module='basicfuncs', context='template-func', name='explode'
[2021-04-07T11:52:21.155209] Registering candidate plugin; module='basicfuncs', context='template-func', name='dirname'
[2021-04-07T11:52:21.155214] Registering candidate plugin; module='basicfuncs', context='template-func', name='basename'
[2021-04-07T11:52:21.155217] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-concat'
[2021-04-07T11:52:21.155219] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-head'
[2021-04-07T11:52:21.155222] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-nth'
[2021-04-07T11:52:21.155224] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-tail'
[2021-04-07T11:52:21.155227] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-slice'
[2021-04-07T11:52:21.155230] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-count'
[2021-04-07T11:52:21.155232] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-append'
[2021-04-07T11:52:21.155234] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-search'
[2021-04-07T11:52:21.155237] Registering candidate plugin; module='basicfuncs', context='template-func', name='+'
[2021-04-07T11:52:21.155239] Registering candidate plugin; module='basicfuncs', context='template-func', name='-'
[2021-04-07T11:52:21.155241] Registering candidate plugin; module='basicfuncs', context='template-func', name='*'
[2021-04-07T11:52:21.155243] Registering candidate plugin; module='basicfuncs', context='template-func', name='/'
[2021-04-07T11:52:21.155245] Registering candidate plugin; module='basicfuncs', context='template-func', name='%'
[2021-04-07T11:52:21.155248] Registering candidate plugin; module='basicfuncs', context='template-func', name='sum'
[2021-04-07T11:52:21.155255] Registering candidate plugin; module='basicfuncs', context='template-func', name='min'
[2021-04-07T11:52:21.155257] Registering candidate plugin; module='basicfuncs', context='template-func', name='max'
[2021-04-07T11:52:21.155259] Registering candidate plugin; module='basicfuncs', context='template-func', name='average'
[2021-04-07T11:52:21.155261] Registering candidate plugin; module='basicfuncs', context='template-func', name='round'
[2021-04-07T11:52:21.155267] Registering candidate plugin; module='basicfuncs', context='template-func', name='ceil'
[2021-04-07T11:52:21.155272] Registering candidate plugin; module='basicfuncs', context='template-func', name='floor'
[2021-04-07T11:52:21.155275] Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int'
[2021-04-07T11:52:21.155277] Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line'
[2021-04-07T11:52:21.155279] Registering candidate plugin; module='basicfuncs', context='template-func', name='dns-resolve-ip'
[2021-04-07T11:52:21.155281] Registering candidate plugin; module='basicfuncs', context='template-func', name='env'
[2021-04-07T11:52:21.155284] Registering candidate plugin; module='basicfuncs', context='template-func', name='template'
[2021-04-07T11:52:21.155286] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-encode'
[2021-04-07T11:52:21.155288] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-decode'
[2021-04-07T11:52:21.155291] Registering candidate plugin; module='basicfuncs', context='template-func', name='base64-encode'
[2021-04-07T11:52:21.155294] Registering candidate plugin; module='basicfuncs', context='template-func', name='iterate'
[2021-04-07T11:52:21.155297] Registering candidate plugin;
module='basicfuncs', context='template-func', name='map' [2021-04-07T11:52:21.155300] Registering candidate plugin; module='basicfuncs', context='template-func', name='filter' [2021-04-07T11:52:21.155330] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libazure-auth-header.so', module='azure-auth-header' [2021-04-07T11:52:21.155422] Registering candidate plugin; module='azure-auth-header', context='inner-dest', name='azure-auth-header' [2021-04-07T11:52:21.155440] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libappmodel.so', module='appmodel' [2021-04-07T11:52:21.155445] Registering candidate plugin; module='appmodel', context='root', name='application' [2021-04-07T11:52:21.155448] Registering candidate plugin; module='appmodel', context='parser', name='app-parser' [2021-04-07T11:52:21.155450] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafuser.so', module='afuser' [2021-04-07T11:52:21.155549] Registering candidate plugin; module='afuser', context='destination', name='usertty' [2021-04-07T11:52:21.155565] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafstomp.so', module='afstomp' [2021-04-07T11:52:21.155641] Registering candidate plugin; module='afstomp', context='destination', name='stomp' [2021-04-07T11:52:21.155653] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafsocket.so', module='afsocket' [2021-04-07T11:52:21.155816] Registering candidate plugin; module='afsocket', context='source', name='unix-stream' [2021-04-07T11:52:21.155821] Registering candidate plugin; module='afsocket', context='destination', name='unix-stream' [2021-04-07T11:52:21.155824] Registering candidate plugin; module='afsocket', context='source', name='unix-dgram' [2021-04-07T11:52:21.155827] Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram' 
[2021-04-07T11:52:21.155829] Registering candidate plugin; module='afsocket', context='source', name='tcp' [2021-04-07T11:52:21.155832] Registering candidate plugin; module='afsocket', context='destination', name='tcp' [2021-04-07T11:52:21.155834] Registering candidate plugin; module='afsocket', context='source', name='tcp6' [2021-04-07T11:52:21.155837] Registering candidate plugin; module='afsocket', context='destination', name='tcp6' [2021-04-07T11:52:21.155839] Registering candidate plugin; module='afsocket', context='source', name='udp' [2021-04-07T11:52:21.155841] Registering candidate plugin; module='afsocket', context='destination', name='udp' [2021-04-07T11:52:21.155844] Registering candidate plugin; module='afsocket', context='source', name='udp6' [2021-04-07T11:52:21.155846] Registering candidate plugin; module='afsocket', context='destination', name='udp6' [2021-04-07T11:52:21.155857] Registering candidate plugin; module='afsocket', context='source', name='syslog' [2021-04-07T11:52:21.155860] Registering candidate plugin; module='afsocket', context='destination', name='syslog' [2021-04-07T11:52:21.155863] Registering candidate plugin; module='afsocket', context='source', name='network' [2021-04-07T11:52:21.155865] Registering candidate plugin; module='afsocket', context='destination', name='network' [2021-04-07T11:52:21.155867] Registering candidate plugin; module='afsocket', context='source', name='systemd-syslog' [2021-04-07T11:52:21.155886] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafprog.so', module='afprog' [2021-04-07T11:52:21.155979] Registering candidate plugin; module='afprog', context='source', name='program' [2021-04-07T11:52:21.155986] Registering candidate plugin; module='afprog', context='destination', name='program' [2021-04-07T11:52:21.156000] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libaffile.so', module='affile' [2021-04-07T11:52:21.156140] Registering 
candidate plugin; module='affile', context='source', name='file' [2021-04-07T11:52:21.156176] Registering candidate plugin; module='affile', context='source', name='pipe' [2021-04-07T11:52:21.156181] Registering candidate plugin; module='affile', context='source', name='wildcard_file' [2021-04-07T11:52:21.156184] Registering candidate plugin; module='affile', context='source', name='stdin' [2021-04-07T11:52:21.156187] Registering candidate plugin; module='affile', context='destination', name='file' [2021-04-07T11:52:21.156189] Registering candidate plugin; module='affile', context='destination', name='pipe' [2021-04-07T11:52:21.156209] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libadd-contextual-data.so', module='add-contextual-data' [2021-04-07T11:52:21.156308] Registering candidate plugin; module='add-contextual-data', context='parser', name='add_contextual_data' [2021-04-07T11:52:21.156434] Finishing include; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.156450] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156674] Finishing include; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156687] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156832] Finishing include; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156841] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156931] Finishing include; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156943] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157022] 
Finishing include; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157029] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157074] Finishing include; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157078] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157107] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1' [2021-04-07T11:52:21.157109] Finishing include; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157114] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157173] Finishing include; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157179] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157232] Finishing include; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157236] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157262] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1' [2021-04-07T11:52:21.157264] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157269] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157309] Global value changed; define='kafka-implementation', value='kafka-java' 
[2021-04-07T11:52:21.157328] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157336] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157375] Finishing include; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157379] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157493] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.157512] Finishing include; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157519] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157559] Finishing include; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157565] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157597] Included file was skipped because of a missing module; module='pacctformat', location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1' [2021-04-07T11:52:21.157600] Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157605] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157905] Finishing include; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157919] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.157969] Global value changed; define='balabit.credit-card-regexp', 
value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})' [2021-04-07T11:52:21.157998] Finishing include; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.158007] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158073] Finishing include; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158079] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158120] Finishing include; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158131] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161593] Finishing include; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161620] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161724] Finishing include; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161729] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161803] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.161808] Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161815] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161853] Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161860] Starting to read include 
file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161951] Finishing include; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161964] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162008] Finishing include; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162024] Global value changed; define='java-module-dir', value='/usr/lib64/syslog-ng/java-modules' [2021-04-07T11:52:21.162028] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.162157] Module loaded and initialized successfully; module='system-source' [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log device; device='/dev/kmsg', format='linux-kmsg' [2021-04-07T11:52:21.162403] Module loaded and initialized successfully; module='afsocket' [2021-04-07T11:52:21.162936] Module loaded and initialized successfully; module='affile' [2021-04-07T11:52:21.163175] Module loaded and initialized successfully; module='kvformat' [2021-04-07T11:52:21.163192] Finishing include; content='block parser iptables-parser() at /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23', depth='3' [2021-04-07T11:52:21.163568] Module loaded and initialized successfully; module='csvparser' [2021-04-07T11:52:21.164457] Finishing include; content='block parser panos-parser() at /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29', depth='3' [2021-04-07T11:52:21.164880] Module loaded and initialized successfully; module='basicfuncs' [2021-04-07T11:52:21.164936] Finishing include; content='block parser sudo-parser() at /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23', depth='3' [2021-04-07T11:52:21.164995] Finishing include; content='parser generator app-parser', depth='2' [2021-04-07T11:52:21.165016] Finishing include; content='source generator 
[2021-04-07T11:52:21.165525] Module loaded and initialized successfully; module='syslogformat'
[2021-04-07T11:52:21.165711] Module loaded and initialized successfully; module='linux-kmsg-format'
[2021-04-07T11:52:21.165966] Running application hooks; hook='1'
[2021-04-07T11:52:21.165971] Running application hooks; hook='6'
[2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1'
[2021-04-07T11:52:21.165989] Running application hooks; hook='2'
[2021-04-07T11:52:39.961046] Running application hooks; hook='3'
[2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1'
[2021-04-07T11:52:40.061679] Running application hooks; hook='4'
-----------------------------------------------------------------------------
On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
can you start syslog-ng in the foreground and look at the startup messages?
e.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:
# /usr/sbin/syslog-ng -Fedv
This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.
Cheers, Bazsi
On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> wrote:
Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.
On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> <mailto:dan@newideatest.site> wrote:
No joy. I tried swapping it different ways.
filter -> source -> destination = combined
source -> filter -> destination = combined
Here's what my config looks like now, after the second variant:
@version: 3.30
@include "scl.conf"
options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };
source src { system(); internal(); };
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); filter(samba); destination(smb_logs); flags(final); );
You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
Still, sshd messages are appearing in /var/log/messages.
On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> Hello,
>
> The order in the configuration matters.
> log { source(src); destination(console); filter(syslog); };
> The message flow is the following in your example
> source(src) -> destination(console) -> filter(syslog) -> void
> The filter receives messages only after destination, if you switch filter and destination it should be fine.
>
> --
> kokan
>
> ________________________________________
> From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dan Egli <dan@newideatest.site>
> Sent: 07 April 2021 07:17
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng] Syslog-ng not honoring negative flag
-- Bazsi
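As an added illustration of the two mechanisms this thread turns on, element order inside a log statement and flags(final), here is a small model of log-path evaluation. It is example code written for this page, not syslog-ng's own code; the Msg, LogPath and route names and the sample messages are constructed, and the filter and destination definitions are the ones from Dan's configuration.

```python
# Added example (written for this page, not syslog-ng's own code): a small
# model of how a syslog-ng log path evaluates its elements in the order they
# are written, showing the two points raised in this thread: a destination
# placed before a filter receives every message, and flags(final) stops later
# paths only for messages that actually passed the whole path. Msg, LogPath,
# route and the sample messages are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Msg:
    program: str
    facility: str
    level: str
    text: str

Pred = Callable[[Msg], bool]

# Filter primitives mirroring program()/facility()/level() and the and/not
# operators used in the configuration (names compared case-insensitively here).
def program(name: str) -> Pred:
    # must equal the PROGRAM field the daemon itself puts in the message
    return lambda m: m.program == name

def facility(name: str) -> Pred:
    return lambda m: m.facility.lower() == name.lower()

def level(name: str) -> Pred:
    return lambda m: m.level.lower() == name.lower()

def f_and(a: Pred, b: Pred) -> Pred:
    return lambda m: a(m) and b(m)

def f_not(a: Pred) -> Pred:
    return lambda m: not a(m)

@dataclass
class LogPath:
    # ordered ("filter", pred) / ("destination", name) elements of a log {} block
    elements: List[Tuple[str, object]]
    final: bool = False  # flags(final)

def route(paths: List[LogPath], msgs: List[Msg]) -> Dict[str, List[str]]:
    """Push msgs through paths in order; return {destination: [delivered texts]}."""
    delivered: Dict[str, List[str]] = {}
    for m in msgs:
        for path in paths:
            passed = True
            for kind, arg in path.elements:
                if kind == "filter":
                    if not arg(m):  # rejected: later elements never see it
                        passed = False
                        break
                elif kind == "destination":
                    delivered.setdefault(arg, []).append(m.text)
            if passed and path.final:  # final only for messages that got through
                break
    return delivered

# The three filters from the thread's configuration.
samba = program("samba")
ssh_messages = f_and(facility("AUTH"), level("INFO"))
syslog = f_and(f_not(ssh_messages), f_not(samba))

def corrected_paths() -> List[LogPath]:
    """Filter before destination, the order recommended in the thread."""
    return [
        LogPath([("filter", samba), ("destination", "/var/log/samba/samba.log")], final=True),
        LogPath([("filter", ssh_messages), ("destination", "/var/log/sshd/sshd.log")], final=True),
        LogPath([("filter", syslog), ("destination", "/dev/tty12")]),
        LogPath([("filter", syslog), ("destination", "/var/log/messages")]),
    ]

def misordered_paths() -> List[LogPath]:
    """Destination before filter, the order in the original post."""
    return [
        LogPath([("destination", "/var/log/samba/samba.log"), ("filter", samba)], final=True),
        LogPath([("destination", "/var/log/sshd/sshd.log"), ("filter", ssh_messages)], final=True),
        LogPath([("destination", "/dev/tty12"), ("filter", syslog)]),
        LogPath([("destination", "/var/log/messages"), ("filter", syslog)]),
    ]

# Constructed sample messages: one samba, one sshd (auth.info), one kernel.
SAMPLE = [
    Msg("samba", "daemon", "info", "smbd: connect to service share"),
    Msg("sshd", "auth", "info", "sshd: Accepted publickey for alice"),
    Msg("kernel", "kern", "warning", "kernel: link is down"),
]

if __name__ == "__main__":
    for label, paths in (("corrected", corrected_paths()),
                         ("misordered", misordered_paths())):
        print(f"== {label} ==")
        for dest, texts in sorted(route(paths, SAMPLE).items()):
            print(f"  {dest}: {texts}")
```

Note that ssh_messages keys on facility and level rather than program, so sshd lines logged elsewhere (for instance PAM session messages, which Linux-PAM emits at the authpriv facility) do not match it and fall through to /var/log/messages, while any other program logging at auth.info is swallowed by the final sshd path. In this model neither element order sends the auth.info sample line to /var/log/messages, which is consistent with Bazsi's point that a config file with a syntax error would not have been loaded at all.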
Hello Dan,

I believe that Bazsi (Balázs) wasn't really looking for the startup messages about the config being parsed, but instead about the debug/trace output of the log processing pipeline. There he would be able to check which filters were run against a certain message (its actual content too), and what result those filters returned. I think that's what he's primarily after.

Best Regards,
János

--
Janos SZIGETVARI
RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
Web: janos.szigetvari.com

Dan Egli <dan@newideatest.site> wrote (on Wed, 7 Apr 2021, 20:02):
Syslog-ng is NOT complaining about my config at all. I've included the output from the -Fedv below. Other than what I would call "routine" errors in the scl section, no complaints.
Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libexamples.so', module='examples' [2021-04-07T11:52:21.153646] Registering candidate plugin; module='examples', context='source', name='example_msg_generator' [2021-04-07T11:52:21.153654] Registering candidate plugin; module='examples', context='source', name='example_random_generator' [2021-04-07T11:52:21.153660] Registering candidate plugin; module='examples', context='source', name='example_diskq_source' [2021-04-07T11:52:21.153670] Registering candidate plugin; module='examples', context='inner-dest', name='http_test_slots' [2021-04-07T11:52:21.153677] Registering candidate plugin; module='examples', context='destination', name='example_destination' [2021-04-07T11:52:21.153722] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdisk-buffer.so', module='disk-buffer' [2021-04-07T11:52:21.153825] Registering candidate plugin; module='disk-buffer', context='inner-dest', name='disk_buffer' [2021-04-07T11:52:21.153846] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdbparser.so', module='dbparser' [2021-04-07T11:52:21.154065] Registering candidate plugin; module='dbparser', context='parser', name='db-parser' [2021-04-07T11:52:21.154076] Registering candidate plugin; module='dbparser', context='parser', name='grouping-by' [2021-04-07T11:52:21.154100] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtimestamp.so', module='timestamp' [2021-04-07T11:52:21.154260] Registering candidate plugin; module='timestamp', context='parser', name='date-parser' [2021-04-07T11:52:21.154267] Registering candidate plugin; module='timestamp', context='rewrite', name='fix-time-zone' [2021-04-07T11:52:21.154270] Registering candidate plugin; module='timestamp', context='rewrite', name='set-time-zone' [2021-04-07T11:52:21.154279] Registering candidate plugin; module='timestamp', context='rewrite', 
name='guess-time-zone' [2021-04-07T11:52:21.154296] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcsvparser.so', module='csvparser' [2021-04-07T11:52:21.154366] Registering candidate plugin; module='csvparser', context='parser', name='csv-parser' [2021-04-07T11:52:21.154381] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcryptofuncs.so', module='cryptofuncs' [2021-04-07T11:52:21.154452] Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid' [2021-04-07T11:52:21.154459] Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash' [2021-04-07T11:52:21.154657] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1' [2021-04-07T11:52:21.154662] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256' [2021-04-07T11:52:21.154665] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512' [2021-04-07T11:52:21.154667] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4' [2021-04-07T11:52:21.154673] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5' [2021-04-07T11:52:21.154689] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libconfgen.so', module='confgen' [2021-04-07T11:52:21.154788] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcef.so', module='cef' [2021-04-07T11:52:21.154912] Registering candidate plugin; module='cef', context='template-func', name='format-cef-extension' [2021-04-07T11:52:21.154935] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libbasicfuncs.so', module='basicfuncs' [2021-04-07T11:52:21.155134] Registering candidate plugin; module='basicfuncs', context='template-func', name='grep' [2021-04-07T11:52:21.155142] Registering candidate plugin; 
module='basicfuncs', context='template-func', name='if' [2021-04-07T11:52:21.155145] Registering candidate plugin; module='basicfuncs', context='template-func', name='or' [2021-04-07T11:52:21.155148] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-lookup' [2021-04-07T11:52:21.155150] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length' [2021-04-07T11:52:21.155156] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-values' [2021-04-07T11:52:21.155158] Registering candidate plugin; module='basicfuncs', context='template-func', name='echo' [2021-04-07T11:52:21.155165] Registering candidate plugin; module='basicfuncs', context='template-func', name='length' [2021-04-07T11:52:21.155171] Registering candidate plugin; module='basicfuncs', context='template-func', name='substr' [2021-04-07T11:52:21.155173] Registering candidate plugin; module='basicfuncs', context='template-func', name='strip' [2021-04-07T11:52:21.155176] Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize' [2021-04-07T11:52:21.155178] Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase' [2021-04-07T11:52:21.155180] Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase' [2021-04-07T11:52:21.155183] Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter' [2021-04-07T11:52:21.155185] Registering candidate plugin; module='basicfuncs', context='template-func', name='padding' [2021-04-07T11:52:21.155201] Registering candidate plugin; module='basicfuncs', context='template-func', name='binary' [2021-04-07T11:52:21.155204] Registering candidate plugin; module='basicfuncs', context='template-func', name='implode' [2021-04-07T11:52:21.155207] Registering candidate plugin; module='basicfuncs', context='template-func', name='explode' 
[2021-04-07T11:52:21.155209] Registering candidate plugin; module='basicfuncs', context='template-func', name='dirname' [2021-04-07T11:52:21.155214] Registering candidate plugin; module='basicfuncs', context='template-func', name='basename' [2021-04-07T11:52:21.155217] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-concat' [2021-04-07T11:52:21.155219] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-head' [2021-04-07T11:52:21.155222] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-nth' [2021-04-07T11:52:21.155224] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-tail' [2021-04-07T11:52:21.155227] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-slice' [2021-04-07T11:52:21.155230] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-count' [2021-04-07T11:52:21.155232] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-append' [2021-04-07T11:52:21.155234] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-search' [2021-04-07T11:52:21.155237] Registering candidate plugin; module='basicfuncs', context='template-func', name='+' [2021-04-07T11:52:21.155239] Registering candidate plugin; module='basicfuncs', context='template-func', name='-' [2021-04-07T11:52:21.155241] Registering candidate plugin; module='basicfuncs', context='template-func', name='*' [2021-04-07T11:52:21.155243] Registering candidate plugin; module='basicfuncs', context='template-func', name='/' [2021-04-07T11:52:21.155245] Registering candidate plugin; module='basicfuncs', context='template-func', name='%' [2021-04-07T11:52:21.155248] Registering candidate plugin; module='basicfuncs', context='template-func', name='sum' [2021-04-07T11:52:21.155255] Registering candidate plugin; module='basicfuncs', 
context='template-func', name='min' [2021-04-07T11:52:21.155257] Registering candidate plugin; module='basicfuncs', context='template-func', name='max' [2021-04-07T11:52:21.155259] Registering candidate plugin; module='basicfuncs', context='template-func', name='average' [2021-04-07T11:52:21.155261] Registering candidate plugin; module='basicfuncs', context='template-func', name='round' [2021-04-07T11:52:21.155267] Registering candidate plugin; module='basicfuncs', context='template-func', name='ceil' [2021-04-07T11:52:21.155272] Registering candidate plugin; module='basicfuncs', context='template-func', name='floor' [2021-04-07T11:52:21.155275] Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int' [2021-04-07T11:52:21.155277] Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line' [2021-04-07T11:52:21.155279] Registering candidate plugin; module='basicfuncs', context='template-func', name='dns-resolve-ip' [2021-04-07T11:52:21.155281] Registering candidate plugin; module='basicfuncs', context='template-func', name='env' [2021-04-07T11:52:21.155284] Registering candidate plugin; module='basicfuncs', context='template-func', name='template' [2021-04-07T11:52:21.155286] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-encode' [2021-04-07T11:52:21.155288] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-decode' [2021-04-07T11:52:21.155291] Registering candidate plugin; module='basicfuncs', context='template-func', name='base64-encode' [2021-04-07T11:52:21.155294] Registering candidate plugin; module='basicfuncs', context='template-func', name='iterate' [2021-04-07T11:52:21.155297] Registering candidate plugin; module='basicfuncs', context='template-func', name='map' [2021-04-07T11:52:21.155300] Registering candidate plugin; module='basicfuncs', context='template-func', name='filter' [2021-04-07T11:52:21.155330] 
Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libazure-auth-header.so', module='azure-auth-header' [2021-04-07T11:52:21.155422] Registering candidate plugin; module='azure-auth-header', context='inner-dest', name='azure-auth-header' [2021-04-07T11:52:21.155440] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libappmodel.so', module='appmodel' [2021-04-07T11:52:21.155445] Registering candidate plugin; module='appmodel', context='root', name='application' [2021-04-07T11:52:21.155448] Registering candidate plugin; module='appmodel', context='parser', name='app-parser' [2021-04-07T11:52:21.155450] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafuser.so', module='afuser' [2021-04-07T11:52:21.155549] Registering candidate plugin; module='afuser', context='destination', name='usertty' [2021-04-07T11:52:21.155565] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafstomp.so', module='afstomp' [2021-04-07T11:52:21.155641] Registering candidate plugin; module='afstomp', context='destination', name='stomp' [2021-04-07T11:52:21.155653] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafsocket.so', module='afsocket' [2021-04-07T11:52:21.155816] Registering candidate plugin; module='afsocket', context='source', name='unix-stream' [2021-04-07T11:52:21.155821] Registering candidate plugin; module='afsocket', context='destination', name='unix-stream' [2021-04-07T11:52:21.155824] Registering candidate plugin; module='afsocket', context='source', name='unix-dgram' [2021-04-07T11:52:21.155827] Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram' [2021-04-07T11:52:21.155829] Registering candidate plugin; module='afsocket', context='source', name='tcp' [2021-04-07T11:52:21.155832] Registering candidate plugin; module='afsocket', context='destination', name='tcp' 
[2021-04-07T11:52:21.155834] Registering candidate plugin; module='afsocket', context='source', name='tcp6' [2021-04-07T11:52:21.155837] Registering candidate plugin; module='afsocket', context='destination', name='tcp6' [2021-04-07T11:52:21.155839] Registering candidate plugin; module='afsocket', context='source', name='udp' [2021-04-07T11:52:21.155841] Registering candidate plugin; module='afsocket', context='destination', name='udp' [2021-04-07T11:52:21.155844] Registering candidate plugin; module='afsocket', context='source', name='udp6' [2021-04-07T11:52:21.155846] Registering candidate plugin; module='afsocket', context='destination', name='udp6' [2021-04-07T11:52:21.155857] Registering candidate plugin; module='afsocket', context='source', name='syslog' [2021-04-07T11:52:21.155860] Registering candidate plugin; module='afsocket', context='destination', name='syslog' [2021-04-07T11:52:21.155863] Registering candidate plugin; module='afsocket', context='source', name='network' [2021-04-07T11:52:21.155865] Registering candidate plugin; module='afsocket', context='destination', name='network' [2021-04-07T11:52:21.155867] Registering candidate plugin; module='afsocket', context='source', name='systemd-syslog' [2021-04-07T11:52:21.155886] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafprog.so', module='afprog' [2021-04-07T11:52:21.155979] Registering candidate plugin; module='afprog', context='source', name='program' [2021-04-07T11:52:21.155986] Registering candidate plugin; module='afprog', context='destination', name='program' [2021-04-07T11:52:21.156000] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libaffile.so', module='affile' [2021-04-07T11:52:21.156140] Registering candidate plugin; module='affile', context='source', name='file' [2021-04-07T11:52:21.156176] Registering candidate plugin; module='affile', context='source', name='pipe' [2021-04-07T11:52:21.156181] Registering 
candidate plugin; module='affile', context='source', name='wildcard_file' [2021-04-07T11:52:21.156184] Registering candidate plugin; module='affile', context='source', name='stdin' [2021-04-07T11:52:21.156187] Registering candidate plugin; module='affile', context='destination', name='file' [2021-04-07T11:52:21.156189] Registering candidate plugin; module='affile', context='destination', name='pipe' [2021-04-07T11:52:21.156209] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libadd-contextual-data.so', module='add-contextual-data' [2021-04-07T11:52:21.156308] Registering candidate plugin; module='add-contextual-data', context='parser', name='add_contextual_data' [2021-04-07T11:52:21.156434] Finishing include; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.156450] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156674] Finishing include; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156687] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156832] Finishing include; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156841] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156931] Finishing include; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156943] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157022] Finishing include; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157029] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157074] Finishing include; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157078] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157107] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1' [2021-04-07T11:52:21.157109] Finishing include; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157114] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157173] Finishing include; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157179] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157232] Finishing include; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157236] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157262] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1' [2021-04-07T11:52:21.157264] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157269] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157309] Global value changed; define='kafka-implementation', value='kafka-java' [2021-04-07T11:52:21.157328] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157336] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157375] Finishing include; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157379] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157493] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.157512] Finishing include; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157519] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157559] Finishing include; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157565] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157597] Included file was skipped because of a missing module; module='pacctformat', location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1' [2021-04-07T11:52:21.157600] Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157605] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157905] Finishing include; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157919] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.157969] Global value changed; define='balabit.credit-card-regexp', value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})' [2021-04-07T11:52:21.157998] Finishing include; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', 
depth='2' [2021-04-07T11:52:21.158007] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158073] Finishing include; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158079] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158120] Finishing include; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158131] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161593] Finishing include; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161620] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161724] Finishing include; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161729] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161803] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.161808] Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161815] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161853] Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161860] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161951] Finishing include; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161964] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162008] Finishing include; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162024] Global value changed; define='java-module-dir', value='/usr/lib64/syslog-ng/java-modules' [2021-04-07T11:52:21.162028] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.162157] Module loaded and initialized successfully; module='system-source' [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log device; device='/dev/kmsg', format='linux-kmsg' [2021-04-07T11:52:21.162403] Module loaded and initialized successfully; module='afsocket' [2021-04-07T11:52:21.162936] Module loaded and initialized successfully; module='affile' [2021-04-07T11:52:21.163175] Module loaded and initialized successfully; module='kvformat' [2021-04-07T11:52:21.163192] Finishing include; content='block parser iptables-parser() at /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23', depth='3' [2021-04-07T11:52:21.163568] Module loaded and initialized successfully; module='csvparser' [2021-04-07T11:52:21.164457] Finishing include; content='block parser panos-parser() at /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29', depth='3' [2021-04-07T11:52:21.164880] Module loaded and initialized successfully; module='basicfuncs' [2021-04-07T11:52:21.164936] Finishing include; content='block parser sudo-parser() at /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23', depth='3' [2021-04-07T11:52:21.164995] Finishing include; content='parser generator app-parser', depth='2' [2021-04-07T11:52:21.165016] Finishing include; content='source generator system', depth='1' [2021-04-07T11:52:21.165525] Module loaded and initialized successfully; module='syslogformat' [2021-04-07T11:52:21.165711] Module loaded and initialized successfully; module='linux-kmsg-format' [2021-04-07T11:52:21.165966] Running application 
hooks; hook='1' [2021-04-07T11:52:21.165971] Running application hooks; hook='6' [2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1' [2021-04-07T11:52:21.165989] Running application hooks; hook='2' [2021-04-07T11:52:39.961046] Running application hooks; hook='3' [2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1' [2021-04-07T11:52:40.061679] Running application hooks; hook='4'
-----------------------------------------------------------------------------
On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
can you start syslog-ng in the foreground and look at the startup messages?
e.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:
# /usr/sbin/syslog-ng -Fedv
This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.
Cheers, Bazsi
On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> wrote:
Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.
On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> wrote:
No joy. I tried swapping it different ways.
filter -> source -> destination = combined
source -> filter -> destination = combined
Here's what my config looks like now, after the second variant:
@version: 3.30
@include "scl.conf"
options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };
source src { system(); internal(); };
filter samba { program("samba"); }; filter ssh_messages { facility("AUTH") and level("INFO"); }; filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); }; destination messages { file("/var/log/messages"); }; destination sshd_log { file("/var/log/sshd/sshd.log"); }; destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); filter(samba); destination(smb_logs); flags(final); );
You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
Still, sshd messages are appearing in /var/log/messages.
On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
Hello,
The order in the configuration matters.
log { source(src); destination(console); filter(syslog); };
The message flow is the following in your example:
source(src) -> destination(console) -> filter(syslog) -> void
The filter receives messages only after the destination; if you switch filter and destination it should be fine.
-- kokan
________________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dan Egli <dan@newideatest.site> <dan@newideatest.site> Sent: 07 April 2021 07:17 To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] Syslog-ng not honoring negative flag
CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.
I'm having a bit of a problem and hope someone here can help. I'm trying to separate individual items into specific logs, i.e. ssh events in sshd.log, samba messages in samba.log, etc...
I managed to come up with filters that pull out the events I started with, and they are going into the correct log files. But they are ALSO going into /var/log/messages even though I specifically have a filter on that one that says not to include samba or sshd events. I'll copy my config file here. Hopefully someone can tell me what I did wrong.
Thanks!
--------------------------------------------- @version: 3.30
@include "scl.conf"
options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };
source src { system(); internal(); };
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); destination(smb_logs); filter(samba); flags(final); );
log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };
log { source(src); destination(console); filter(syslog); };
log { source(src); destination(messages); filter(syslog); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
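The configuration that the two replies above point towards (every element of a log path in pipeline order, filter before destination, and `};` closing every log statement), written out here as an added example; it is not anything posted in the thread. It keeps the original source, filter and destination names and paths. The `create_dirs()`, `perm()` and `dir_perm()` options on the sshd destination are my addition (the original config relies on /var/log/sshd already existing, and auth logs should not be world-readable), and the unquoted lowercase `facility(auth)`/`level(info)` spelling is the form the syslog-ng documentation uses for those filters.

```conf
@version: 3.30
@include "scl.conf"

options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };

source src { system(); internal(); };

# Filters are evaluated where they appear in the log path, so they must
# come before the destination they are meant to gate.
filter samba        { program("samba"); };
filter ssh_messages { facility(auth) and level(info); };
# Belt-and-braces: flags(final) below already stops matched messages,
# but negating the two filters keeps the catch-all correct even if a
# final path is later removed.
filter syslog       { not filter(samba) and not filter(ssh_messages); };

destination console  { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
# Added options: create the directory if missing, keep auth logs root-only.
destination sshd_log { file("/var/log/sshd/sshd.log" create_dirs(yes) dir_perm(0700) perm(0600)); };
destination smb_logs { file("/var/log/samba/samba.log" create_dirs(yes)); };

# Specific paths first. A message that passes the filter reaches the end of
# the path, is written, and flags(final) stops it from entering later paths.
# Note the closing "};" on every statement; a stray ")" is a syntax error.
log { source(src); filter(samba);        destination(smb_logs); flags(final); };
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };

# Catch-all paths for everything not claimed above.
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
```

Before reloading, check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` (`-s` for short); a running syslog-ng keeps serving its previous configuration when the new one fails to parse, which is the failure mode the reply above suspects, and a syntax check makes that visible instead of silent. To see which filters a particular message was run through, which is what the thread asks for next, run it in the foreground with `syslog-ng -Fevd --trace` and watch stderr while sending a test message with `logger -p auth.info "test"`.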
Okay. I captured a couple of minutes worth of syslog-ng running. It's too big to post (1.5MB) so I put it up on my web server. You can see it at: https://www.newideatest.site/syslog-out
On 4/7/2021 12:07 PM, SZIGETVÁRI János wrote:
Hello Dan,
I believe that Bazsi (Balázs) wasn't really looking for the startup messages about the config being parsed, but instead about the debug/trace output of the log processing pipeline. There he would be able to check which filters were run against a certain message (its actual content too), and what result those filters returned. I think that's what he's primarily after.
Best Regards, János -- Janos SZIGETVARI RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari <http://linkedin.com/in/janosszigetvari> Web: janos.szigetvari.com <https://janos.szigetvari.com>
__@__˚V˚ Make the switch to open (source) applications, protocols, formats now: - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice - msn -> jabber protocol (Pidgin, Google Talk) - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Dan Egli <dan@newideatest.site> wrote (on Wed, 7 Apr 2021, 20:02):
Syslog-ng is NOT complaining about my config at all. I've included the output from -Fedv below. Other than what I would call "routine" errors in the scl section, no complaints.
--------------------------------- [2021-04-07T11:52:21.151347] Processing @include statement; filename='scl.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include' [2021-04-07T11:52:21.151420] Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.151596] Module loaded and initialized successfully; module='appmodel' [2021-04-07T11:52:21.151612] Processing @include statement; filename='scl/*/*.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include' [2021-04-07T11:52:21.151782] Adding include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.151787] Adding include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.151790] Adding include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.151792] Adding include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.151794] Adding include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.151797] Adding include file; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.151799] Adding include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.151802] Adding include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.151804] Adding include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.151807] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.151809] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.151811] Adding include file; 
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.151814] Adding include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.151816] Adding include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.151819] Adding include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.151821] Adding include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.151824] Adding include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.151826] Adding include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.151906] Adding include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.151912] Adding include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.151915] Adding include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.151917] Adding include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.151920] Adding include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.151922] Adding include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.151925] Adding include file; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.151933] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.151993] Reading path for candidate modules; path='/usr/lib64/syslog-ng' [2021-04-07T11:52:21.152064] Reading 
shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libxml.so', module='xml' [2021-04-07T11:52:21.152174] Registering candidate plugin; module='xml', context='parser', name='xml' [2021-04-07T11:52:21.152200] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtags-parser.so', module='tags-parser' [2021-04-07T11:52:21.152263] Registering candidate plugin; module='tags-parser', context='parser', name='tags-parser' [2021-04-07T11:52:21.152277] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsystem-source.so', module='system-source' [2021-04-07T11:52:21.152336] Registering candidate plugin; module='system-source', context='source', name='system' [2021-04-07T11:52:21.152349] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsyslogformat.so', module='syslogformat' [2021-04-07T11:52:21.152414] Registering candidate plugin; module='syslogformat', context='format', name='syslog' [2021-04-07T11:52:21.152417] Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser' [2021-04-07T11:52:21.152428] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libstardate.so', module='stardate' [2021-04-07T11:52:21.152619] Registering candidate plugin; module='stardate', context='template-func', name='stardate' [2021-04-07T11:52:21.152661] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsecure-logging.so', module='secure-logging' [2021-04-07T11:52:21.152746] Registering candidate plugin; module='secure-logging', context='template-func', name='slog' [2021-04-07T11:52:21.152760] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libpseudofile.so', module='pseudofile' [2021-04-07T11:52:21.152832] Registering candidate plugin; module='pseudofile', context='destination', name='pseudofile' [2021-04-07T11:52:21.152904] Reading shared object 
for a candidate module; path='/usr/lib64/syslog-ng', fname='libmap-value-pairs.so', module='map-value-pairs' [2021-04-07T11:52:21.152989] Registering candidate plugin; module='map-value-pairs', context='parser', name='map_value_pairs' [2021-04-07T11:52:21.153005] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='liblinux-kmsg-format.so', module='linux-kmsg-format' [2021-04-07T11:52:21.153170] Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg' [2021-04-07T11:52:21.153191] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libkvformat.so', module='kvformat' [2021-04-07T11:52:21.153261] Registering candidate plugin; module='kvformat', context='parser', name='kv-parser' [2021-04-07T11:52:21.153265] Registering candidate plugin; module='kvformat', context='parser', name='linux-audit-parser' [2021-04-07T11:52:21.153268] Registering candidate plugin; module='kvformat', context='template-func', name='format-welf' [2021-04-07T11:52:21.153279] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libhook-commands.so', module='hook-commands' [2021-04-07T11:52:21.153339] Registering candidate plugin; module='hook-commands', context='inner-dest', name='hook-commands' [2021-04-07T11:52:21.153343] Registering candidate plugin; module='hook-commands', context='inner-src', name='hook-commands' [2021-04-07T11:52:21.153355] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libgraphite.so', module='graphite' [2021-04-07T11:52:21.153408] Registering candidate plugin; module='graphite', context='template-func', name='graphite_output' [2021-04-07T11:52:21.153418] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtfgetent.so', module='tfgetent' [2021-04-07T11:52:21.153468] Registering candidate plugin; module='tfgetent', context='template-func', name='getent' [2021-04-07T11:52:21.153479] 
Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libexamples.so', module='examples' [2021-04-07T11:52:21.153646] Registering candidate plugin; module='examples', context='source', name='example_msg_generator' [2021-04-07T11:52:21.153654] Registering candidate plugin; module='examples', context='source', name='example_random_generator' [2021-04-07T11:52:21.153660] Registering candidate plugin; module='examples', context='source', name='example_diskq_source' [2021-04-07T11:52:21.153670] Registering candidate plugin; module='examples', context='inner-dest', name='http_test_slots' [2021-04-07T11:52:21.153677] Registering candidate plugin; module='examples', context='destination', name='example_destination' [2021-04-07T11:52:21.153722] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdisk-buffer.so', module='disk-buffer' [2021-04-07T11:52:21.153825] Registering candidate plugin; module='disk-buffer', context='inner-dest', name='disk_buffer' [2021-04-07T11:52:21.153846] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdbparser.so', module='dbparser' [2021-04-07T11:52:21.154065] Registering candidate plugin; module='dbparser', context='parser', name='db-parser' [2021-04-07T11:52:21.154076] Registering candidate plugin; module='dbparser', context='parser', name='grouping-by' [2021-04-07T11:52:21.154100] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtimestamp.so', module='timestamp' [2021-04-07T11:52:21.154260] Registering candidate plugin; module='timestamp', context='parser', name='date-parser' [2021-04-07T11:52:21.154267] Registering candidate plugin; module='timestamp', context='rewrite', name='fix-time-zone' [2021-04-07T11:52:21.154270] Registering candidate plugin; module='timestamp', context='rewrite', name='set-time-zone' [2021-04-07T11:52:21.154279] Registering candidate plugin; module='timestamp', context='rewrite', 
name='guess-time-zone' [2021-04-07T11:52:21.154296] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcsvparser.so', module='csvparser' [2021-04-07T11:52:21.154366] Registering candidate plugin; module='csvparser', context='parser', name='csv-parser' [2021-04-07T11:52:21.154381] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcryptofuncs.so', module='cryptofuncs' [2021-04-07T11:52:21.154452] Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid' [2021-04-07T11:52:21.154459] Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash' [2021-04-07T11:52:21.154657] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1' [2021-04-07T11:52:21.154662] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256' [2021-04-07T11:52:21.154665] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512' [2021-04-07T11:52:21.154667] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4' [2021-04-07T11:52:21.154673] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5' [2021-04-07T11:52:21.154689] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libconfgen.so', module='confgen' [2021-04-07T11:52:21.154788] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcef.so', module='cef' [2021-04-07T11:52:21.154912] Registering candidate plugin; module='cef', context='template-func', name='format-cef-extension' [2021-04-07T11:52:21.154935] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libbasicfuncs.so', module='basicfuncs' [2021-04-07T11:52:21.155134] Registering candidate plugin; module='basicfuncs', context='template-func', name='grep' [2021-04-07T11:52:21.155142] Registering candidate plugin; 
module='basicfuncs', context='template-func', name='if' [2021-04-07T11:52:21.155145] Registering candidate plugin; module='basicfuncs', context='template-func', name='or' [2021-04-07T11:52:21.155148] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-lookup' [2021-04-07T11:52:21.155150] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length' [2021-04-07T11:52:21.155156] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-values' [2021-04-07T11:52:21.155158] Registering candidate plugin; module='basicfuncs', context='template-func', name='echo' [2021-04-07T11:52:21.155165] Registering candidate plugin; module='basicfuncs', context='template-func', name='length' [2021-04-07T11:52:21.155171] Registering candidate plugin; module='basicfuncs', context='template-func', name='substr' [2021-04-07T11:52:21.155173] Registering candidate plugin; module='basicfuncs', context='template-func', name='strip' [2021-04-07T11:52:21.155176] Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize' [2021-04-07T11:52:21.155178] Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase' [2021-04-07T11:52:21.155180] Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase' [2021-04-07T11:52:21.155183] Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter' [2021-04-07T11:52:21.155185] Registering candidate plugin; module='basicfuncs', context='template-func', name='padding' [2021-04-07T11:52:21.155201] Registering candidate plugin; module='basicfuncs', context='template-func', name='binary' [2021-04-07T11:52:21.155204] Registering candidate plugin; module='basicfuncs', context='template-func', name='implode' [2021-04-07T11:52:21.155207] Registering candidate plugin; module='basicfuncs', context='template-func', name='explode' 
[2021-04-07T11:52:21.155209] Registering candidate plugin; module='basicfuncs', context='template-func', name='dirname' [2021-04-07T11:52:21.155214] Registering candidate plugin; module='basicfuncs', context='template-func', name='basename' [2021-04-07T11:52:21.155217] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-concat' [2021-04-07T11:52:21.155219] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-head' [2021-04-07T11:52:21.155222] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-nth' [2021-04-07T11:52:21.155224] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-tail' [2021-04-07T11:52:21.155227] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-slice' [2021-04-07T11:52:21.155230] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-count' [2021-04-07T11:52:21.155232] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-append' [2021-04-07T11:52:21.155234] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-search' [2021-04-07T11:52:21.155237] Registering candidate plugin; module='basicfuncs', context='template-func', name='+' [2021-04-07T11:52:21.155239] Registering candidate plugin; module='basicfuncs', context='template-func', name='-' [2021-04-07T11:52:21.155241] Registering candidate plugin; module='basicfuncs', context='template-func', name='*' [2021-04-07T11:52:21.155243] Registering candidate plugin; module='basicfuncs', context='template-func', name='/' [2021-04-07T11:52:21.155245] Registering candidate plugin; module='basicfuncs', context='template-func', name='%' [2021-04-07T11:52:21.155248] Registering candidate plugin; module='basicfuncs', context='template-func', name='sum' [2021-04-07T11:52:21.155255] Registering candidate plugin; module='basicfuncs', 
context='template-func', name='min' [2021-04-07T11:52:21.155257] Registering candidate plugin; module='basicfuncs', context='template-func', name='max' [2021-04-07T11:52:21.155259] Registering candidate plugin; module='basicfuncs', context='template-func', name='average' [2021-04-07T11:52:21.155261] Registering candidate plugin; module='basicfuncs', context='template-func', name='round' [2021-04-07T11:52:21.155267] Registering candidate plugin; module='basicfuncs', context='template-func', name='ceil' [2021-04-07T11:52:21.155272] Registering candidate plugin; module='basicfuncs', context='template-func', name='floor' [2021-04-07T11:52:21.155275] Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int' [2021-04-07T11:52:21.155277] Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line' [2021-04-07T11:52:21.155279] Registering candidate plugin; module='basicfuncs', context='template-func', name='dns-resolve-ip' [2021-04-07T11:52:21.155281] Registering candidate plugin; module='basicfuncs', context='template-func', name='env' [2021-04-07T11:52:21.155284] Registering candidate plugin; module='basicfuncs', context='template-func', name='template' [2021-04-07T11:52:21.155286] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-encode' [2021-04-07T11:52:21.155288] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-decode' [2021-04-07T11:52:21.155291] Registering candidate plugin; module='basicfuncs', context='template-func', name='base64-encode' [2021-04-07T11:52:21.155294] Registering candidate plugin; module='basicfuncs', context='template-func', name='iterate' [2021-04-07T11:52:21.155297] Registering candidate plugin; module='basicfuncs', context='template-func', name='map' [2021-04-07T11:52:21.155300] Registering candidate plugin; module='basicfuncs', context='template-func', name='filter' [2021-04-07T11:52:21.155330] 
Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libazure-auth-header.so', module='azure-auth-header' [2021-04-07T11:52:21.155422] Registering candidate plugin; module='azure-auth-header', context='inner-dest', name='azure-auth-header' [2021-04-07T11:52:21.155440] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libappmodel.so', module='appmodel' [2021-04-07T11:52:21.155445] Registering candidate plugin; module='appmodel', context='root', name='application' [2021-04-07T11:52:21.155448] Registering candidate plugin; module='appmodel', context='parser', name='app-parser' [2021-04-07T11:52:21.155450] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafuser.so', module='afuser' [2021-04-07T11:52:21.155549] Registering candidate plugin; module='afuser', context='destination', name='usertty' [2021-04-07T11:52:21.155565] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafstomp.so', module='afstomp' [2021-04-07T11:52:21.155641] Registering candidate plugin; module='afstomp', context='destination', name='stomp' [2021-04-07T11:52:21.155653] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafsocket.so', module='afsocket' [2021-04-07T11:52:21.155816] Registering candidate plugin; module='afsocket', context='source', name='unix-stream' [2021-04-07T11:52:21.155821] Registering candidate plugin; module='afsocket', context='destination', name='unix-stream' [2021-04-07T11:52:21.155824] Registering candidate plugin; module='afsocket', context='source', name='unix-dgram' [2021-04-07T11:52:21.155827] Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram' [2021-04-07T11:52:21.155829] Registering candidate plugin; module='afsocket', context='source', name='tcp' [2021-04-07T11:52:21.155832] Registering candidate plugin; module='afsocket', context='destination', name='tcp' 
[2021-04-07T11:52:21.155834] Registering candidate plugin; module='afsocket', context='source', name='tcp6' [2021-04-07T11:52:21.155837] Registering candidate plugin; module='afsocket', context='destination', name='tcp6' [2021-04-07T11:52:21.155839] Registering candidate plugin; module='afsocket', context='source', name='udp' [2021-04-07T11:52:21.155841] Registering candidate plugin; module='afsocket', context='destination', name='udp' [2021-04-07T11:52:21.155844] Registering candidate plugin; module='afsocket', context='source', name='udp6' [2021-04-07T11:52:21.155846] Registering candidate plugin; module='afsocket', context='destination', name='udp6' [2021-04-07T11:52:21.155857] Registering candidate plugin; module='afsocket', context='source', name='syslog' [2021-04-07T11:52:21.155860] Registering candidate plugin; module='afsocket', context='destination', name='syslog' [2021-04-07T11:52:21.155863] Registering candidate plugin; module='afsocket', context='source', name='network' [2021-04-07T11:52:21.155865] Registering candidate plugin; module='afsocket', context='destination', name='network' [2021-04-07T11:52:21.155867] Registering candidate plugin; module='afsocket', context='source', name='systemd-syslog' [2021-04-07T11:52:21.155886] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafprog.so', module='afprog' [2021-04-07T11:52:21.155979] Registering candidate plugin; module='afprog', context='source', name='program' [2021-04-07T11:52:21.155986] Registering candidate plugin; module='afprog', context='destination', name='program' [2021-04-07T11:52:21.156000] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libaffile.so', module='affile' [2021-04-07T11:52:21.156140] Registering candidate plugin; module='affile', context='source', name='file' [2021-04-07T11:52:21.156176] Registering candidate plugin; module='affile', context='source', name='pipe' [2021-04-07T11:52:21.156181] Registering 
candidate plugin; module='affile', context='source', name='wildcard_file' [2021-04-07T11:52:21.156184] Registering candidate plugin; module='affile', context='source', name='stdin' [2021-04-07T11:52:21.156187] Registering candidate plugin; module='affile', context='destination', name='file' [2021-04-07T11:52:21.156189] Registering candidate plugin; module='affile', context='destination', name='pipe' [2021-04-07T11:52:21.156209] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libadd-contextual-data.so', module='add-contextual-data' [2021-04-07T11:52:21.156308] Registering candidate plugin; module='add-contextual-data', context='parser', name='add_contextual_data' [2021-04-07T11:52:21.156434] Finishing include; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.156450] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156674] Finishing include; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156687] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156832] Finishing include; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156841] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156931] Finishing include; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156943] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157022] Finishing include; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157029] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157074] Finishing include; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157078] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157107] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1' [2021-04-07T11:52:21.157109] Finishing include; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157114] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157173] Finishing include; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157179] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157232] Finishing include; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157236] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157262] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1' [2021-04-07T11:52:21.157264] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157269] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157309] Global value changed; define='kafka-implementation', value='kafka-java' [2021-04-07T11:52:21.157328] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157336] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157375] Finishing include; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157379] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157493] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.157512] Finishing include; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157519] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157559] Finishing include; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157565] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157597] Included file was skipped because of a missing module; module='pacctformat', location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1' [2021-04-07T11:52:21.157600] Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157605] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157905] Finishing include; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157919] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.157969] Global value changed; define='balabit.credit-card-regexp', value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})' [2021-04-07T11:52:21.157998] Finishing include; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', 
depth='2' [2021-04-07T11:52:21.158007] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158073] Finishing include; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158079] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158120] Finishing include; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158131] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161593] Finishing include; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161620] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161724] Finishing include; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161729] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161803] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.161808] Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161815] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161853] Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161860] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161951] Finishing include; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161964] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162008] Finishing include; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162024] Global value changed; define='java-module-dir', value='/usr/lib64/syslog-ng/java-modules' [2021-04-07T11:52:21.162028] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.162157] Module loaded and initialized successfully; module='system-source' [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log device; device='/dev/kmsg', format='linux-kmsg' [2021-04-07T11:52:21.162403] Module loaded and initialized successfully; module='afsocket' [2021-04-07T11:52:21.162936] Module loaded and initialized successfully; module='affile' [2021-04-07T11:52:21.163175] Module loaded and initialized successfully; module='kvformat' [2021-04-07T11:52:21.163192] Finishing include; content='block parser iptables-parser() at /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23', depth='3' [2021-04-07T11:52:21.163568] Module loaded and initialized successfully; module='csvparser' [2021-04-07T11:52:21.164457] Finishing include; content='block parser panos-parser() at /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29', depth='3' [2021-04-07T11:52:21.164880] Module loaded and initialized successfully; module='basicfuncs' [2021-04-07T11:52:21.164936] Finishing include; content='block parser sudo-parser() at /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23', depth='3' [2021-04-07T11:52:21.164995] Finishing include; content='parser generator app-parser', depth='2' [2021-04-07T11:52:21.165016] Finishing include; content='source generator system', depth='1' [2021-04-07T11:52:21.165525] Module loaded and initialized successfully; module='syslogformat' [2021-04-07T11:52:21.165711] Module loaded and initialized successfully; module='linux-kmsg-format' [2021-04-07T11:52:21.165966] Running application 
hooks; hook='1' [2021-04-07T11:52:21.165971] Running application hooks; hook='6' [2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1' [2021-04-07T11:52:21.165989] Running application hooks; hook='2' [2021-04-07T11:52:39.961046] Running application hooks; hook='3' [2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1' [2021-04-07T11:52:40.061679] Running application hooks; hook='4' -----------------------------------------------------------------------------
On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
can you start syslog-ng in the foreground and look at the startup messages?
e.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:
# /usr/sbin/syslog-ng -Fedv
This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.
Cheers, Bazsi
On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> <mailto:dan@newideatest.site> wrote:
Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.
On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> <mailto:dan@newideatest.site> wrote:
No joy. I tried swapping it different ways.
filter -> source -> destination = combined
source -> filter -> destination = combined
Here's what my config looks like now, after the second variant:
@version: 3.30
@include "scl.conf"
options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };
source src { system(); internal(); };
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); filter(samba); destination(smb_logs); flags(final); );
You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
Still, sshd messages are appearing in /var/log/messages.
On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> Hello,
>
> The order in the configuration matters.
> log { source(src); destination(console); filter(syslog); };
> The message flow is the following in your example
> source(src) -> destination(console) -> filter(syslog) -> void
> The filter receives messages only after destination, if you switch filter and destination it should be fine.
>
> --
> kokan
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
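The message that follows decodes the two PRI prefixes <38> and <86> seen on the sshd lines. As an added example (not code from the thread or from syslog-ng), the Python below does that decoding (PRI = facility * 8 + severity, facility numbers per RFC 3164) and replays the thread's four log statements, including the flags(final) short-circuit, over the two lines quoted there. The `route` helper, the `*_fixed` filter variants and the pipeline tables are my own names and my own suggestion; the `XXXX` in the sample line is the redaction already present in the thread.

```python
"""Decode syslog PRI values and replay the thread's filter chain on sample lines.

Added illustration, not code from the thread or from syslog-ng itself.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# RFC 3164 facility codes. Slots 0-11 and 16-23 carry the names syslog-ng's
# facility() accepts; 12-15 are labelled here by their RFC descriptions.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "log-audit", "log-alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd hh:mm:ss program[pid]: message", the shape syslog(3) writes to
# /dev/log (no hostname field), which is what the thread's debug output shows.
BSD_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+?)(?:\[(\d+)\])?: (.*)$"
)

Msg = Dict[str, Optional[str]]
Filter = Callable[[Msg], bool]


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI is facility * 8 + severity: <38> -> (auth, info), <86> -> (authpriv, info)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(line: str) -> Msg:
    """Split one BSD syslog line into the fields the thread's filters look at."""
    m = BSD_LINE.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, level = decode_pri(int(m.group(1)))
    return {"facility": facility, "level": level, "program": m.group(3),
            "pid": m.group(4), "message": m.group(5)}


# The three filters from the thread's configuration, transcribed literally.
def filter_samba(msg: Msg) -> bool:
    return msg["program"] == "samba"


def filter_ssh_messages(msg: Msg) -> bool:
    return msg["facility"] == "auth" and msg["level"] == "info"


def filter_syslog(msg: Msg) -> bool:
    return not filter_ssh_messages(msg) and not filter_samba(msg)


# Candidate replacement (my suggestion, not from the thread): sshd emits some
# events via PAM under facility authpriv, so match both auth facilities.
def filter_ssh_messages_fixed(msg: Msg) -> bool:
    return msg["facility"] in ("auth", "authpriv") and msg["level"] == "info"


def filter_syslog_fixed(msg: Msg) -> bool:
    return not filter_ssh_messages_fixed(msg) and not filter_samba(msg)


# (filter, destination, flags(final)) in the order the log {} statements appear.
THREAD_PIPELINE = [
    (filter_samba, "smb_logs", True),
    (filter_ssh_messages, "sshd_log", True),
    (filter_syslog, "console", False),
    (filter_syslog, "messages", False),
]
FIXED_PIPELINE = [
    (filter_samba, "smb_logs", True),
    (filter_ssh_messages_fixed, "sshd_log", True),
    (filter_syslog_fixed, "console", False),
    (filter_syslog_fixed, "messages", False),
]


def route(msg: Msg, pipeline) -> List[str]:
    """Evaluate log statements in order; a matching statement with flags(final) stops the rest."""
    reached: List[str] = []
    for flt, destination, final in pipeline:
        if flt(msg):
            reached.append(destination)
            if final:
                break
    return reached


# The two raw lines quoted in the thread (client address redacted there as XXXX).
SAMPLE_LINES = [
    "<38>Apr 7 12:29:43 sshd[30745]: Accepted keyboard-interactive/pam for dan from XXXX port 40747 ssh2",
    "<86>Apr 7 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user dan(uid=1001) by (uid=0)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_line(line)
        print(f"{msg['facility']}/{msg['level']} from {msg['program']}: "
              f"thread config -> {route(msg, THREAD_PIPELINE)}, "
              f"fixed config -> {route(msg, FIXED_PIPELINE)}")
```

Run stand-alone, the first line lands only in sshd_log under both configurations, while the pam_unix line (authpriv/info) falls through filter_ssh_messages in the thread's configuration and reaches console and messages; the widened filter catches it. In syslog-ng syntax the same widening is `facility(auth, authpriv)`; matching on `program("sshd")` instead is the other common way to keep all sshd output together regardless of facility.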
Hi Dan,
The next important question is whether you see all sshd log messages in /var/log/messages or just some of them. I see two kinds of sshd-related log messages:
[2021-04-07T12:29:43.875056] Incoming log entry; line='<38>Apr 7 12:29:43 sshd[30745]: Accepted keyboard-interactive/pam for dan from XXXX port 40747 ssh2'
[2021-04-07T12:29:43.878136] Incoming log entry; line='<86>Apr 7 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user dan(uid=1001) by (uid=0)'
As the two have different values in <>, at least one of them differs from auth/info. By the way, <38> is security(4)/info and <86> is security(10)/info. So both are security/auth messages in some way, but still different facilities (4 and 6), which are called auth(4) and authpriv(10) within syslog-ng.
On Wed, 2021-04-07 at 12:35 -0600, Dan Egli wrote:
Okay. I captured a couple of minutes' worth of syslog-ng running. It's too big to post (1.5MB) so I put it up on my web server. You can see it at: https://www.newideatest.site/syslog-out
On 4/7/2021 12:07 PM, SZIGETVÁRI János wrote:
Hello Dan,
I believe that Bazsi (Balázs) wasn't really looking for the startup messages about the config being parsed, but instead about the debug/trace output of the log processing pipeline. There he would be able to check which filters were run against a certain message (its actual content too), and what result those filters returned. I think that's what he's primarily after.
Best Regards, János -- Janos SZIGETVARI RHCE, License no. 150-053-692
LinkedIn: linkedin.com/in/janosszigetvari Web: janos.szigetvari.com
__@__˚V˚ Make the switch to open (source) applications, protocols, formats now: - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice - msn -> jabber protocol (Pidgin, Google Talk) - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Dan Egli <dan@newideatest.site> wrote (on 2021 Apr 7, Wed, 20:02):
Syslog-ng is NOT complaining about my config at all. I've included the output from the -Fedv below. Other than what I would call "routine" errors in the scl section, no complaints.
---------------------------------
[2021-04-07T11:52:21.151347] Processing @include statement; filename='scl.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include' [2021-04-07T11:52:21.151420] Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.151596] Module loaded and initialized successfully; module='appmodel' [2021-04-07T11:52:21.151612] Processing @include statement; filename='scl/*/*.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include' [2021-04-07T11:52:21.151782] Adding include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.151787] Adding include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.151790] Adding include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.151792] Adding include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.151794] Adding include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.151797] Adding include file; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.151799] Adding include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.151802] Adding include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.151804] Adding include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.151807] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.151809] 
Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.151811] Adding include file; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.151814] Adding include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.151816] Adding include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.151819] Adding include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.151821] Adding include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.151824] Adding include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.151826] Adding include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.151906] Adding include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.151912] Adding include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.151915] Adding include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.151917] Adding include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.151920] Adding include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.151922] Adding include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.151925] Adding include file; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.151933] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.151993] Reading path for candidate modules; path='/usr/lib64/syslog-ng' [2021-04-07T11:52:21.152064] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libxml.so', module='xml' [2021-04-07T11:52:21.152174] Registering candidate plugin; module='xml', context='parser', name='xml' [2021-04-07T11:52:21.152200] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtags-parser.so', module='tags-parser' [2021-04-07T11:52:21.152263] Registering candidate plugin; module='tags-parser', context='parser', name='tags-parser' [2021-04-07T11:52:21.152277] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsystem-source.so', module='system-source' [2021-04-07T11:52:21.152336] Registering candidate plugin; module='system-source', context='source', name='system' [2021-04-07T11:52:21.152349] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsyslogformat.so', module='syslogformat' [2021-04-07T11:52:21.152414] Registering candidate plugin; module='syslogformat', context='format', name='syslog' [2021-04-07T11:52:21.152417] Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser' [2021-04-07T11:52:21.152428] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libstardate.so', module='stardate' [2021-04-07T11:52:21.152619] Registering candidate plugin; module='stardate', context='template-func', name='stardate' [2021-04-07T11:52:21.152661] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsecure-logging.so', module='secure-logging' [2021-04-07T11:52:21.152746] Registering candidate plugin; module='secure-logging', context='template-func', name='slog' [2021-04-07T11:52:21.152760] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', 
fname='libpseudofile.so', module='pseudofile' [2021-04-07T11:52:21.152832] Registering candidate plugin; module='pseudofile', context='destination', name='pseudofile' [2021-04-07T11:52:21.152904] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libmap-value-pairs.so', module='map-value-pairs' [2021-04-07T11:52:21.152989] Registering candidate plugin; module='map-value-pairs', context='parser', name='map_value_pairs' [2021-04-07T11:52:21.153005] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='liblinux-kmsg-format.so', module='linux-kmsg-format' [2021-04-07T11:52:21.153170] Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg' [2021-04-07T11:52:21.153191] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libkvformat.so', module='kvformat' [2021-04-07T11:52:21.153261] Registering candidate plugin; module='kvformat', context='parser', name='kv-parser' [2021-04-07T11:52:21.153265] Registering candidate plugin; module='kvformat', context='parser', name='linux-audit-parser' [2021-04-07T11:52:21.153268] Registering candidate plugin; module='kvformat', context='template-func', name='format-welf' [2021-04-07T11:52:21.153279] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libhook-commands.so', module='hook-commands' [2021-04-07T11:52:21.153339] Registering candidate plugin; module='hook-commands', context='inner-dest', name='hook-commands' [2021-04-07T11:52:21.153343] Registering candidate plugin; module='hook-commands', context='inner-src', name='hook-commands' [2021-04-07T11:52:21.153355] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libgraphite.so', module='graphite' [2021-04-07T11:52:21.153408] Registering candidate plugin; module='graphite', context='template-func', name='graphite_output' [2021-04-07T11:52:21.153418] Reading shared object for a candidate module; 
path='/usr/lib64/syslog-ng', fname='libtfgetent.so', module='tfgetent' [2021-04-07T11:52:21.153468] Registering candidate plugin; module='tfgetent', context='template-func', name='getent' [2021-04-07T11:52:21.153479] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libexamples.so', module='examples' [2021-04-07T11:52:21.153646] Registering candidate plugin; module='examples', context='source', name='example_msg_generator' [2021-04-07T11:52:21.153654] Registering candidate plugin; module='examples', context='source', name='example_random_generator' [2021-04-07T11:52:21.153660] Registering candidate plugin; module='examples', context='source', name='example_diskq_source' [2021-04-07T11:52:21.153670] Registering candidate plugin; module='examples', context='inner-dest', name='http_test_slots' [2021-04-07T11:52:21.153677] Registering candidate plugin; module='examples', context='destination', name='example_destination' [2021-04-07T11:52:21.153722] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdisk-buffer.so', module='disk-buffer' [2021-04-07T11:52:21.153825] Registering candidate plugin; module='disk-buffer', context='inner-dest', name='disk_buffer' [2021-04-07T11:52:21.153846] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdbparser.so', module='dbparser' [2021-04-07T11:52:21.154065] Registering candidate plugin; module='dbparser', context='parser', name='db-parser' [2021-04-07T11:52:21.154076] Registering candidate plugin; module='dbparser', context='parser', name='grouping-by' [2021-04-07T11:52:21.154100] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtimestamp.so', module='timestamp' [2021-04-07T11:52:21.154260] Registering candidate plugin; module='timestamp', context='parser', name='date-parser' [2021-04-07T11:52:21.154267] Registering candidate plugin; module='timestamp', context='rewrite', name='fix-time-zone' 
[2021-04-07T11:52:21.154270] Registering candidate plugin; module='timestamp', context='rewrite', name='set-time-zone' [2021-04-07T11:52:21.154279] Registering candidate plugin; module='timestamp', context='rewrite', name='guess-time-zone' [2021-04-07T11:52:21.154296] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcsvparser.so', module='csvparser' [2021-04-07T11:52:21.154366] Registering candidate plugin; module='csvparser', context='parser', name='csv-parser' [2021-04-07T11:52:21.154381] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcryptofuncs.so', module='cryptofuncs' [2021-04-07T11:52:21.154452] Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid' [2021-04-07T11:52:21.154459] Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash' [2021-04-07T11:52:21.154657] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1' [2021-04-07T11:52:21.154662] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256' [2021-04-07T11:52:21.154665] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512' [2021-04-07T11:52:21.154667] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4' [2021-04-07T11:52:21.154673] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5' [2021-04-07T11:52:21.154689] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libconfgen.so', module='confgen' [2021-04-07T11:52:21.154788] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcef.so', module='cef' [2021-04-07T11:52:21.154912] Registering candidate plugin; module='cef', context='template-func', name='format-cef-extension' [2021-04-07T11:52:21.154935] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', 
fname='libbasicfuncs.so', module='basicfuncs' [2021-04-07T11:52:21.155134] Registering candidate plugin; module='basicfuncs', context='template-func', name='grep' [2021-04-07T11:52:21.155142] Registering candidate plugin; module='basicfuncs', context='template-func', name='if' [2021-04-07T11:52:21.155145] Registering candidate plugin; module='basicfuncs', context='template-func', name='or' [2021-04-07T11:52:21.155148] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-lookup' [2021-04-07T11:52:21.155150] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length' [2021-04-07T11:52:21.155156] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-values' [2021-04-07T11:52:21.155158] Registering candidate plugin; module='basicfuncs', context='template-func', name='echo' [2021-04-07T11:52:21.155165] Registering candidate plugin; module='basicfuncs', context='template-func', name='length' [2021-04-07T11:52:21.155171] Registering candidate plugin; module='basicfuncs', context='template-func', name='substr' [2021-04-07T11:52:21.155173] Registering candidate plugin; module='basicfuncs', context='template-func', name='strip' [2021-04-07T11:52:21.155176] Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize' [2021-04-07T11:52:21.155178] Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase' [2021-04-07T11:52:21.155180] Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase' [2021-04-07T11:52:21.155183] Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter' [2021-04-07T11:52:21.155185] Registering candidate plugin; module='basicfuncs', context='template-func', name='padding' [2021-04-07T11:52:21.155201] Registering candidate plugin; module='basicfuncs', context='template-func', name='binary' 
[2021-04-07T11:52:21.155204] Registering candidate plugin; module='basicfuncs', context='template-func', name='implode' [2021-04-07T11:52:21.155207] Registering candidate plugin; module='basicfuncs', context='template-func', name='explode' [2021-04-07T11:52:21.155209] Registering candidate plugin; module='basicfuncs', context='template-func', name='dirname' [2021-04-07T11:52:21.155214] Registering candidate plugin; module='basicfuncs', context='template-func', name='basename' [2021-04-07T11:52:21.155217] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-concat' [2021-04-07T11:52:21.155219] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-head' [2021-04-07T11:52:21.155222] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-nth' [2021-04-07T11:52:21.155224] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-tail' [2021-04-07T11:52:21.155227] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-slice' [2021-04-07T11:52:21.155230] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-count' [2021-04-07T11:52:21.155232] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-append' [2021-04-07T11:52:21.155234] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-search' [2021-04-07T11:52:21.155237] Registering candidate plugin; module='basicfuncs', context='template-func', name='+' [2021-04-07T11:52:21.155239] Registering candidate plugin; module='basicfuncs', context='template-func', name='-' [2021-04-07T11:52:21.155241] Registering candidate plugin; module='basicfuncs', context='template-func', name='*' [2021-04-07T11:52:21.155243] Registering candidate plugin; module='basicfuncs', context='template-func', name='/' [2021-04-07T11:52:21.155245] Registering candidate plugin; module='basicfuncs', 
context='template-func', name='%' [2021-04-07T11:52:21.155248] Registering candidate plugin; module='basicfuncs', context='template-func', name='sum' [2021-04-07T11:52:21.155255] Registering candidate plugin; module='basicfuncs', context='template-func', name='min' [2021-04-07T11:52:21.155257] Registering candidate plugin; module='basicfuncs', context='template-func', name='max' [2021-04-07T11:52:21.155259] Registering candidate plugin; module='basicfuncs', context='template-func', name='average' [2021-04-07T11:52:21.155261] Registering candidate plugin; module='basicfuncs', context='template-func', name='round' [2021-04-07T11:52:21.155267] Registering candidate plugin; module='basicfuncs', context='template-func', name='ceil' [2021-04-07T11:52:21.155272] Registering candidate plugin; module='basicfuncs', context='template-func', name='floor' [2021-04-07T11:52:21.155275] Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int' [2021-04-07T11:52:21.155277] Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line' [2021-04-07T11:52:21.155279] Registering candidate plugin; module='basicfuncs', context='template-func', name='dns-resolve-ip' [2021-04-07T11:52:21.155281] Registering candidate plugin; module='basicfuncs', context='template-func', name='env' [2021-04-07T11:52:21.155284] Registering candidate plugin; module='basicfuncs', context='template-func', name='template' [2021-04-07T11:52:21.155286] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-encode' [2021-04-07T11:52:21.155288] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-decode' [2021-04-07T11:52:21.155291] Registering candidate plugin; module='basicfuncs', context='template-func', name='base64-encode' [2021-04-07T11:52:21.155294] Registering candidate plugin; module='basicfuncs', context='template-func', name='iterate' [2021-04-07T11:52:21.155297] 
Registering candidate plugin; module='basicfuncs', context='template-func', name='map' [2021-04-07T11:52:21.155300] Registering candidate plugin; module='basicfuncs', context='template-func', name='filter' [2021-04-07T11:52:21.155330] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libazure-auth- header.so', module='azure-auth-header' [2021-04-07T11:52:21.155422] Registering candidate plugin; module='azure-auth-header', context='inner-dest', name='azure-auth- header' [2021-04-07T11:52:21.155440] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libappmodel.so', module='appmodel' [2021-04-07T11:52:21.155445] Registering candidate plugin; module='appmodel', context='root', name='application' [2021-04-07T11:52:21.155448] Registering candidate plugin; module='appmodel', context='parser', name='app-parser' [2021-04-07T11:52:21.155450] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafuser.so', module='afuser' [2021-04-07T11:52:21.155549] Registering candidate plugin; module='afuser', context='destination', name='usertty' [2021-04-07T11:52:21.155565] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafstomp.so', module='afstomp' [2021-04-07T11:52:21.155641] Registering candidate plugin; module='afstomp', context='destination', name='stomp' [2021-04-07T11:52:21.155653] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafsocket.so', module='afsocket' [2021-04-07T11:52:21.155816] Registering candidate plugin; module='afsocket', context='source', name='unix-stream' [2021-04-07T11:52:21.155821] Registering candidate plugin; module='afsocket', context='destination', name='unix-stream' [2021-04-07T11:52:21.155824] Registering candidate plugin; module='afsocket', context='source', name='unix-dgram' [2021-04-07T11:52:21.155827] Registering candidate plugin; module='afsocket', context='destination', 
name='unix-dgram' [2021-04-07T11:52:21.155829] Registering candidate plugin; module='afsocket', context='source', name='tcp' [2021-04-07T11:52:21.155832] Registering candidate plugin; module='afsocket', context='destination', name='tcp' [2021-04-07T11:52:21.155834] Registering candidate plugin; module='afsocket', context='source', name='tcp6' [2021-04-07T11:52:21.155837] Registering candidate plugin; module='afsocket', context='destination', name='tcp6' [2021-04-07T11:52:21.155839] Registering candidate plugin; module='afsocket', context='source', name='udp' [2021-04-07T11:52:21.155841] Registering candidate plugin; module='afsocket', context='destination', name='udp' [2021-04-07T11:52:21.155844] Registering candidate plugin; module='afsocket', context='source', name='udp6' [2021-04-07T11:52:21.155846] Registering candidate plugin; module='afsocket', context='destination', name='udp6' [2021-04-07T11:52:21.155857] Registering candidate plugin; module='afsocket', context='source', name='syslog' [2021-04-07T11:52:21.155860] Registering candidate plugin; module='afsocket', context='destination', name='syslog' [2021-04-07T11:52:21.155863] Registering candidate plugin; module='afsocket', context='source', name='network' [2021-04-07T11:52:21.155865] Registering candidate plugin; module='afsocket', context='destination', name='network' [2021-04-07T11:52:21.155867] Registering candidate plugin; module='afsocket', context='source', name='systemd-syslog' [2021-04-07T11:52:21.155886] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafprog.so', module='afprog' [2021-04-07T11:52:21.155979] Registering candidate plugin; module='afprog', context='source', name='program' [2021-04-07T11:52:21.155986] Registering candidate plugin; module='afprog', context='destination', name='program' [2021-04-07T11:52:21.156000] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libaffile.so', module='affile' 
[2021-04-07T11:52:21.156140] Registering candidate plugin; module='affile', context='source', name='file' [2021-04-07T11:52:21.156176] Registering candidate plugin; module='affile', context='source', name='pipe' [2021-04-07T11:52:21.156181] Registering candidate plugin; module='affile', context='source', name='wildcard_file' [2021-04-07T11:52:21.156184] Registering candidate plugin; module='affile', context='source', name='stdin' [2021-04-07T11:52:21.156187] Registering candidate plugin; module='affile', context='destination', name='file' [2021-04-07T11:52:21.156189] Registering candidate plugin; module='affile', context='destination', name='pipe' [2021-04-07T11:52:21.156209] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libadd-contextual- data.so', module='add-contextual-data' [2021-04-07T11:52:21.156308] Registering candidate plugin; module='add-contextual-data', context='parser', name='add_contextual_data' [2021-04-07T11:52:21.156434] Finishing include; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.156450] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156674] Finishing include; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156687] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156832] Finishing include; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156841] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156931] Finishing include; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156943] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/default-network- 
drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157022] Finishing include; filename='/usr/share/syslog-ng/include/scl/default-network- drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157029] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157074] Finishing include; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157078] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157107] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog- ng/include/scl/hdfs/plugin.conf:24:1' [2021-04-07T11:52:21.157109] Finishing include; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157114] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157173] Finishing include; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157179] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157232] Finishing include; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157236] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157262] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog- ng/include/scl/kafka/kafka-java.conf:24:1' [2021-04-07T11:52:21.157264] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157269] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157309] Global value changed; 
define='kafka- implementation', value='kafka-java' [2021-04-07T11:52:21.157328] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157336] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux- audit.conf', depth='2' [2021-04-07T11:52:21.157375] Finishing include; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux- audit.conf', depth='2' [2021-04-07T11:52:21.157379] Starting to read include file; filename='/usr/share/syslog- ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157493] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.157512] Finishing include; filename='/usr/share/syslog- ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157519] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157559] Finishing include; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157565] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157597] Included file was skipped because of a missing module; module='pacctformat', location='/usr/share/syslog- ng/include/scl/pacct/plugin.conf:24:1' [2021-04-07T11:52:21.157600] Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157605] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157905] Finishing include; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157919] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.157969] Global value changed; define='balabit.credit-card-regexp', value='(:4[0-9]{12}(?:[0- 
9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0- 9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})' [2021-04-07T11:52:21.157998] Finishing include; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.158007] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd- source.conf', depth='2' [2021-04-07T11:52:21.158073] Finishing include; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd- source.conf', depth='2' [2021-04-07T11:52:21.158079] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158120] Finishing include; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158131] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161593] Finishing include; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161620] Starting to read include file; filename='/usr/share/syslog- ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161724] Finishing include; filename='/usr/share/syslog- ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161729] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161803] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.161808] Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161815] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161853] Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161860] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161951] Finishing include; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161964] Starting to read include file; filename='/usr/share/syslog- ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162008] Finishing include; filename='/usr/share/syslog- ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162024] Global value changed; define='java- module-dir', value='/usr/lib64/syslog-ng/java-modules' [2021-04-07T11:52:21.162028] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.162157] Module loaded and initialized successfully; module='system-source' [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log device; device='/dev/kmsg', format='linux-kmsg' [2021-04-07T11:52:21.162403] Module loaded and initialized successfully; module='afsocket' [2021-04-07T11:52:21.162936] Module loaded and initialized successfully; module='affile' [2021-04-07T11:52:21.163175] Module loaded and initialized successfully; module='kvformat' [2021-04-07T11:52:21.163192] Finishing include; content='block parser iptables-parser() at /usr/share/syslog- ng/include/scl/iptables/iptables.conf:23', depth='3' [2021-04-07T11:52:21.163568] Module loaded and initialized successfully; module='csvparser' [2021-04-07T11:52:21.164457] Finishing include; content='block parser panos-parser() at /usr/share/syslog- ng/include/scl/paloalto/panos.conf:29', depth='3' [2021-04-07T11:52:21.164880] Module loaded and initialized successfully; module='basicfuncs' [2021-04-07T11:52:21.164936] Finishing include; content='block parser sudo-parser() at /usr/share/syslog- ng/include/scl/sudo/sudo.conf:23', depth='3' [2021-04-07T11:52:21.164995] Finishing include; content='parser generator app-parser', depth='2' [2021-04-07T11:52:21.165016] Finishing include; content='source generator 
system', depth='1' [2021-04-07T11:52:21.165525] Module loaded and initialized successfully; module='syslogformat' [2021-04-07T11:52:21.165711] Module loaded and initialized successfully; module='linux-kmsg-format' [2021-04-07T11:52:21.165966] Running application hooks; hook='1' [2021-04-07T11:52:21.165971] Running application hooks; hook='6' [2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1' [2021-04-07T11:52:21.165989] Running application hooks; hook='2' [2021-04-07T11:52:39.961046] Running application hooks; hook='3' [2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1' [2021-04-07T11:52:40.061679] Running application hooks; hook='4' ------------------------------------------------------------------- ---------- On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
can you start syslog-ng in the foreground and look at the startup messages?
e.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:
# /usr/sbin/syslog-ng -Fedv
This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.
Cheers, Bazsi
On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> wrote:
Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.
On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> wrote:
No joy. I tried swapping it different ways.
filter -> source -> destination = combined
source -> filter -> destination = combined
Here's what my config looks like now, after the second variant:
@version: 3.30
@include "scl.conf"
options { threaded(yes); chain_hostnames(no); stats_freq(43200); mark_freq(3600); };
source src { system(); internal(); };
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); filter(samba); destination(smb_logs); flags(final); );
You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
Still, sshd messages are appearing in /var/log/messages.
On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> Hello,
>
> The order in the configuration matters.
> log { source(src); destination(console); filter(syslog); };
> The message flow is the following in your example
> source(src) -> destination(console) -> filter(syslog) -> void
> The filter receives messages only after destination, if you switch filter and destination it should be fine.
>
> --
> kokan
>
> ________________________________________
> From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Dan Egli <dan@newideatest.site>
> Sent: 07 April 2021 07:17
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng] Syslog-ng not honoring negative flag
>
> I'm having a bit of a problem and hope someone here can help. I'm trying to separate individual items into specific logs, i.e. ssh events in sshd.log, samba messages in samba.log, etc...
>
> I managed to come up with filters that pull out the events I started with, and they are going into the correct log files. But they are ALSO going into /var/log/messages even though I specifically have a filter on that one that says not to include samba or sshd events. I'll copy my config file here. Hopefully someone can tell me what I did wrong.
>
> Thanks!
>
> ---------------------------------------------
> @version: 3.30
>
> @include "scl.conf"
>
> options {
> threaded(yes);
> chain_hostnames(no);
> stats_freq(43200);
> mark_freq(3600);
> };
>
> source src { system(); internal(); };
>
> filter samba { program("samba"); };
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
> destination smb_logs { file("/var/log/samba/samba.log"); };
>
> log { source(src); destination(smb_logs); filter(samba); flags(final); );
> log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };
> log { source(src); destination(console); filter(syslog); };
> log { source(src); destination(messages); filter(syslog); };
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
Those are the only ones I'm seeing in either log. Let me test it a bit, see if startup/shutdown messages occur too.

Not only that, I am seeing samba messages in the sshd log, and I should not. When I do lsof, it seems the samba daemon is writing its own logs, so it's not surprising that there are no errors in that log. But why am I seeing samba messages in sshd.log, and why am I seeing samba and sshd in /var/log/messages? And if what you say about the security/auth is correct, then something else is screwy here because I ONLY have auth/info listed, NOT authpriv. Frankly, I'd say that it sounds like I need to just change to program("sshd") but I'm not sure if that will fix anything. I'll do that, just to see.

In the meantime, I have two files that are live copies of files in my web site. https://www.newideatest.site/syslog-ng-debug is exactly that: it's the constantly running output from syslog-ng -Fdav. https://www.newideatest.site/system_log is a symlink to the actual /var/log/messages. Since this is not a truly "live" server yet, just something holding my email while I set up some tests, this isn't really a security risk. Take a look at these to see what's going on.

On 4/7/2021 12:48 PM, SZALAY Attila wrote:
Hi Dan,
The next important question is whether you see all sshd log messages in /var/log/messages or just some of them. I see two kinds of sshd-related log message:
[2021-04-07T12:29:43.875056] Incoming log entry; line='<38>Apr 7 12:29:43 sshd[30745]: Accepted keyboard-interactive/pam for dan from XXXX port 40747 ssh2'
[2021-04-07T12:29:43.878136] Incoming log entry; line='<86>Apr 7 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user dan(uid=1001) by (uid=0)'
As the two have different values in <>, at least one of them differs from auth/info.
By the way, <38> is security(4)/info and <86> is security(10)/info. So both are security/auth messages in some way, but still with different facilities (4 and 6), which are called auth(4) and authpriv(10) within syslog-ng.
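Attila's PRI arithmetic above, together with Kokan's point earlier in the thread about element order inside a log statement, carried through as an added example in Python (not code from the thread or from the syslog-ng project). It decodes the <PRI> of the two sshd lines Attila quoted and walks each through a model of the log statements in Dan's config, once with the destination written before the filter (the first post) and once with the filter first (Dan's second variant), and also with the program("sshd") filter Dan said he would try. The routing model is a simplified reading of syslog-ng log-path semantics (elements evaluated in the order written; flags(final) stops later paths only for a message that passed every filter in the path); the facility and level names are the RFC 3164 codes as syslog-ng spells them; the destination paths are the ones from Dan's config.

```python
"""Decode the <PRI> of Dan's sshd lines and route them through his log paths.

Added example for this thread, not syslog-ng code. The routing below is a
simplified model of syslog-ng log-path semantics, not the real engine.
"""
import re

# RFC 3164: PRI = facility * 8 + severity. Names spelled as syslog-ng uses
# them; facilities outside this table fall back to a numeric placeholder.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon DD HH:MM:SS program[pid]: text   (no hostname, as read from /dev/log)
BSD_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([^\s\[:]+)(?:\[(\d+)\])?:\s?(.*)$")


def parse_bsd_syslog(line):
    """Split a BSD-syslog line into facility/level names, program, pid and text."""
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITIES.get(pri // 8, "facility%d" % (pri // 8)),
        "level": LEVELS[pri % 8],
        "program": m.group(3),
        "pid": int(m.group(4)) if m.group(4) else None,
        "message": m.group(5),
    }


def make_filters(ssh_test):
    """Dan's three filters; ssh_test is the predicate behind filter ssh_messages."""
    f = {"samba": lambda m: m["program"] == "samba", "ssh_messages": ssh_test}
    # filter syslog { not filter("ssh_messages") and not filter("samba"); };
    f["syslog"] = lambda m: not f["ssh_messages"](m) and not f["samba"](m)
    return f


# filter ssh_messages { facility("AUTH") and level("INFO"); };  -- as posted
FILTERS_AS_POSTED = make_filters(lambda m: m["facility"] == "auth" and m["level"] == "info")
# The program("sshd") alternative Dan said he would try.
FILTERS_BY_PROGRAM = make_filters(lambda m: m["program"] == "sshd")

DESTINATIONS = {"console": "/dev/tty12", "messages": "/var/log/messages",
                "sshd_log": "/var/log/sshd/sshd.log", "smb_logs": "/var/log/samba/samba.log"}

# Each log statement: (elements in the order written, flags(final) present?)
FIXED_PATHS = [  # Dan's second variant: filter before destination
    ([("filter", "samba"), ("destination", "smb_logs")], True),
    ([("filter", "ssh_messages"), ("destination", "sshd_log")], True),
    ([("filter", "syslog"), ("destination", "console")], False),
    ([("filter", "syslog"), ("destination", "messages")], False),
]
ORIGINAL_PATHS = [  # the first post: destination before filter
    ([("destination", "smb_logs"), ("filter", "samba")], True),
    ([("destination", "sshd_log"), ("filter", "ssh_messages")], True),
    ([("destination", "console"), ("filter", "syslog")], False),
    ([("destination", "messages"), ("filter", "syslog")], False),
]


def route(msg, log_paths, filters=FILTERS_AS_POSTED):
    """Return the files msg is written to, in delivery order.

    A destination written before a filter receives the message before the
    filter runs (Kokan's point); a path whose filter fails neither delivers
    further nor triggers flags(final), so later paths still see the message.
    """
    delivered = []
    for elements, final in log_paths:
        matched = True
        for kind, name in elements:
            if kind == "filter" and not filters[name](msg):
                matched = False
                break
            if kind == "destination":
                delivered.append(DESTINATIONS[name])
        if matched and final:
            break
    return delivered


# The two lines Attila quoted from the debug output (XXXX kept as posted).
SSHD_LINES = [
    "<38>Apr 7 12:29:43 sshd[30745]: Accepted keyboard-interactive/pam for dan from XXXX port 40747 ssh2",
    "<86>Apr 7 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user dan(uid=1001) by (uid=0)",
]

if __name__ == "__main__":
    for line in SSHD_LINES:
        msg = parse_bsd_syslog(line)
        print("%s/%s from %s -> posted filters: %s | program(\"sshd\"): %s" % (
            msg["facility"], msg["level"], msg["program"],
            route(msg, FIXED_PATHS), route(msg, FIXED_PATHS, FILTERS_BY_PROGRAM)))
```

Run directly, it shows the <38> line stopping at sshd.log, while the <86> line, being authpriv rather than auth, fails ssh_messages, passes the negated syslog filter and lands on the console and in /var/log/messages, which is the symptom Dan reports; with the original destination-before-filter order every message additionally reaches samba.log and sshd.log before any filter runs.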
On Wed, 2021-04-07 at 12:35 -0600, Dan Egli wrote:
Okay. I captured a couple of minutes worth of syslog-ng running. It's too big to post (1.5MB) so I put it up on my web server. You can see it at: https://www.newideatest.site/syslog-out
On 4/7/2021 12:07 PM, SZIGETVÁRI János wrote:
Hello Dan,
I believe that Bazsi (Balázs) wasn't really looking for the startup messages about the config being parsed, but instead about the debug/trace output of the log processing pipeline. There he would be able to check which filters were run against a certain message (its actual content too), and what result those filters returned. I think that's what he's primarily after.
Best Regards, János -- Janos SZIGETVARI RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari <http://linkedin.com/in/janosszigetvari> Web: janos.szigetvari.com <https://janos.szigetvari.com>
Dan Egli <dan@newideatest.site> wrote (on 2021 Apr 7, Wed, 20:02):
Syslog-ng is NOT complaining about my config at all. I've included the output from the -Fedv below. Other than what I would call "routine" errors in the scl section, no complaints.
---------------------------------
[2021-04-07T11:52:21.151347] Processing @include statement; filename='scl.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
[2021-04-07T11:52:21.151420] Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1'
[2021-04-07T11:52:21.151596] Module loaded and initialized successfully; module='appmodel'
[2021-04-07T11:52:21.151612] Processing @include statement; filename='scl/*/*.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
[2021-04-07T11:52:21.151782] Adding include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2'
[2021-04-07T11:52:21.151787] Adding include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2'
[2021-04-07T11:52:21.151790] Adding include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2'
[2021-04-07T11:52:21.151792] Adding include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2'
[2021-04-07T11:52:21.151794] Adding include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2'
[2021-04-07T11:52:21.151797] Adding include file; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2'
[2021-04-07T11:52:21.151799] Adding include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
[2021-04-07T11:52:21.151802] Adding include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2'
[2021-04-07T11:52:21.151804] Adding include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2'
[2021-04-07T11:52:21.151807] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2'
[2021-04-07T11:52:21.151809] Adding include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
[2021-04-07T11:52:21.151811] Adding include file; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2'
[2021-04-07T11:52:21.151814] Adding include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2'
[2021-04-07T11:52:21.151816] Adding include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
[2021-04-07T11:52:21.151819] Adding include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2'
[2021-04-07T11:52:21.151821] Adding include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2'
[2021-04-07T11:52:21.151824] Adding include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2'
[2021-04-07T11:52:21.151826] Adding include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2'
[2021-04-07T11:52:21.151906] Adding include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2'
[2021-04-07T11:52:21.151912] Adding include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
[2021-04-07T11:52:21.151915] Adding include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2'
[2021-04-07T11:52:21.151917] Adding include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'
[2021-04-07T11:52:21.151920] Adding include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2'
[2021-04-07T11:52:21.151922] Adding include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2'
[2021-04-07T11:52:21.151925] Adding include file; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2'
[2021-04-07T11:52:21.151933] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2'
[2021-04-07T11:52:21.151993] Reading path for candidate modules; path='/usr/lib64/syslog-ng'
[2021-04-07T11:52:21.152064] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libxml.so', module='xml'
[2021-04-07T11:52:21.152174] Registering candidate plugin; module='xml', context='parser', name='xml'
[2021-04-07T11:52:21.152200] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtags-parser.so', module='tags-parser'
[2021-04-07T11:52:21.152263] Registering candidate plugin; module='tags-parser', context='parser', name='tags-parser'
[2021-04-07T11:52:21.152277] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsystem-source.so', module='system-source'
[2021-04-07T11:52:21.152336] Registering candidate plugin; module='system-source', context='source', name='system'
[2021-04-07T11:52:21.152349] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsyslogformat.so', module='syslogformat'
[2021-04-07T11:52:21.152414] Registering candidate plugin; module='syslogformat', context='format', name='syslog'
[2021-04-07T11:52:21.152417] Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser'
[2021-04-07T11:52:21.152428] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libstardate.so', module='stardate'
[2021-04-07T11:52:21.152619] Registering candidate plugin; module='stardate', context='template-func', name='stardate'
[2021-04-07T11:52:21.152661] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libsecure-logging.so', module='secure-logging'
[2021-04-07T11:52:21.152746] Registering candidate plugin; module='secure-logging', context='template-func', name='slog'
[2021-04-07T11:52:21.152760] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libpseudofile.so', module='pseudofile'
[2021-04-07T11:52:21.152832] Registering candidate plugin; module='pseudofile', context='destination', name='pseudofile'
[2021-04-07T11:52:21.152904] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libmap-value-pairs.so', module='map-value-pairs'
[2021-04-07T11:52:21.152989] Registering candidate plugin; module='map-value-pairs', context='parser', name='map_value_pairs'
[2021-04-07T11:52:21.153005] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='liblinux-kmsg-format.so', module='linux-kmsg-format'
[2021-04-07T11:52:21.153170] Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg'
[2021-04-07T11:52:21.153191] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libkvformat.so', module='kvformat'
[2021-04-07T11:52:21.153261] Registering candidate plugin; module='kvformat', context='parser', name='kv-parser'
[2021-04-07T11:52:21.153265] Registering candidate plugin; module='kvformat', context='parser', name='linux-audit-parser'
[2021-04-07T11:52:21.153268] Registering candidate plugin; module='kvformat', context='template-func', name='format-welf'
[2021-04-07T11:52:21.153279] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libhook-commands.so', module='hook-commands'
[2021-04-07T11:52:21.153339] Registering candidate plugin; module='hook-commands', context='inner-dest', name='hook-commands'
[2021-04-07T11:52:21.153343] Registering candidate plugin; module='hook-commands', context='inner-src', name='hook-commands'
[2021-04-07T11:52:21.153355] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libgraphite.so', module='graphite'
[2021-04-07T11:52:21.153408] Registering candidate plugin; module='graphite', context='template-func', name='graphite_output'
[2021-04-07T11:52:21.153418] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtfgetent.so', module='tfgetent'
[2021-04-07T11:52:21.153468] Registering candidate plugin; module='tfgetent', context='template-func', name='getent'
[2021-04-07T11:52:21.153479] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libexamples.so', module='examples'
[2021-04-07T11:52:21.153646] Registering candidate plugin; module='examples', context='source', name='example_msg_generator'
[2021-04-07T11:52:21.153654] Registering candidate plugin; module='examples', context='source', name='example_random_generator'
[2021-04-07T11:52:21.153660] Registering candidate plugin; module='examples', context='source', name='example_diskq_source'
[2021-04-07T11:52:21.153670] Registering candidate plugin; module='examples', context='inner-dest', name='http_test_slots'
[2021-04-07T11:52:21.153677] Registering candidate plugin; module='examples', context='destination', name='example_destination'
[2021-04-07T11:52:21.153722] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdisk-buffer.so', module='disk-buffer'
[2021-04-07T11:52:21.153825] Registering candidate plugin; module='disk-buffer', context='inner-dest', name='disk_buffer'
[2021-04-07T11:52:21.153846] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libdbparser.so', module='dbparser'
[2021-04-07T11:52:21.154065] Registering candidate plugin; module='dbparser', context='parser', name='db-parser'
[2021-04-07T11:52:21.154076] Registering candidate plugin; module='dbparser', context='parser', name='grouping-by'
[2021-04-07T11:52:21.154100] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libtimestamp.so', module='timestamp'
[2021-04-07T11:52:21.154260] Registering candidate plugin; module='timestamp', context='parser', name='date-parser'
[2021-04-07T11:52:21.154267] Registering candidate plugin; module='timestamp', context='rewrite', name='fix-time-zone'
[2021-04-07T11:52:21.154270] Registering candidate plugin; module='timestamp', context='rewrite', name='set-time-zone'
[2021-04-07T11:52:21.154279] Registering candidate plugin; module='timestamp', context='rewrite', name='guess-time-zone'
[2021-04-07T11:52:21.154296] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcsvparser.so', module='csvparser'
[2021-04-07T11:52:21.154366] Registering candidate plugin; module='csvparser', context='parser', name='csv-parser'
[2021-04-07T11:52:21.154381] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcryptofuncs.so', module='cryptofuncs'
[2021-04-07T11:52:21.154452] Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid'
[2021-04-07T11:52:21.154459] Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash'
[2021-04-07T11:52:21.154657] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1'
[2021-04-07T11:52:21.154662] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256'
[2021-04-07T11:52:21.154665] Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512'
[2021-04-07T11:52:21.154667] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4'
[2021-04-07T11:52:21.154673] Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5'
[2021-04-07T11:52:21.154689] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libconfgen.so', module='confgen'
[2021-04-07T11:52:21.154788] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libcef.so', module='cef'
[2021-04-07T11:52:21.154912] Registering candidate plugin; module='cef', context='template-func', name='format-cef-extension'
[2021-04-07T11:52:21.154935] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libbasicfuncs.so', module='basicfuncs'
[2021-04-07T11:52:21.155134] Registering candidate plugin; module='basicfuncs', context='template-func', name='grep'
[2021-04-07T11:52:21.155142] Registering candidate plugin;
module='basicfuncs', context='template-func', name='if' [2021-04-07T11:52:21.155145] Registering candidate plugin; module='basicfuncs', context='template-func', name='or' [2021-04-07T11:52:21.155148] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-lookup' [2021-04-07T11:52:21.155150] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length' [2021-04-07T11:52:21.155156] Registering candidate plugin; module='basicfuncs', context='template-func', name='context-values' [2021-04-07T11:52:21.155158] Registering candidate plugin; module='basicfuncs', context='template-func', name='echo' [2021-04-07T11:52:21.155165] Registering candidate plugin; module='basicfuncs', context='template-func', name='length' [2021-04-07T11:52:21.155171] Registering candidate plugin; module='basicfuncs', context='template-func', name='substr' [2021-04-07T11:52:21.155173] Registering candidate plugin; module='basicfuncs', context='template-func', name='strip' [2021-04-07T11:52:21.155176] Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize' [2021-04-07T11:52:21.155178] Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase' [2021-04-07T11:52:21.155180] Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase' [2021-04-07T11:52:21.155183] Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter' [2021-04-07T11:52:21.155185] Registering candidate plugin; module='basicfuncs', context='template-func', name='padding' [2021-04-07T11:52:21.155201] Registering candidate plugin; module='basicfuncs', context='template-func', name='binary' [2021-04-07T11:52:21.155204] Registering candidate plugin; module='basicfuncs', context='template-func', name='implode' [2021-04-07T11:52:21.155207] Registering candidate plugin; module='basicfuncs', context='template-func', name='explode' 
[2021-04-07T11:52:21.155209] Registering candidate plugin; module='basicfuncs', context='template-func', name='dirname' [2021-04-07T11:52:21.155214] Registering candidate plugin; module='basicfuncs', context='template-func', name='basename' [2021-04-07T11:52:21.155217] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-concat' [2021-04-07T11:52:21.155219] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-head' [2021-04-07T11:52:21.155222] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-nth' [2021-04-07T11:52:21.155224] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-tail' [2021-04-07T11:52:21.155227] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-slice' [2021-04-07T11:52:21.155230] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-count' [2021-04-07T11:52:21.155232] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-append' [2021-04-07T11:52:21.155234] Registering candidate plugin; module='basicfuncs', context='template-func', name='list-search' [2021-04-07T11:52:21.155237] Registering candidate plugin; module='basicfuncs', context='template-func', name='+' [2021-04-07T11:52:21.155239] Registering candidate plugin; module='basicfuncs', context='template-func', name='-' [2021-04-07T11:52:21.155241] Registering candidate plugin; module='basicfuncs', context='template-func', name='*' [2021-04-07T11:52:21.155243] Registering candidate plugin; module='basicfuncs', context='template-func', name='/' [2021-04-07T11:52:21.155245] Registering candidate plugin; module='basicfuncs', context='template-func', name='%' [2021-04-07T11:52:21.155248] Registering candidate plugin; module='basicfuncs', context='template-func', name='sum' [2021-04-07T11:52:21.155255] Registering candidate plugin; module='basicfuncs', 
context='template-func', name='min' [2021-04-07T11:52:21.155257] Registering candidate plugin; module='basicfuncs', context='template-func', name='max' [2021-04-07T11:52:21.155259] Registering candidate plugin; module='basicfuncs', context='template-func', name='average' [2021-04-07T11:52:21.155261] Registering candidate plugin; module='basicfuncs', context='template-func', name='round' [2021-04-07T11:52:21.155267] Registering candidate plugin; module='basicfuncs', context='template-func', name='ceil' [2021-04-07T11:52:21.155272] Registering candidate plugin; module='basicfuncs', context='template-func', name='floor' [2021-04-07T11:52:21.155275] Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int' [2021-04-07T11:52:21.155277] Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line' [2021-04-07T11:52:21.155279] Registering candidate plugin; module='basicfuncs', context='template-func', name='dns-resolve-ip' [2021-04-07T11:52:21.155281] Registering candidate plugin; module='basicfuncs', context='template-func', name='env' [2021-04-07T11:52:21.155284] Registering candidate plugin; module='basicfuncs', context='template-func', name='template' [2021-04-07T11:52:21.155286] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-encode' [2021-04-07T11:52:21.155288] Registering candidate plugin; module='basicfuncs', context='template-func', name='url-decode' [2021-04-07T11:52:21.155291] Registering candidate plugin; module='basicfuncs', context='template-func', name='base64-encode' [2021-04-07T11:52:21.155294] Registering candidate plugin; module='basicfuncs', context='template-func', name='iterate' [2021-04-07T11:52:21.155297] Registering candidate plugin; module='basicfuncs', context='template-func', name='map' [2021-04-07T11:52:21.155300] Registering candidate plugin; module='basicfuncs', context='template-func', name='filter' [2021-04-07T11:52:21.155330] 
Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libazure-auth-header.so', module='azure-auth-header' [2021-04-07T11:52:21.155422] Registering candidate plugin; module='azure-auth-header', context='inner-dest', name='azure-auth-header' [2021-04-07T11:52:21.155440] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libappmodel.so', module='appmodel' [2021-04-07T11:52:21.155445] Registering candidate plugin; module='appmodel', context='root', name='application' [2021-04-07T11:52:21.155448] Registering candidate plugin; module='appmodel', context='parser', name='app-parser' [2021-04-07T11:52:21.155450] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafuser.so', module='afuser' [2021-04-07T11:52:21.155549] Registering candidate plugin; module='afuser', context='destination', name='usertty' [2021-04-07T11:52:21.155565] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafstomp.so', module='afstomp' [2021-04-07T11:52:21.155641] Registering candidate plugin; module='afstomp', context='destination', name='stomp' [2021-04-07T11:52:21.155653] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafsocket.so', module='afsocket' [2021-04-07T11:52:21.155816] Registering candidate plugin; module='afsocket', context='source', name='unix-stream' [2021-04-07T11:52:21.155821] Registering candidate plugin; module='afsocket', context='destination', name='unix-stream' [2021-04-07T11:52:21.155824] Registering candidate plugin; module='afsocket', context='source', name='unix-dgram' [2021-04-07T11:52:21.155827] Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram' [2021-04-07T11:52:21.155829] Registering candidate plugin; module='afsocket', context='source', name='tcp' [2021-04-07T11:52:21.155832] Registering candidate plugin; module='afsocket', context='destination', name='tcp' 
[2021-04-07T11:52:21.155834] Registering candidate plugin; module='afsocket', context='source', name='tcp6' [2021-04-07T11:52:21.155837] Registering candidate plugin; module='afsocket', context='destination', name='tcp6' [2021-04-07T11:52:21.155839] Registering candidate plugin; module='afsocket', context='source', name='udp' [2021-04-07T11:52:21.155841] Registering candidate plugin; module='afsocket', context='destination', name='udp' [2021-04-07T11:52:21.155844] Registering candidate plugin; module='afsocket', context='source', name='udp6' [2021-04-07T11:52:21.155846] Registering candidate plugin; module='afsocket', context='destination', name='udp6' [2021-04-07T11:52:21.155857] Registering candidate plugin; module='afsocket', context='source', name='syslog' [2021-04-07T11:52:21.155860] Registering candidate plugin; module='afsocket', context='destination', name='syslog' [2021-04-07T11:52:21.155863] Registering candidate plugin; module='afsocket', context='source', name='network' [2021-04-07T11:52:21.155865] Registering candidate plugin; module='afsocket', context='destination', name='network' [2021-04-07T11:52:21.155867] Registering candidate plugin; module='afsocket', context='source', name='systemd-syslog' [2021-04-07T11:52:21.155886] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libafprog.so', module='afprog' [2021-04-07T11:52:21.155979] Registering candidate plugin; module='afprog', context='source', name='program' [2021-04-07T11:52:21.155986] Registering candidate plugin; module='afprog', context='destination', name='program' [2021-04-07T11:52:21.156000] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libaffile.so', module='affile' [2021-04-07T11:52:21.156140] Registering candidate plugin; module='affile', context='source', name='file' [2021-04-07T11:52:21.156176] Registering candidate plugin; module='affile', context='source', name='pipe' [2021-04-07T11:52:21.156181] Registering 
candidate plugin; module='affile', context='source', name='wildcard_file' [2021-04-07T11:52:21.156184] Registering candidate plugin; module='affile', context='source', name='stdin' [2021-04-07T11:52:21.156187] Registering candidate plugin; module='affile', context='destination', name='file' [2021-04-07T11:52:21.156189] Registering candidate plugin; module='affile', context='destination', name='pipe' [2021-04-07T11:52:21.156209] Reading shared object for a candidate module; path='/usr/lib64/syslog-ng', fname='libadd-contextual-data.so', module='add-contextual-data' [2021-04-07T11:52:21.156308] Registering candidate plugin; module='add-contextual-data', context='parser', name='add_contextual_data' [2021-04-07T11:52:21.156434] Finishing include; filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', depth='2' [2021-04-07T11:52:21.156450] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156674] Finishing include; filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', depth='2' [2021-04-07T11:52:21.156687] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156832] Finishing include; filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', depth='2' [2021-04-07T11:52:21.156841] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156931] Finishing include; filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', depth='2' [2021-04-07T11:52:21.156943] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157022] Finishing include; filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', depth='2' [2021-04-07T11:52:21.157029] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157074] Finishing include; filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', depth='2' [2021-04-07T11:52:21.157078] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157107] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1' [2021-04-07T11:52:21.157109] Finishing include; filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2' [2021-04-07T11:52:21.157114] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157173] Finishing include; filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', depth='2' [2021-04-07T11:52:21.157179] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157232] Finishing include; filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', depth='2' [2021-04-07T11:52:21.157236] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157262] Included file was skipped because of a missing module; module='mod-java', location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1' [2021-04-07T11:52:21.157264] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', depth='2' [2021-04-07T11:52:21.157269] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157309] Global value changed; define='kafka-implementation', value='kafka-java' [2021-04-07T11:52:21.157328] Finishing include; filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2' [2021-04-07T11:52:21.157336] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157375] Finishing include; filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', depth='2' [2021-04-07T11:52:21.157379] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157493] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.157512] Finishing include; filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', depth='2' [2021-04-07T11:52:21.157519] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157559] Finishing include; filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2' [2021-04-07T11:52:21.157565] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157597] Included file was skipped because of a missing module; module='pacctformat', location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1' [2021-04-07T11:52:21.157600] Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' [2021-04-07T11:52:21.157605] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157905] Finishing include; filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', depth='2' [2021-04-07T11:52:21.157919] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', depth='2' [2021-04-07T11:52:21.157969] Global value changed; define='balabit.credit-card-regexp', value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})' [2021-04-07T11:52:21.157998] Finishing include; filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', 
depth='2' [2021-04-07T11:52:21.158007] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158073] Finishing include; filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', depth='2' [2021-04-07T11:52:21.158079] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158120] Finishing include; filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', depth='2' [2021-04-07T11:52:21.158131] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161593] Finishing include; filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2' [2021-04-07T11:52:21.161620] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161724] Finishing include; filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', depth='2' [2021-04-07T11:52:21.161729] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161803] Module loaded and initialized successfully; module='confgen' [2021-04-07T11:52:21.161808] Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' [2021-04-07T11:52:21.161815] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161853] Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' [2021-04-07T11:52:21.161860] Starting to read include file; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161951] Finishing include; filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', depth='2' [2021-04-07T11:52:21.161964] Starting to read include file; 
filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162008] Finishing include; filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', depth='2' [2021-04-07T11:52:21.162024] Global value changed; define='java-module-dir', value='/usr/lib64/syslog-ng/java-modules' [2021-04-07T11:52:21.162028] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1' [2021-04-07T11:52:21.162157] Module loaded and initialized successfully; module='system-source' [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log device; device='/dev/kmsg', format='linux-kmsg' [2021-04-07T11:52:21.162403] Module loaded and initialized successfully; module='afsocket' [2021-04-07T11:52:21.162936] Module loaded and initialized successfully; module='affile' [2021-04-07T11:52:21.163175] Module loaded and initialized successfully; module='kvformat' [2021-04-07T11:52:21.163192] Finishing include; content='block parser iptables-parser() at /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23', depth='3' [2021-04-07T11:52:21.163568] Module loaded and initialized successfully; module='csvparser' [2021-04-07T11:52:21.164457] Finishing include; content='block parser panos-parser() at /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29', depth='3' [2021-04-07T11:52:21.164880] Module loaded and initialized successfully; module='basicfuncs' [2021-04-07T11:52:21.164936] Finishing include; content='block parser sudo-parser() at /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23', depth='3' [2021-04-07T11:52:21.164995] Finishing include; content='parser generator app-parser', depth='2' [2021-04-07T11:52:21.165016] Finishing include; content='source generator system', depth='1' [2021-04-07T11:52:21.165525] Module loaded and initialized successfully; module='syslogformat' [2021-04-07T11:52:21.165711] Module loaded and initialized successfully; module='linux-kmsg-format' [2021-04-07T11:52:21.165966] Running application 
hooks; hook='1'
[2021-04-07T11:52:21.165971] Running application hooks; hook='6'
[2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1'
[2021-04-07T11:52:21.165989] Running application hooks; hook='2'
[2021-04-07T11:52:39.961046] Running application hooks; hook='3'
[2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1'
[2021-04-07T11:52:40.061679] Running application hooks; hook='4'
-----------------------------------------------------------------------------
On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
can you start syslog-ng in the foreground and look at the startup messages?
e.g. stop the background process (via systemd or your init system), and run syslog-ng from a root prompt:
# /usr/sbin/syslog-ng -Fedv
This should start syslog-ng in the foreground (-F), direct internal messages to stderr (-e), and enable debug/verbose messages. Then look at the messages to see if syslog-ng is complaining about your configuration or not.
Cheers, Bazsi
On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan@newideatest.site> <mailto:dan@newideatest.site> wrote:
Don't know how that slipped in there. And syslog-ng never mentioned it. It's fixed now, and the behavior is unchanged. sshd messages still appear in /var/log/messages.
On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
On Wed, Apr 7, 2021, 08:06 Dan Egli <dan@newideatest.site> <mailto:dan@newideatest.site> wrote:
> No joy. I tried swapping it different ways.
>
> filter -> source -> destination = combined
> source -> filter -> destination = combined
>
> Here's what my config looks like now, after the second variant:
>
> @version: 3.30
>
> @include "scl.conf"
>
> options {
>     threaded(yes);
>     chain_hostnames(no);
>     stats_freq(43200);
>     mark_freq(3600);
> };
>
> source src { system(); internal(); };
>
> filter samba { program("samba"); };
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
> destination smb_logs { file("/var/log/samba/samba.log"); };
>
> log { source(src); filter(samba); destination(smb_logs); flags(final); );
>
You are using a closing paren instead of a brace. This config has a syntax error. Possibly syslog-ng fell back to the original config once it reported a syntax error.
> log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
> log { source(src); filter(syslog); destination(console); };
> log { source(src); filter(syslog); destination(messages); };
>
> Still, sshd messages are appearing in /var/log/messages.
>
> On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> > Hello,
> >
> > The order in the configuration matters.
> > log { source(src); destination(console); filter(syslog); };
> > The message flow is the following in your example: source(src) -> destination(console) -> filter(syslog) -> void
> > The filter receives messages only after destination, if you switch filter and destination it should be fine.
> >
> > --
> > kokan
>
______________________________________________________________________________ Member info:https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation:http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ:http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
-- Bazsi
I'm still hoping someone on this list can help me out. My syslog-ng configuration seems to be mixing things up. I am TRYING to separate things, so that anything from sshd goes to /var/log/sshd/sshd.log, anything from samba goes to /var/log/samba/log.samba, and anything ELSE hitting the syslog is going to /var/log/messages. My problem is, the sshd log seems to be picking up samba messages, and the main log (/var/log/messages) is picking up them BOTH. But I have filters in my config to say this one, not that one.

If anyone is willing to help me out, the following files are live on my web server:

https://www.newideatest.site/syslog-conf      The current syslog-ng.conf
https://www.newideatest.site/system_log       Current /var/log/messages
https://www.newideatest.site/syslog-ng-debug  The debug output from the current instance of syslog-ng -Fdav

These files are direct links to the actual files, so whatever you see there is exactly what is there at the moment you check. Please help?
On Thu, Apr 08, 2021 at 06:04:13PM -0600, Dan Egli wrote:
> I'm still hoping someone on this list can help me out. My syslog-ng
> configuration seems to be mixing things up. I am TRYING to separate
> things, so that anything from sshd goes to /var/log/sshd/sshd.log,
> anything from samba goes to /var/log/samba/log.samba, and anything ELSE
> hitting the syslog is going to /var/log/messages. My problem is, the sshd
> log seems to be picking up samba messages, and the main log
> (/var/log/messages) is picking up them BOTH. But I have filters in my
> config to say this one, not that one.
>
> If anyone is willing to help me out, the following files are live on my
> web server: https://www.newideatest.site/syslog-conf The current
There is a typo in your config: program("ssdhd")
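Putting the thread's findings together, here is a log path layout that does what the original poster describes. This is an added example, not a configuration posted in the thread: it keeps the poster's file paths and options, but the filter names, the anchored program() patterns and the assumption that Samba daemons log under the names smbd, nmbd and winbindd (rather than "samba") are mine and should be checked against what actually shows up in /var/log/messages on the box.

```conf
# Added example (not from the thread): route sshd and Samba messages to
# their own files and everything else to /var/log/messages.
@version: 3.30
@include "scl.conf"

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

# program() is a regular expression matched against the program name in the
# message header, so it must be spelled exactly as the daemon reports it:
# a misspelling such as "ssdhd" matches nothing, every sshd message falls
# through to the catch-all paths, and nothing warns you about it.
# Anchoring with ^...$ avoids accidental substring matches.
# ASSUMPTION: Samba logs as smbd/nmbd/winbindd, not as "samba".
filter f_sshd  { program("^sshd$" type(pcre)); };
filter f_samba { program("^(smbd|nmbd|winbindd)$" type(pcre)); };

destination d_sshd     { file("/var/log/sshd/sshd.log"); };
destination d_samba    { file("/var/log/samba/samba.log"); };
destination d_messages { file("/var/log/messages"); };
destination d_console  { file("/dev/tty12"); };

# The elements of a log statement are evaluated in the order written, so
# the filter must come BEFORE the destination; a destination listed first
# receives every message regardless of the filter that follows it.
# flags(final) stops messages that matched this path from reaching the
# later paths, so the catch-all paths need no "not filter(...)" negation.
log { source(src); filter(f_sshd);  destination(d_sshd);  flags(final); };
log { source(src); filter(f_samba); destination(d_samba); flags(final); };

# Everything not claimed by a final path above.
log { source(src); destination(d_console); };
log { source(src); destination(d_messages); };
```

Two checks are worth running after any change like this. `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` parses the file without starting the daemon and catches stray brackets such as the `);` that closes the first log statement in the posted config. Then `logger -t sshd -p auth.info "routing test"` injects a message tagged as sshd through the system() source; it should appear in /var/log/sshd/sshd.log and not in /var/log/messages, and a second run with a made-up tag should land only in /var/log/messages. Note that the original facility("AUTH") and level("INFO") filter is broader than sshd alone: sudo, su, login and PAM all log to the auth facility, so matching on the program name is what actually isolates sshd.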
participants (6)
- Balazs Scheidler
- Dan Egli
- Fabien Wernli
- Peter Kokai (pkokai)
- SZALAY Attila
- SZIGETVÁRI János