I don't want to assume anything about how the program deals with messages, so my question is how do messages that match or do not match a filter cascade down? For instance if I have a filter: filter f_test { program('test'); }; and a destination that specific filter, under what conditions would it NOT make it to said destination? What's going on is I log output from a program, but it's making it's way into /var/log/messages, when it should be going to it's own definition /var/log/services/app/app.log. Does the order of log { } make a difference? filters? destinations? I looked around the faq and the reference manual and didn't find anything explaining the process flow. Thanks in advance! Ian
On 10/3/06, Ian Meyer <ianmmeyer@gmail.com> wrote:
I don't want to assume anything about how the program deals with messages, so my question is how do messages that match or do not match a filter cascade down?
For instance if I have a filter: filter f_test { program('test'); }; and a destination that specific filter, under what conditions would it NOT make it to said destination?
Here's what this noob knows (or thinks he knows): They (the filters) work in the order that they appear. A message continues past a log rule unless it MATCHES a log rule with a stop flag configured in it. If there is a catchall file (like messages) all messages will wind up there even if they matched a previous log rule UNLESS that log rule had a stop flag configured. In my case I want a copy of a message sent to a pipe and its own file, and I only want messages from things I didn't know about or hadn't seen before or aren't being monitored that directly to wind up in the catchall file (netmessages in my case). So, if a PIX send me a message the first log rule it hits sends it to a named pipe, then it hits a second log rule that places it in the firewall file and, because that log rule has the stop flag configured, it ends there.
participants (2)
-
Brian Loe
-
Ian Meyer