You could not reproduce it? Maybe it is specific to my platform then: PC Debian Woody (up to date), syslog-ng deb package version 1.4.10-1.

Here are more details on my setup and results, and I attach my complete syslog-ng.conf (only the beginning of my syslog-ng.conf differs from Debian's default config), and a full piece of 'try.log'.

-------------------
filter f_tunnel { program("tunnel"); };
filter f_dhcp { program("dhcp"); };
filter f_squid { program("squid"); };
filter f_ssh { facility(local3); };
filter f_separe { program("(tunnel)|(dhcp)|(squid)"); };
filter f_try { filter(f_separe) or filter(f_ssh); };

log { source(src); filter(f_ssh); destination(sshlog); };
log { source(src); filter(f_separe); destination(separelog); };
log { source(src); filter(f_try); destination(trylog); };
-------------------

-----------
ssh.log is ok (full of sshd messages...)

----- separe.log : all right (dhcp, squid and stunnel messages only.)
Jan 19 16:13:41 zamok dhcpd-2.2.x: DHCPACK on 138.231.138.32 to 52:54:05:f5:26:39 via eth0
Jan 19 16:14:17 zamok stunnel[6495]: Connection closed: 191 bytes sent to SSL, 39 bytes sent to socket
Jan 19 16:14:21 zamok stunnel[6500]: tunnel-pop connected from 212.232.35.241:3636
Jan 19 16:14:26 zamok stunnel[6500]: Connection closed: 938 bytes sent to SSL, 69 bytes sent to socket
Jan 19 16:14:32 zamok stunnel[6514]: tunnel-pop connected from 138.231.137.11:1663

----- try.log : how come? (chosen bits:)
Jan 19 16:13:33 zamok syslog-ng[6453]: syslog-ng version 1.4.10 starting
Jan 19 16:13:33 zamok imapd[6455]: connect from kino.crans.org
Jan 19 16:13:35 zamok imapd[6458]: Logout user=szakacs host=localhost.crans.org [127.0.0.1]
Jan 19 16:13:37 zamok sshd2[386]: connection from "138.231.137.199"
Jan 19 16:13:37 zamok sshd[6460]: log: Generating 768 bit RSA key.
Jan 19 16:14:17 zamok cucipop[6496]: arlais 127.0.0.1 0, 0 (0), 0 (0)
Jan 19 16:14:17 zamok stunnel[6495]: Connection closed: 191 bytes sent to SSL, 39 bytes sent to socket

Can you see where the problem comes from? That would be very helpful for me to be able to use 'or' correctly.

-- 
Sam
On Fri, Jan 19, 2001 at 04:36:39PM +0100, Samuel Krempp wrote:
> You could not reproduce it? Maybe it is specific to my platform then: PC Debian Woody (up to date), syslog-ng deb package version 1.4.10-1.
> 
> Here are more details on my setup and results, and I attach my complete syslog-ng.conf (only the beginning of my syslog-ng.conf differs from Debian's default config), and a full piece of 'try.log'.
> 
> (chosen bits:)
> Jan 19 16:13:33 zamok syslog-ng[6453]: syslog-ng version 1.4.10 starting
> Jan 19 16:13:33 zamok imapd[6455]: connect from kino.crans.org
> Jan 19 16:13:35 zamok imapd[6458]: Logout user=szakacs host=localhost.crans.org [127.0.0.1]
> Jan 19 16:13:37 zamok sshd2[386]: connection from "138.231.137.199"
> Jan 19 16:13:37 zamok sshd[6460]: log: Generating 768 bit RSA key.
> Jan 19 16:14:17 zamok cucipop[6496]: arlais 127.0.0.1 0, 0 (0), 0 (0)
> Jan 19 16:14:17 zamok stunnel[6495]: Connection closed: 191 bytes sent to SSL, 39 bytes sent to socket
As I see in your config, everything logging under local3 is sent to trylog. Might that be a problem? I tried the following configuration and messages and everything was logged correctly:

---- syslog-ng.conf ----
source src { internal(); tcp(localport(1999)); };

destination allmsg { file("allmsg"); };
destination trylog { file("trylog"); };

filter f_ssh { facility(local3); };
filter f_separe { program("(tunnel)|(dhcp)|(squid)"); };
filter f_try { filter(f_separe) or filter(f_ssh); };

log { source(src); destination(allmsg); };
log { source(src); filter(f_try); destination(trylog); };
--------

#test1
balabit:~/src/syslog-ng-1.5/src$ echo "<152> This is local3.emerg message" | nc localhost 1999
balabit:~/src/syslog-ng-1.5/src$ cat allmsg
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
balabit:~/src/syslog-ng-1.5/src$ cat trylog
Jan 29 10:59:10 localhost/localhost This is local3.emerg message

Thus the message passed the f_try() filter.

#test2
A message with tunnel in the program name and with facility != local3:
balabit:~/src/syslog-ng-1.5/src$ echo "Jan 19 16:14:32 zamok stunnel[6514]: tunnel-pop connected from" | nc localhost 1999
balabit:~/src/syslog-ng-1.5/src$ cat allmsg
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from
balabit:~/src/syslog-ng-1.5/src$ cat trylog
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from

This passed the filter as well.

#test3
Now a message with facility != local3, and not matching program name:
balabit:~/src/syslog-ng-1.5/src$ echo "Jan 19 16:14:32 zamok krixkrax[6514]: tunnel-pop connected from" | nc localhost 1999
balabit:~/src/syslog-ng-1.5/src$ cat allmsg
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from
Jan 19 16:14:32 zamok/localhost krixkrax[6514]: tunnel-pop connected from
balabit:~/src/syslog-ng-1.5/src$ cat trylog
Jan 29 10:59:10 localhost/localhost This is local3.emerg message
Jan 19 16:14:32 zamok/localhost stunnel[6514]: tunnel-pop connected from

So this one did not go through, which is the correct behaviour.

My system is running Debian GNU/Linux potato r2.2.

You might strace the programs sending those messages and check which facility they really use. (Though if they use local3, the messages should've shown up in ssh.log as well.)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
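The two things this exchange turns on are the numeric PRI header that the nc tests inject (152 is local3.emerg because PRI = facility * 8 + severity, and local3 is facility 19) and what the posted filters should route where. The Python below is an added model of that, not code from syslog-ng or from either poster: it parses the RFC 3164 PRI and program name from a raw line, evaluates Sam's three filters, and returns the destinations his three log statements would feed. It assumes RFC 3164's default of <13> (user.notice) for a line that arrives without a PRI header and treats program() as an unanchored regular-expression match, which is why "tunnel" catches stunnel. The sample lines are constructed from the thread; the last one re-tags the imapd line as local3.info, the case Bazsi's facility check is meant to surface.

```python
"""Model of the syslog-ng filter logic discussed in this thread (added example)."""
import re

# RFC 3164 facility codes; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}

# RFC 3164 default for a message without a <PRI> header: <13> = user.notice.
# Assumption: the receiving syslog-ng applies the same default.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")
# "Mon DD HH:MM:SS host program[pid]: message" -- program ends at '[' or ':'
BSD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:"
)


def pri(facility, severity):
    """Encode a facility/severity pair into the numeric PRI value."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(value):
    """Split a numeric PRI into (facility_name, severity_name)."""
    fac = value // 8
    return FACILITY_NAMES.get(fac, "facility%d" % fac), SEVERITIES[value % 8]


def parse(line):
    """Return facility, severity and program name for one raw syslog line."""
    m = PRI_RE.match(line)
    if m:
        pri_value = int(m.group(1))
        rest = line[m.end():].lstrip()
    else:
        pri_value = DEFAULT_PRI
        rest = line
    facility, severity = decode_pri(pri_value)
    b = BSD_RE.match(rest)
    program = b.group("prog") if b else ""
    return {"facility": facility, "severity": severity, "program": program, "text": rest}


# The three filters from the posted config.
def f_ssh(msg):
    return msg["facility"] == "local3"


def f_separe(msg):
    # program() is a regex match against the program name only, not the message text.
    return re.search(r"(tunnel)|(dhcp)|(squid)", msg["program"]) is not None


def f_try(msg):
    return f_separe(msg) or f_ssh(msg)


def route(line):
    """Destinations the three posted log statements would feed for this line."""
    msg = parse(line)
    dests = set()
    if f_ssh(msg):
        dests.add("sshlog")
    if f_separe(msg):
        dests.add("separelog")
    if f_try(msg):
        dests.add("trylog")
    return dests


# Constructed sample input: the three nc tests from the reply, two lines in the
# shape of Sam's logs (no <PRI>, so they decode to user.notice), and the imapd
# line re-tagged as local3.info.
SAMPLES = [
    "<152> This is local3.emerg message",
    "Jan 19 16:14:32 zamok stunnel[6514]: tunnel-pop connected from",
    "Jan 19 16:14:32 zamok krixkrax[6514]: tunnel-pop connected from",
    "Jan 19 16:13:33 zamok imapd[6455]: connect from kino.crans.org",
    "Jan 19 16:13:41 zamok dhcpd-2.2.x: DHCPACK on 138.231.138.32 to 52:54:05:f5:26:39 via eth0",
    "<158>Jan 19 16:13:33 zamok imapd[6455]: connect from kino.crans.org",
]

if __name__ == "__main__":
    for line in SAMPLES:
        m = parse(line)
        print("%-8s.%-7s prog=%-14r -> %s" % (m["facility"], m["severity"],
                                             m["program"], sorted(route(line))))
```

Running it shows the krixkrax and plain imapd lines reaching no destination at all, while the same imapd text with a local3 PRI lands in both sshlog and trylog; so if a sender really uses local3, its lines must also appear in ssh.log, which is the cross-check in the reply. Note that program() only sees the tag before the colon: "tunnel-pop" in the message body of the krixkrax line does not match.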
participants (2)
-
Balazs Scheidler
-
Samuel Krempp