can't figure out how to convert syslog.conf entry to syslog-ng
I have the following syslog.conf entry on my linux server:

*.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none /var/log/messages

The syslog2ng script converts it to this:

destination d_mesg { file("/var/log/messages"); };
filter f_1 { level(info..emerg); };
filter f_2 { not facility(mail); };
filter f_3 { facility(mail) and level(err..emerg); };
filter f_4 { not facility(authpriv); };
filter f_5 { not facility(auth); };
filter f_6 { facility(auth) and level(warning..emerg); };
filter f_7 { not facility(cron); };
filter f_8 { facility(cron) and level(warning..emerg); };
filter f_9 { not facility(local0); };
log { source(local); filter(f_1); filter(f_2); filter(f_3); filter(f_4); filter(f_5); filter(f_6); filter(f_7); filter(f_8); filter(f_9); destination(d_mesg); };

Problem: this doesn't work; the above syslog-ng.conf entry doesn't send any messages to /var/log/messages. I know syslog-ng is working because other entries in the config file do catch messages as they should.

I've narrowed it down to something with the compound filter statements. If I remove f_3, f_6, and f_8, the entry starts working.

Works correctly on regular syslog. syslog-ng version 1.6.5.

Thanks,
P.
--
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com
On Mon, 27.12.2004 at 15:02, Philip J. Hollenback wrote:
I have the following syslog.conf entry on my linux server:
[...]
filter f_2 { not facility(mail); };
filter f_3 { facility(mail) and level(err..emerg); };
[...]
log { source(local); filter(f_1); filter(f_2); filter(f_3); filter(f_4); filter(f_5); filter(f_6); filter(f_7); filter(f_8); filter(f_9); destination(d_mesg); };
The message from source has to match ALL filters (AND'd together) to be logged to destination. That's at least what I read from chapter 2 (log paths) of the reference manual.
Problem: this doesn't work; the above syslog-ng.conf entry doesn't send any messages to /var/log/messages.
(facility(mail)) AND (not facility(mail)) = {}
[...]
I've narrowed it down to something with the compound filter statements. If I remove f_3, f_6, and f_8, the entry starts working.
You could perhaps define a log{} statement for each filter rule.
Thanks, P.
HTH
Wolfgang
--
Wolfgang Braun <wolfgang.braun@gmx.de>, Dipl. Inform. (FH)
gpg-key: 1024D/4B32CE55
On Mon, 2004-12-27 at 09:02 -0500, Philip J. Hollenback wrote:
I have the following syslog.conf entry on my linux server:
*.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none /var/log/messages
The syslog2ng script converts it to this:
destination d_mesg { file("/var/log/messages"); };
filter f_1 { level(info..emerg); };
filter f_2 { not facility(mail); };
filter f_3 { facility(mail) and level(err..emerg); };
filter f_4 { not facility(authpriv); };
filter f_5 { not facility(auth); };
filter f_6 { facility(auth) and level(warning..emerg); };
filter f_7 { not facility(cron); };
filter f_8 { facility(cron) and level(warning..emerg); };
filter f_9 { not facility(local0); };
log { source(local); filter(f_1); filter(f_2); filter(f_3); filter(f_4); filter(f_5); filter(f_6); filter(f_7); filter(f_8); filter(f_9); destination(d_mesg); };
Problem: this doesn't work; the above syslog-ng.conf entry doesn't send any messages to /var/log/messages. I know syslog-ng is working because other entries in the config file do catch messages as they should.
I've narrowed it down to something with the compound filter statements. If I remove f_3, f_6, and f_8, the entry starts working.
Note that syslog-ng ANDs the filter expressions listed in your log statement. E.g. while syslogd ORs them, syslog-ng ANDs them.

In f_3 you require facility(mail) while in f_2 you explicitly disallow it via not.

Maybe you should construct a single filter expression ORing the conditions in the original syslog.conf entry.
Thanks for the pointers! I was able to code this entry up as follows:

filter f_mesg {
    level(info..emerg)
    and not facility(authpriv,local0)
    and not (facility(mail) and level(debug..notice))
    and not (facility(auth,cron) and level(debug..notice));
};

and that works great.

Thanks,
P.

On 12/27/04, Balazs Scheidler wrote:
On Mon, 2004-12-27 at 09:02 -0500, Philip J. Hollenback wrote:
I have the following syslog.conf entry on my linux server:
*.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none /var/log/messages
The syslog2ng script converts it to this:
destination d_mesg { file("/var/log/messages"); };
filter f_1 { level(info..emerg); };
filter f_2 { not facility(mail); };
filter f_3 { facility(mail) and level(err..emerg); };
filter f_4 { not facility(authpriv); };
filter f_5 { not facility(auth); };
filter f_6 { facility(auth) and level(warning..emerg); };
filter f_7 { not facility(cron); };
filter f_8 { facility(cron) and level(warning..emerg); };
filter f_9 { not facility(local0); };
log { source(local); filter(f_1); filter(f_2); filter(f_3); filter(f_4); filter(f_5); filter(f_6); filter(f_7); filter(f_8); filter(f_9); destination(d_mesg); };
Problem: this doesn't work; the above syslog-ng.conf entry doesn't send any messages to /var/log/messages. I know syslog-ng is working because other entries in the config file do catch messages as they should.
I've narrowed it down to something with the compound filter statements. If I remove f_3, f_6, and f_8, the entry starts working.
Note that syslog-ng ANDs the filter expressions listed in your log statement. E.g. while syslogd ORs them, syslog-ng ANDs them.
In f_3 you require facility(mail) while in f_2 you explicitly disallow it via not.
Maybe you should construct a single filter expression ORing the conditions in the original syslog.conf entry.
--
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com
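
Added example, not part of the original thread and not syslog-ng code: a small Python model that turns the syslog.conf selector and the syslog-ng filters quoted above into sets of (facility, level) pairs, so a converted rule can be checked against the original before it decides what reaches /var/log/messages. The helper names (selector_matches, filter_matches, and_, not_) and the left-to-right selector model are assumptions made for this illustration.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def selector_matches(selector):
    """Pairs accepted by a syslog.conf selector. Assumed model: entries apply left
    to right, 'fac.lvl' adds lvl and anything more severe, 'fac.none' clears."""
    mask = {f: set() for f in FACILITIES}
    for entry in selector.split(";"):
        fac, lvl = entry.split(".")
        keep = None if lvl == "none" else set(LEVELS[:LEVELS.index(lvl) + 1])
        for f in (FACILITIES if fac == "*" else fac.split(",")):
            mask[f] = set() if keep is None else mask[f] | keep
    return {(f, l) for f in mask for l in mask[f]}

def level(lo, hi):
    """syslog-ng level(lo..hi), treated as an inclusive severity range."""
    a, b = sorted((LEVELS.index(lo), LEVELS.index(hi)))
    return lambda f, l: a <= LEVELS.index(l) <= b

def facility(*names):
    return lambda f, l: f in names

def not_(p):
    return lambda f, l: not p(f, l)

def and_(*ps):
    return lambda f, l: all(p(f, l) for p in ps)

def filter_matches(pred):
    return {(f, l) for f in FACILITIES for l in LEVELS if pred(f, l)}

SELECTOR = ("*.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;"
            "cron.none;cron.warning;local0.none")
# f_1 .. f_9 from the generated config, ANDed as a log statement does.
GENERATED = and_(
    level("info", "emerg"), not_(facility("mail")),
    and_(facility("mail"), level("err", "emerg")), not_(facility("authpriv")),
    not_(facility("auth")), and_(facility("auth"), level("warning", "emerg")),
    not_(facility("cron")), and_(facility("cron"), level("warning", "emerg")),
    not_(facility("local0")))
# The single filter f_mesg from the final message.
F_MESG = and_(
    level("info", "emerg"), not_(facility("authpriv", "local0")),
    not_(and_(facility("mail"), level("debug", "notice"))),
    not_(and_(facility("auth", "cron"), level("debug", "notice"))))

if __name__ == "__main__":
    print("generated accepts:", sorted(filter_matches(GENERATED)))
    print("f_mesg vs selector:", sorted(filter_matches(F_MESG) ^ selector_matches(SELECTOR)))
```

Under this model the nine ANDed filters accept no pair at all, and f_mesg differs from the selector only on mail.warning, which mail.err in the selector leaves out.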