OK, I assume that this is something stupid I'm doing - but I've stared at the config file for a week, and I'll be darned if I can see it.

I've got a fairly vanilla setup, and I'm trying to send dhcpd, snort, etc. to separate filters, while at the same time keeping one file with all of the error messages. Like so:

#
# log sources
#
source server {
    file("/proc/kmsg");
    unix-stream("/dev/log");
    internal();
};

destination dserver_all { file("/var/log/${HOST}.log" owner(root) group(hobbit) perm(0640)); };
destination dserver_cfengine { file("/var/log/cfengine.log"); };
destination dserver_snort { file("/var/log/snort.log"); };
destination dserver_dhcpd { file("/var/log/dhcpd.log"); };
...
filter fserver_snort { program("snort"); };
filter fserver_dhcpd { program("dhcpd"); };
filter fserver_cfengine { program("cfengine"); };
...
log { source(server); destination(dserver_all); };
log { source(server); filter(fserver_snort); destination(dserver_snort); flags(final); };
log { source(server); filter(fserver_cfengine); destination(dserver_cfengine); flags(final); };
log { source(server); filter(fserver_dhcpd); destination(dserver_dhcpd); flags(final); };

The 'log everything' is working fine. Some of the filtered logs are working fine, like the cfengine log:

[root@saratoga log]# ls -la /var/log/cfengine.log
-rw------- 1 root root 181006 Dec 14 11:15 /var/log/cfengine.log

The dhcpd log is empty:

[root@saratoga log]# ls -la /var/log/dhcpd.log
-rw------- 1 root root 0 Dec 13 02:42 /var/log/dhcpd.log

even though there are entries in the combined log that clearly should have hit the dhcpd log:

[root@saratoga log]# tail /var/log/saratoga.log
Dec 14 11:25:07 saratoga dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Dec 14 11:25:07 saratoga dhcpd: All rights reserved.
Dec 14 11:25:07 saratoga dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Dec 14 11:25:07 saratoga dhcpd: Wrote 22 leases to leases file.
Dec 14 11:25:07 saratoga dhcpd: Listening on LPF/eth3/00:0e:0c:6d:64:cf/192.168.3/24

What in the world am I missing?

Thanks much,

-- tim --

--
Tim Boyer
Denman Tire Corporation

> OK, I assume that this is something stupid I'm doing - but I've stared at the config file for a week, and I'll be darned if I can see it.
I'll answer my own message here, for the record. I was right - it was something stupid.
log { source(server); filter(fserver_dhcpd); destination(dserver_dhcpd); flags(final); };
A few lines before this, I had basically the same thing, except I was filtering the daemon facility, and using 'flags final'. dhcpd gets reported through daemon; it was going to the daemon.log and not ever hitting the dhcpd filter. Guess I should have stared for a week and a half...

-- tim --

--
Tim Boyer
Denman Tire Corporation
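
Added example (not part of the original posts, and not syslog-ng code): a small Python model of the ordering behaviour described in the reply, where a log statement carrying flags(final) stops later statements from seeing a message it matched. The destination name `dserver_daemon`, the reordered layout, and the sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Msg:
    program: str
    facility: str
    text: str

@dataclass
class LogPath:
    dest: str
    match: Callable[[Msg], bool]
    final: bool = False

def route(paths: List[LogPath], msg: Msg) -> List[str]:
    """Destinations msg reaches. Paths run in file order; a matching
    flags(final) path ends processing for that message."""
    hits = []
    for p in paths:
        if p.match(msg):
            hits.append(p.dest)
            if p.final:
                break
    return hits

def shadowed(paths: List[LogPath], msgs: List[Msg]) -> Dict[str, List[str]]:
    """Destination -> messages its filter matches but that never arrive."""
    lost: Dict[str, List[str]] = {}
    for m in msgs:
        reached = route(paths, m)
        for p in paths:
            if p.match(m) and p.dest not in reached:
                lost.setdefault(p.dest, []).append(m.text)
    return lost

everything = LogPath("dserver_all", lambda m: True)
# Assumed: the earlier daemon-facility statement; its destination name is hypothetical.
daemon = LogPath("dserver_daemon", lambda m: m.facility == "daemon", final=True)
cfengine = LogPath("dserver_cfengine", lambda m: m.program == "cfengine", final=True)
dhcpd = LogPath("dserver_dhcpd", lambda m: m.program == "dhcpd", final=True)

BROKEN = [everything, daemon, cfengine, dhcpd]     # facility catch-all first
REORDERED = [everything, cfengine, dhcpd, daemon]  # program filters first

# Constructed sample messages; the cfengine facility is an assumption.
SAMPLES = [Msg("dhcpd", "daemon", "Wrote 22 leases to leases file."),
           Msg("cfengine", "user", "constructed cfengine message")]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("reordered", REORDERED)):
        print(name, [route(cfg, m) for m in SAMPLES], shadowed(cfg, SAMPLES))
```

With the reordered layout the dhcpd line no longer reaches the daemon destination, so `shadowed` reports that instead; whichever final statement matches first is the one that keeps the message.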