Hello to All

I want to redirect messages from smbd and nmbd to another logfile. I have:

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
destination d_smbd { file("/var/log/smbd"); };

filter f_smbd { program("smbd.*") or match("smbd"); };
filter f_nmbd { program("nmbd.*") or match("nmbd"); };

log { source(src); filter(f_smbd); destination(d_smbd); };
log { source(src); filter(f_nmbd); destination(d_smbd); };
log { source(src); destination(messages); };

but messages like:

Feb 18 15:02:57 gate smbd[1089]: [2005/02/18 15:02:57, 0] lib/util_sock.c:get_peer_addr(1000)
Feb 18 15:02:57 gate smbd[1089]: getpeername failed. Error was Transport endpoint is not connected

or

Feb 18 15:04:14 gate nmbd[15845]: [2005/02/18 15:04:14, 0] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(693)
Feb 18 15:04:14 gate nmbd[15845]: process_get_backup_list_request: domain list requested for workgroup MASSNET and I am not a local master browser.

are still going to /var/log/messages... what's wrong?

-- 
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78
Denis,

I'm no expert at this yet, but I think the problem is that the regular syslog rule matches and it's writing the result to more than one place. This is entirely possible.

As an example, here's what I did to stop that in my rule that logs iptables hits to a different file on linux:

destination d_iptables { file("/var/log/iptables"); };
destination d_mesg { file("/var/log/messages"); };

filter f_iptables { match("Inbound"); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron) and not match("Inbound"); };

log { source(s_sys); filter(f_iptables); destination(d_iptables); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };

Note the "not match" that excludes the Inbound events from going to syslog.

There may be a better way to do this, but it works for me so far.

-Mike

Denis Kot wrote:

Hello to All

I want to redirect messages from smbd and nmbd to another logfile. I have:

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
destination d_smbd { file("/var/log/smbd"); };

filter f_smbd { program("smbd.*") or match("smbd"); };
filter f_nmbd { program("nmbd.*") or match("nmbd"); };

log { source(src); filter(f_smbd); destination(d_smbd); };
log { source(src); filter(f_nmbd); destination(d_smbd); };
log { source(src); destination(messages); };

but messages like:

Feb 18 15:02:57 gate smbd[1089]: [2005/02/18 15:02:57, 0] lib/util_sock.c:get_peer_addr(1000)
Feb 18 15:02:57 gate smbd[1089]: getpeername failed. Error was Transport endpoint is not connected

or

Feb 18 15:04:14 gate nmbd[15845]: [2005/02/18 15:04:14, 0] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(693)
Feb 18 15:04:14 gate nmbd[15845]: process_get_backup_list_request: domain list requested for workgroup MASSNET and I am not a local master browser.

are still going to /var/log/messages... what's wrong?
so I must create a filter something like

filter f_filer { not filter(f_smbd); };

and put this filter in a log statement?

On Fri, 18 Feb 2005 11:11:49 -0500, Mike Pepe <lamune@doki-doki.net> wrote:

Denis,

I'm no expert at this yet, but I think the problem is that the regular syslog rule matches and it's writing the result to more than one place. This is entirely possible.

As an example, here's what I did to stop that in my rule that logs iptables hits to a different file on linux:

destination d_iptables { file("/var/log/iptables"); };
destination d_mesg { file("/var/log/messages"); };

filter f_iptables { match("Inbound"); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron) and not match("Inbound"); };

log { source(s_sys); filter(f_iptables); destination(d_iptables); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };

Note the "not match" that excludes the Inbound events from going to syslog.

There may be a better way to do this, but it works for me so far.

-Mike
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

-- 
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78
Yes, that's the right idea.

For example, I have something like...

destination samba_log_smbd { file("/var/log/samba/smbd.log"); };
destination samba_log_nmbd { file("/var/log/samba/nmbd.log"); };
destination messages { file("/var/log/messages/messages"); };

filter f_samba_smbd { program("smbd.*"); };
filter f_samba_nmbd { program("nmbd.*"); };
filter f_messages {
    level(info .. warn)
    and not facility(auth, authpriv, cron, daemon, mail, news)
    and not filter(f_iptableslog)
    and not filter(f_samba_smbd)
    and not filter(f_samba_nmbd);
};

On Fri, Feb 18, 2005 at 11:05:59PM +0200, Denis Kot wrote:

so I must create a filter something like

filter f_filer { not filter(f_smbd); };

and put this filter in a log statement?

On Fri, 18 Feb 2005 11:11:49 -0500, Mike Pepe <lamune@doki-doki.net> wrote:

Denis,

I'm no expert at this yet, but I think the problem is that the regular syslog rule matches and it's writing the result to more than one place. This is entirely possible.

As an example, here's what I did to stop that in my rule that logs iptables hits to a different file on linux:

destination d_iptables { file("/var/log/iptables"); };
destination d_mesg { file("/var/log/messages"); };

filter f_iptables { match("Inbound"); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron) and not match("Inbound"); };

log { source(s_sys); filter(f_iptables); destination(d_iptables); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };

Note the "not match" that excludes the Inbound events from going to syslog.

There may be a better way to do this, but it works for me so far.

-Mike
-- 
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.407.970.0280
# Web = http://www.opendreams.net/jesse/
That works nicely, but I think flags(final) makes life even easier! It gets rid of a lot of the "and not" stuff.

Jesse Molina wrote:

Yes, that's the right idea.

For example, I have something like...

destination samba_log_smbd { file("/var/log/samba/smbd.log"); };
destination samba_log_nmbd { file("/var/log/samba/nmbd.log"); };
destination messages { file("/var/log/messages/messages"); };

filter f_samba_smbd { program("smbd.*"); };
filter f_samba_nmbd { program("nmbd.*"); };
filter f_messages {
    level(info .. warn)
    and not facility(auth, authpriv, cron, daemon, mail, news)
    and not filter(f_iptableslog)
    and not filter(f_samba_smbd)
    and not filter(f_samba_nmbd);
};

On Fri, Feb 18, 2005 at 11:05:59PM +0200, Denis Kot wrote:

so I must create a filter something like

filter f_filer { not filter(f_smbd); };

and put this filter in a log statement?
It's simpler than all that, just use the final flag:

log { source(src); filter(f_smbd); destination(d_smbd); flags(final); };
log { source(src); destination(messages); };

-- 
Nate

"I had to quit my job to have time to read my email." - Curry, Adam [MTV Host and net.legend] his occasional signature quote
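To see what each configuration in this thread actually does to a message, here is a small Python model of syslog-ng's log-path evaluation. It is an added example, not code from the thread or from syslog-ng itself, and it models only the semantics the thread relies on: log statements are evaluated in order, every statement whose filters match delivers the message to its destinations, and flags(final) stops further statements from seeing a message once one has matched it. It reuses the thread's names (f_smbd, f_nmbd, d_smbd, messages) and plays Denis's original statements, Nate's flags(final) version, that same version with the catch-all mistakenly placed first, and the "not filter(...)" exclusion Mike and Jesse use; the three sample messages are constructed after the lines Denis quoted, and the helper names (route, either, none_of, the *_config functions) are my own.

```python
"""Model of syslog-ng log-path evaluation (added illustration, not syslog-ng code).

Only the subset of semantics the thread relies on is modelled:
  * log statements are evaluated in the order they appear;
  * every log statement whose filters all match delivers the message to
    its destinations, so one message can land in several files;
  * flags(final) on a log statement stops processing of a message once
    that statement has matched it.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    program: str   # the syslog program name, e.g. "smbd"
    text: str      # the message body


@dataclass
class LogPath:
    filters: list        # callables Message -> bool; empty list = match everything
    destinations: list   # destination names, e.g. "d_smbd"
    final: bool = False  # models flags(final)


def program(pattern):
    """filter program("regex"): regex applied to the program name."""
    rx = re.compile(pattern)
    return lambda m: rx.match(m.program) is not None


def match(pattern):
    """filter match("regex"): regex searched in the message text."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m.text) is not None


def either(*fs):
    """a or b"""
    return lambda m: any(f(m) for f in fs)


def none_of(*fs):
    """not filter(a) and not filter(b) ..."""
    return lambda m: not any(f(m) for f in fs)


# Denis's filters, with the program()/match() arguments quoted as syslog-ng expects.
f_smbd = either(program("smbd.*"), match("smbd"))
f_nmbd = either(program("nmbd.*"), match("nmbd"))

# Constructed sample traffic: two Samba lines modelled on the thread, plus one
# unrelated cron line that should only ever reach /var/log/messages.
SAMPLE = [
    Message("smbd", "getpeername failed. Error was Transport endpoint is not connected"),
    Message("nmbd", "process_get_backup_list_request: domain list requested for "
                    "workgroup MASSNET and I am not a local master browser."),
    Message("crond", "(root) CMD (run-parts /etc/cron.hourly)"),
]


def route(paths, messages):
    """Return {destination: [message texts]} produced by evaluating paths in order."""
    delivered = {}
    for msg in messages:
        for path in paths:
            if all(f(msg) for f in path.filters):
                for dest in path.destinations:
                    delivered.setdefault(dest, []).append(msg.text)
                if path.final:
                    break  # flags(final): no later log statement sees this message
    return delivered


def original_config():
    """Denis's three log statements: the catch-all excludes nothing, so Samba lines fan out."""
    return [LogPath([f_smbd], ["d_smbd"]),
            LogPath([f_nmbd], ["d_smbd"]),
            LogPath([], ["messages"])]


def final_flag_config():
    """Nate's fix: flags(final) on the specific statements, catch-all last."""
    return [LogPath([f_smbd], ["d_smbd"], final=True),
            LogPath([f_nmbd], ["d_smbd"], final=True),
            LogPath([], ["messages"])]


def misordered_final_config():
    """Same flags, catch-all first: final cannot undo a delivery that already happened."""
    return [LogPath([], ["messages"]),
            LogPath([f_smbd], ["d_smbd"], final=True),
            LogPath([f_nmbd], ["d_smbd"], final=True)]


def exclusion_config():
    """Mike's and Jesse's approach: the catch-all filter excludes what the specific filters match."""
    return [LogPath([f_smbd], ["d_smbd"]),
            LogPath([f_nmbd], ["d_smbd"]),
            LogPath([none_of(f_smbd, f_nmbd)], ["messages"])]


if __name__ == "__main__":
    for name, cfg in [("original", original_config), ("final", final_flag_config),
                      ("misordered final", misordered_final_config),
                      ("exclusion", exclusion_config)]:
        print(name)
        for dest, texts in route(cfg(), SAMPLE).items():
            print(f"  {dest}: {len(texts)} message(s)")
```

Running it prints how many messages each destination receives under each configuration: the original sends both Samba lines to /var/log/smbd and to /var/log/messages, while the flags(final) and exclusion versions leave only the cron line in /var/log/messages. The misordered case is the caveat to keep in mind with flags(final): it only stops later log statements from seeing a message, so the catch-all that writes /var/log/messages has to come after the Samba-specific statements, and both the smbd and the nmbd statement need the flag.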
participants (4)
- Denis Kot
- Jesse Molina
- Mike Pepe
- Nate Campi