Re: syslog-ng Digest, Vol 19, Issue 1
Hi there, On Wed, 1 Nov 2006 Nick Baronian wrote:
2. logs written twice (Nick Baronian)
I set up a syslog-ng server to get logs from various boxes and devices. I think I am a little confused about the correct way to set this up. I am seeing a lot of logs getting written twice.
Is there a way I can duplicate the name schema the remote box is using
I don't know exactly what you mean by that, and I don't think I'd know the answer if I did. :)
[snip]
filter pump_renewal { not program("pumpd") or not level(info,debug); };
filter imap_debug { not program("imapd") or not level(info,debug); };
filter ipop3_debug { not program("ipop3d") or not level(info,debug); };
filter sshd_debug { not program("sshd") or not level(debug); };
filter f_attack_alert { match("attackalert"); };
filter f_ssh_login_attempt { program("sshd.*") and match("(Failed|Accepted)") and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)"); };
[snip]
If I understand what you're trying to do, I don't think you're approaching this the right way at all. Think of a filter as being like a sieve. You keep what's filtered because you want it; you don't throw it away by 'filter'ing it out. Your filter 'sshd_debug' isn't being referenced at all, so it won't give you any output. If I wanted to see ssh debug messages (assuming that the ssh daemon was logging anything at the DEBUG level) then the filter I would use would be something like

filter f_sshd_debug { program("sshd") and level(debug); };
log { source(src); filter(f_sshd_debug); destination(whatever); };

The problem with using 'or' is that

not program("sshd") or not level(debug)

will give you stuff that ISN'T sshd if it also ISN'T debug. Check out De Morgan's theorem on the Web. If I've got the wrong end of the stick here, a flame to my personal email address is in order but one to the list isn't. :)

-- 
73, Ged.
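As an added illustration of Ged's point (this is not code from the thread or from syslog-ng itself), the small Python model below evaluates syslog-ng-style program()/level()/match() filters over a handful of constructed log messages. It shows that the posted 'or' form keeps every message except sshd debug messages, that the 'and' form keeps only those, and that the two are exact complements, which is what De Morgan's theorem says. The program()/match() regex semantics are assumed to mirror syslog-ng's regex-based filter functions; the sample messages and the helper names (and_, or_, not_, apply_filter) are this example's own.

```python
import re

# Constructed sample messages (not taken from the original thread).
# Each tuple is (program, level, message text), the three fields that
# syslog-ng's program(), level() and match() filters test.
SAMPLE_MESSAGES = [
    ("sshd", "debug", "debug1: Forked child 1234."),
    ("sshd", "info", "Accepted publickey for root from 10.4.3.1 port 2222 ssh2"),
    ("sshd", "info", "Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2"),
    ("imapd", "info", "Login user=alice host=mail.example.org"),
    ("cron", "debug", "(root) CMD (run-parts /etc/cron.hourly)"),
    ("kernel", "warning", "attackalert: possible SYN flood on eth0"),
]


# Each filter function returns a predicate over one message tuple.
def program(pattern):
    # syslog-ng's program() takes a regular expression matched against the program name.
    rx = re.compile(pattern)
    return lambda m: rx.search(m[0]) is not None


def level(*levels):
    # level() accepts one or more priority names; the message level must be one of them.
    return lambda m: m[1] in levels


def match(pattern):
    # match() searches the message text with a regular expression.
    rx = re.compile(pattern)
    return lambda m: rx.search(m[2]) is not None


def not_(f):
    return lambda m: not f(m)


def and_(*fs):
    return lambda m: all(f(m) for f in fs)


def or_(*fs):
    return lambda m: any(f(m) for f in fs)


# The form from the original post: not program("sshd") or not level(debug).
# By De Morgan this is not (program("sshd") and level(debug)), i.e. everything
# EXCEPT sshd debug messages, which is the opposite of what was wanted.
sshd_debug_or = or_(not_(program("sshd")), not_(level("debug")))

# Ged's corrected form: program("sshd") and level(debug).
f_sshd_debug = and_(program("sshd"), level("debug"))

# The login-attempt filter from the post, which already uses 'and' correctly:
# keep sshd Failed/Accepted lines, but drop expected key logins from 10.4.3.1.
f_ssh_login_attempt = and_(
    program("sshd.*"),
    match("(Failed|Accepted)"),
    not_(match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)")),
)


def apply_filter(flt, messages=SAMPLE_MESSAGES):
    """Return the messages a log path with this filter would pass to its destination."""
    return [m for m in messages if flt(m)]


def demorgan_holds(messages=SAMPLE_MESSAGES):
    """True if 'not (A and B)' and '(not A) or (not B)' agree on every message."""
    complement = not_(f_sshd_debug)
    return all(complement(m) == sshd_debug_or(m) for m in messages)


if __name__ == "__main__":
    for name, flt in [("sshd_debug (or form)", sshd_debug_or),
                      ("f_sshd_debug (and form)", f_sshd_debug),
                      ("f_ssh_login_attempt", f_ssh_login_attempt)]:
        print(f"{name}:")
        for prog, lvl, text in apply_filter(flt):
            print(f"  {prog}[{lvl}]: {text}")
    print("De Morgan equivalence holds:", demorgan_holds())
```

Running it shows the 'or' filter passing five of the six sample lines (everything but the sshd debug line), the 'and' filter passing exactly that one line, and the login-attempt filter passing only the failed password line, since the accepted publickey login from 10.4.3.1 is excluded by its last clause.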
participants (1): G.W. Haywood