[syslog-ng] Problems with syslog-ng 1.0.4

Balazs Scheidler bazsi@balabit.hu
Tue, 6 Apr 1999 11:33:07 +0200


Hello,

Sorry for the long delay it took for me to answer your message, but I was out
for a couple of weeks.

First of all I would like you to note that syslog-ng version 1.0.x serves
only as a proof of concept, and has several flaws I am trying to solve in
the new 1.1.xx series. But the latter is not ready yet, as syslog-ng is
completely rewritten.

syslog-ng 1.0.x works stably as long as the config file is OK, but the
parser is not the best one (it is from the original nsyslogd package, which
syslog-ng was based on).


>
> I'm trying to replace syslog with syslog-ng at my
> site. Version 1.0.4, libc5 (rh42). Everything compiled
> fine, but I am having trouble getting the equivalent to
> this syslog line below to work:
>
> *.info;mail.none;authpriv.none    /var/log/messages
>
> Here is what I tried:
>
> source local { udp 0.0.0.0,514; unix-stream /dev/log; };
> destination d_messages { file /var/log/messages; };
> destination d_authpriv { file /var/log/secure; };
> destination d_mail { file /var/log/maillog; };
> filter f_mail { facility mail; };
> filter f_authpriv { facility authpriv; };
> filter f_mess { priority info; not facility mail; not facility authpriv;
> };
> log { source local; filter f_mail; destination d_mail; };
> log { source local; filter f_mess; destination d_messages; };
> log { source local; filter f_authpriv; destination d_authpriv; };
>
> When I generate messages for mail.notice, it goes to
> /var/log/messages *and* /var/log/maillog, and when i generate them
> for authpriv.notice, they go to /var/log/messages *and* to
> /var/log/secure, which is wrong (they are not supposed to go
> to /var/log/messages).
>
> The strange thing is, if I try this filter line:
> filter f_mess { priority info; not facility mail; };
> ... and generate messages for mail.notice, it goes
> (correctly) to only /var/log/maillog.
> Also, if I try this:
> filter f_mess { priority info; not facility authpriv; };
> ... and generate messages for authpriv.notice, it goes
> (correctly) to only /var/log/authpriv.
>
> So... if I put both together, it doesn't work; if
> I put each one separately, they do. Is this correct? Is
> there any other way I can use that syslog-type line?

This is obviously wrong. The only solution I can tell you is not to use
several conditions in one filter line.

You can use several log statements to merge two streams together.

BTW: I plan to rework filter statements in 1.1.x to be more powerful.

--
Bazsi
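Added example, not part of the original thread: a small Python reference model of the routing the quoted config is meant to produce (info and above, minus mail and authpriv, into /var/log/messages; mail and authpriv into their own files), so a syslog-ng build's actual behaviour can be compared against the intended one. The facility/severity tables follow the standard syslog PRI numbering; the sample lines are constructed.

```python
import re

# Standard syslog facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FAC_BY_CODE = {v: k for k, v in FACILITIES.items()}
SEV_BY_CODE = {v: k for k, v in SEVERITIES.items()}


def decode_pri(line):
    """Return (facility, severity) names from the '<PRI>' prefix of a line.
    Facility codes with no standard name (12-15) come back as None."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no PRI field in %r" % line)
    pri = int(m.group(1))
    return FAC_BY_CODE.get(pri // 8), SEV_BY_CODE[pri % 8]


# The three filters from the quoted config, with the semantics syslogd
# users expect: 'priority info' means info or more urgent (code <= 6).
def f_mail(fac, sev):
    return fac == "mail"


def f_authpriv(fac, sev):
    return fac == "authpriv"


def f_mess(fac, sev):
    return SEVERITIES[sev] <= SEVERITIES["info"] and fac not in ("mail", "authpriv")


# One entry per 'log { source local; filter ...; destination ...; };'
LOG_STATEMENTS = [
    (f_mail, "/var/log/maillog"),
    (f_mess, "/var/log/messages"),
    (f_authpriv, "/var/log/secure"),
]


def route(line):
    """Return the set of destination files the intended config sends a line to."""
    fac, sev = decode_pri(line)
    return {dest for flt, dest in LOG_STATEMENTS if flt(fac, sev)}


if __name__ == "__main__":
    # Constructed sample: mail.notice (PRI 21) and authpriv.notice (PRI 85).
    for sample in ("<21>Apr  6 11:33:07 host sendmail[123]: test",
                   "<85>Apr  6 11:33:07 host login[456]: test"):
        print(sample.split(">")[0] + ">", sorted(route(sample)))
```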