[syslog-ng] Problems with syslog-ng 1.0.4
Balazs Scheidler
bazsi@balabit.hu
Tue, 6 Apr 1999 11:33:07 +0200
Hello,
Sorry for the long delay it took for me to answer your mesage, but I was out
for a couple of weeks.
First of all I would like you to note that syslog-ng version 1.0.x serves
only as a proof of concept, and has several flaws I am trying to solve in
the new 1.1.xx series. But the latter is not ready yet, as syslog-ng is
completely rewritten.
syslog-ng 1.0.x works stable as long as the config file is ok, but the
parser is not the best one (it is from the original nsyslogd package, which
syslog-ng was based on)
>
> Im trying to replace syslog with syslog-ng at my
> site. Version 1.0.4, libc5 (rh42). Everything compiled
> fine, but i am having trouble getting the equivalent to
> this syslog line below to work:
>
> *.info;mail.none;authpriv.none
> /var/log/messages
>
> Here is what i tried:
>
> source local { udp 0.0.0.0,514; unix-stream /dev/log; };
> destination d_messages { file /var/log/messages; };
> destination d_authpriv { file /var/log/secure; };
> destination d_mail { file /var/log/maillog; };
> filter f_mail { facility mail; };
> filter f_authpriv { facility authpriv; };
> filter f_mess { priority info; not facility mail; not facility authpriv;
> };
> log { source local; filter f_mail; destination d_mail; };
> log { source local; filter f_mess; destination d_messages; };
> log { source local; filter f_authpriv; destination d_authpriv; };
>
> When i generate messages for mail.notice, it goes to
> /var/log/messages *and* /var/log/maillog, and when i generate them
> for authpriv.notice, they go to /var/log/messages *and* to
> /var/log/secure, which is wrong (they are not supposed to go
> to /var/log/messages).
>
> The strange thing is, if i try this filter line:
> filter f_mess { priority info; not facility mail; };
> .. and generate messages for mail.notice, it goes
> (correctly) to only /var/log/maillog.
> Also, if i try this:
> filter f_mess { priority info; not facility authpriv; };
> ... and generate messages for authpriv.notice, it goes
> (correctly) to only /var/log/authpriv.
>
> So... if i put both together, it doesn't work, if
> i put each one separately, they do. Is this correct? Is
> there any other way i can use that syslog-type line?
this is obviously wrong. the only solution I can tell you is not to use
several conditions in one filter line.
you can use several log statements to merge two streams together.
BTW: I plan to rework filter statements in 1.1.x to be more powerful.
--
Bazsi