[syslog-ng] complex filtering

Hamilton, Andrew Mr. HamiltonA@hq.5sigcmd.army.mil
Thu, 6 Apr 2000 07:10:38 +0200


I've also had problems with the "and not" filtering in syslog-ng.  I ended
up having to do a kind of a DeMorgan method and change the filtering around
a little.  I got it to do what I wanted but not quite the way I expected.

filter f_messages { level(info..warn) and not facility(local2,kern,auth); };

The above didn't work the way I expected it should have.  I ended up doing

filter f_messages { level(info..warn) and facility(mail,news,etc..); };

This seemed to work ok.  I'm not sure if syslog-ng is evaluating the "and
not" construct the way you'd expect.  Of course it may be that I just wasn't
using it correctly as well.

Drew

> -----Original Message-----
> From:	Balazs Scheidler [SMTP:bazsi@balabit.hu]
> Sent:	Wednesday, April 05, 2000 5:08 PM
> To:	syslog-ng@venus.terrasoft.hu
> Subject:	Re: [syslog-ng] complex filtering
> 
> > 
> > I'm currently building our loghost syslog-ng conf file and encountered a
> > problem. How can I filter messages so that only not-already-routed lines
> > will be routed/filtered again?
> > 
> > For example, I am trying to send ssh lines to a dedicated log file. Since
> > sshd sends its messages to the daemon facility and that (generic) daemon
> > facility is sent to a generic file, a given line appears in both files
> > and that wastes my disk space :-).
> > 
> > I am trying to solve that by adding "and not filter(f_ssh)" in my daemon
> > filter but it does nothing (not even a syntax error message).
> > 
> > Is there any error? Is there another way?
> > 
> > Thanks for any help.
> 
> The filter way should work, if it doesn't, it's a bug. There's a feature you
> may use here. You can define default log statements:
> 
> log { source(src); filter(DEFAULT); destination(dst); };
> 
> This is a catchall statement, and should catch all messages which were not
> accepted by any of the previous statements.
> 
> -- 
> Bazsi
> PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
>      url: http://www.balabit.hu/pgpkey.txt
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> http://lists.balabit.hu/mailman/listinfo/syslog-ng
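
The routing behaviour discussed in this thread, as an added example that is not part of either message and is not syslog-ng code: a small Python model that shows the duplicate ssh line, the "and not filter(f_ssh)" fix, the catch-all, and a check that the negated facility list and the explicit complement list select the same messages. It assumes every log statement whose filter accepts a message gets a copy, the catch-all gets only messages no statement accepted, and `not` binds tighter than `and`; the function names, destinations, facility list and sample messages are constructed for illustration.

```python
from itertools import product
from typing import NamedTuple

class Msg(NamedTuple):
    facility: str
    level: str
    program: str

LEVELS = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Filter primitives, modelled as predicates on a message (hypothetical helpers).
def facility(*names): return lambda m: m.facility in names
def program(name): return lambda m: m.program == name
def level(lo, hi):
    return lambda m: LEVELS.index(lo) <= LEVELS.index(m.level) <= LEVELS.index(hi)
def both(a, b): return lambda m: a(m) and b(m)
def negate(a): return lambda m: not a(m)

def route(msg, statements, catchall=None):
    """Every statement whose filter accepts msg gets a copy; the catch-all
    receives only messages that no statement accepted."""
    hits = [dst for flt, dst in statements if flt(msg)]
    return hits or ([catchall] if catchall else [])

def differing(f1, f2):
    """Facility/level pairs on which two filters disagree (empty = equivalent)."""
    return [(f, l) for f, l in product(FACILITIES, LEVELS)
            if f1(Msg(f, l, "x")) != f2(Msg(f, l, "x"))]

# Constructed sample messages.
SSH = Msg("daemon", "info", "sshd")
NAMED = Msg("daemon", "info", "named")
KERN = Msg("kern", "warn", "kernel")

f_ssh, f_daemon = program("sshd"), facility("daemon")
naive = [(f_ssh, "ssh.log"), (f_daemon, "daemon.log")]
fixed = [(f_ssh, "ssh.log"), (both(f_daemon, negate(f_ssh)), "daemon.log")]

# The two f_messages variants: negated list vs. explicit complement list.
excluded = ("local2", "kern", "auth")
f_neg = both(level("info", "warn"), negate(facility(*excluded)))
f_pos = both(level("info", "warn"),
             facility(*[f for f in FACILITIES if f not in excluded]))

if __name__ == "__main__":
    for name, stmts in (("naive", naive), ("fixed", fixed)):
        for m in (SSH, NAMED, KERN):
            print(name, m.program, route(m, stmts, catchall="other.log"))
    print("f_neg vs f_pos differ on:", differing(f_neg, f_pos))
```

If a running syslog-ng routes any of these sample messages differently from the model, that difference is the concrete case to report as a filter bug.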