[syslog-ng] complex filtering

Un L'Unique un@pebble.dhs.org
Tue, 25 Apr 2000 16:34:37 +0200


Balazs Scheidler wrote:
> 
> >
> > I'm currently building our loghost syslog-ng conf file and have encountered a problem. How can I filter messages so that only not-already-routed lines will be routed/filtered again?
> >
> > For example, I am trying to send ssh lines to a dedicated log file; since sshd sends its messages to the daemon facility and that (generic) daemon facility is sent to a generic file, a given line appears in both files and that wastes my disk space :-).
> >
> > I am trying to solve that by adding "and not filter(f_ssh)" in my daemon filter but it does nothing (not even a syntax error message).
> >
> > Is there any error? Is there another way?
> >
> > Thanks for any help.
> 
> The filter way should work, if it doesn't, it's a bug. There's a feature you
Well, I just tried with version 1.4.3; I am sorry but I think I caught a bug :-)
I can send you the conf file if needed.
Anyway, this is not a very convenient solution, as when I modify a rule, I have to modify it in 2 places... and forget.
I would like another one, if possible.


> may use here. You can define default log statements:
> 
> log { source(src); filter(DEFAULT); destination(dst); };
> 
> This is a catchall statement, and should catch all messages which were not
> accepted by any of the previous statements.
I tried to add it to the daemon filter but it changes nothing; log lines continue to appear in the daemon log file.
I tried to add it in the log {} but syslog stops with:
Default statement may not have additional filters.
center.c:114: failed assertion `d->ref'
Abort (core dumped)




I want to have ssh log lines only in the ssh log I define and not in both the daemon log and the ssh log. I have plenty of those needs :-)

Is there any way to perform that?

S.R.

This "doesn't work" :-)
....
filter f_ssh		{ program("ssh.*");	};
filter f_daemon		{
	facility(daemon)
	and not	filter(f_cyrus-imapd)
	and not	filter(f_ssh)
	and not filter(f_ntp)
	and not filter(f_named)
	and filter( DEFAULT);

	};
....
log
{
	source( local);
	source( network);

	filter( f_ssh);
	destination( d_ssh);
};

log
{
	source( local);
	source( network);

	filter( f_daemon);
	destination( d_daemon);
};

sshd uses the daemon.info facility.
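
Added example, not part of the original message and not the syslog-ng project's own configuration: the "ssh lines only in the ssh log" routing asked for above, written with the log-path option flags(final). It assumes a later syslog-ng release that supports log-path flags (the thread concerns 1.4.3); the s_/d_ names and file paths are constructed for illustration.

```conf
# Added example (constructed names and paths). Assumes a syslog-ng release
# that supports log-path flags; this is a fragment, not a full config file.
source s_local   { unix-stream("/dev/log"); internal(); };
source s_network { udp(); };

destination d_ssh    { file("/var/log/ssh.log"); };
destination d_daemon { file("/var/log/daemon.log"); };

filter f_ssh    { program("ssh.*"); };
# No "and not filter(f_ssh)" here: the exclusion comes from statement
# order plus flags(final) below, so each rule is maintained in one place.
filter f_daemon { facility(daemon); };

# Specific paths first. flags(final) ends processing for a message that
# matches this statement, so it never reaches the statements after it.
log {
    source(s_local); source(s_network);
    filter(f_ssh);
    destination(d_ssh);
    flags(final);
};

# Generic path last: it only sees daemon-facility messages that no
# earlier final statement has already claimed.
log {
    source(s_local); source(s_network);
    filter(f_daemon);
    destination(d_daemon);
};
```

Statement order is what makes this work: if the generic daemon statement were placed before the ssh one, sshd lines would again be written to both files.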