[syslog-ng] Ignoring previously handled/filtered messages

Un L'Unique un@pebble.dhs.org
Fri, 02 Jun 2000 14:29:11 +0200


Balazs Scheidler wrote:
> 
> > > Agreed.  What I'd like is a clause that means "log this only if not yet
> > > handled".  That way, we get it both ways -- if you don't specify anything, you
> > > get the current behavior, in which it would go to both logs.  Plus, with the
> > > "not-yet-logged" clause, I could catch everything where I want it, and then do
> > > the "not-yet-logged" clause just for the remaining facility(daemon), for
> > > example.
> >
> > The DEFAULT filter exists for exactly this purpose. It may be buggy since I
> > haven't touched that feature since 1.3.xx (when I implemented it), but the
> > syntax looks like this:
> >
> > log { source(src); filter(DEFAULT); destination(dst); };
> >
> > DEFAULT filters all not-yet-handled messages. I'll check out the other not
> > expression bugs as well.
> 
> I tested this, and it seems to work. The configuration I tried:
> 
> options { keep_hostname(yes); };
> 
> source src { unix-stream("proba2"); internal(); };
> 
> destination ftpd { file("ftplog"); };
> destination named { file("namedlog"); };
> destination daemon { file("daemonlog"); };
> 
> filter f_ftpd { match("ftp"); };
> filter f_named { match("named"); };
> filter f_daemon { facility(daemon); };
> 
> log { source(src); filter(f_ftpd); destination(ftpd); };
> log { source(src); filter(f_named); destination(named); };
> log { source(src); filter(f_daemon); filter(DEFAULT); destination(daemon); };
> 
> The lines I logged:
> 
> balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
> balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
> balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"
> 
> All of them went to the expected location.
Well, not for me :-) (V 1.4.3)


Since I can't make it work, I made a very simple configuration and found strange things:
log
{
	source( local);
	source( network);

	filter( f_bash);
	destination( d_bash);
};

log
{
	source( local);
	source( network);

	filter( f_auth);
#	filter( DEFAULT);
	destination( d_auth);
};

The bash-log line appears in both files as expected.
If I remove the comment, then the bash-log line appears only in the bash file, but some strange new things appear in the daemon file: some old kernel ones (a few days old) and an inetd one: "Jun  2 12:36:18 ts inetd[188]: /usr/openwin/bin/Xaserver: Hangup"

Since filter directives are supposed to be ANDed, I am a bit confused.

I am still debugging...

Un

P.S.: Thanks to John Goggan for explaining my problem better than me :-)
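
Added example, not part of the original message and not syslog-ng code: a small Python model of the routing the thread describes, run over the three-statement test configuration quoted above. It assumes statements are evaluated in order, filters inside a statement are ANDed, DEFAULT matches only messages no earlier statement delivered, and match() is a plain substring test; the names route, WITH_DEFAULT, WITHOUT_DEFAULT and SAMPLES are hypothetical.

```python
# Added illustration, not syslog-ng source code. Assumed model, taken from
# the thread: log statements run in order, the filters inside one statement
# are ANDed, and DEFAULT matches only if no earlier statement has already
# delivered the message. match() is simplified to a substring test.
DEFAULT = "DEFAULT"

FILTERS = {
    "f_ftpd": lambda m: "ftp" in m["msg"],
    "f_named": lambda m: "named" in m["msg"],
    "f_daemon": lambda m: m["facility"] == "daemon",
}

# (filters, destination) pairs mirroring the three quoted log statements.
WITH_DEFAULT = [
    (["f_ftpd"], "ftpd"),
    (["f_named"], "named"),
    (["f_daemon", DEFAULT], "daemon"),
]
# Same paths with filter(DEFAULT) removed, for comparison.
WITHOUT_DEFAULT = [([f for f in fs if f != DEFAULT], dest)
                   for fs, dest in WITH_DEFAULT]


def route(message, log_paths):
    """Return the destinations one message reaches, in statement order."""
    delivered = []
    for names, dest in log_paths:
        if all((not delivered) if n == DEFAULT else FILTERS[n](message)
               for n in names):
            delivered.append(dest)
    return delivered


# Constructed messages matching the three logger calls in the quoted test,
# plus one that no statement accepts.
SAMPLES = [
    {"facility": "daemon", "msg": "ftp"},
    {"facility": "daemon", "msg": "named"},
    {"facility": "daemon", "msg": "qqq"},
    {"facility": "auth", "msg": "qqq"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        for label, paths in (("with DEFAULT", WITH_DEFAULT),
                             ("without DEFAULT", WITHOUT_DEFAULT)):
            dests = route(m, paths) or ["(no destination)"]
            print(f'{m["facility"]}: {m["msg"]!r} {label} -> {dests}')
```

Under this model a message that reaches two files without DEFAULT reaches one with it, and a message that no statement accepts reaches none, which is the case to watch for when auditing a log-routing configuration.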