[syslog-ng] Ignoring previously handled/filtered messages

John Goggan jgoggan@dcg.com
Wed, 24 May 2000 14:18:03 -0400

Hello all.  I am new to syslog-ng (today) and have a question.  I have looked
through all of the documentation that I can find -- as well as scanned the
mailing list archives, and cannot find a solution.  In fact, I see that Un
L'Unique had this same problem last month, and it was partially discussed, but
there was no final answer.

Basically, it seems that there should be an easy way to make syslog-ng NOT
resend messages that have already been sent to some other log.  Here is what I
am trying to do...  I have several daemons (we'll shorten the list to just
ftpd and named for this example) that currently send daemon.info messages.  I
want each application to have its own log file. So, I have tried configuring
them like this:

destination ftpd { file("/var/log/ftplog"); };
destination named { file("/var/log/namedlog"); };
destination daemon { file("/var/log/daemonlog"); };
filter f_ftpd { program("ftpd"); };
filter f_named { program("named"); };
filter f_daemon { facility(daemon); };
log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_daemon); destination(daemon); };

This makes messages for ftpd go to ftpdlog and for named go to namedlog.  The
problem is that they still also go to the daemonlog since they are daemon.info
messages.  What I want is a way to tell syslog-ng that I do NOT want it to
also send those to the daemonlog file.  It seems that there should be a
directive to say "send these to this log ONLY if they haven't already been

I did try doing this for the daemon filter:

filter f_daemon { facility(daemon)
                and not filter(f_ftpd)
                and not filter(f_named); };

...but this does not work.  I still get the ftpd and named messages in
daemonlog (as well as ftpdlog and namedlog).  This is exactly what Un L'Unique
experienced last month when he said that the "not filter" did not appear to be
working for him. I get the same behavior -- it does not work for me.  This is,
however, not even a good system even if it DID work, because then I would have
to specify each and every "not filter" for other daemons that are handled and
remember to add them each time I add logging for a new daemon.  It would just
be so much better if the facility(daemon) could be told to only log daemon
messages that were NOT already logged elsewhere.  I believe that this can be
done (and is the default behavior) in standard syslog.

I tried working with the filter(DEFAULT) command, but this also did not seem
to do what I wanted since I can't tell it to JUST do it for facility(daemon).

Thank you!

 - John...
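
The routing behaviour described in the message above, as a small model. This is an added example, not part of the original post and not syslog-ng code: `Msg`, `LogPath`, `route` and the `fallback` attribute are hypothetical names, `program()` is simplified to an exact name comparison, and the sample messages are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Msg:
    program: str
    facility: str


@dataclass(frozen=True)
class LogPath:
    match: Callable[[Msg], bool]
    destination: str
    # Hypothetical flag: the path only receives messages that no ordinary path matched.
    fallback: bool = False


def paths(daemon_is_fallback: bool) -> List[LogPath]:
    # The three log statements from the post, in the same order.
    return [
        LogPath(lambda m: m.program == "ftpd", "/var/log/ftplog"),
        LogPath(lambda m: m.program == "named", "/var/log/namedlog"),
        LogPath(lambda m: m.facility == "daemon", "/var/log/daemonlog",
                fallback=daemon_is_fallback),
    ]


def route(msg: Msg, log_paths: List[LogPath]) -> List[str]:
    # Ordinary paths are evaluated independently, so one message can match several.
    hits = [p.destination for p in log_paths if not p.fallback and p.match(msg)]
    if hits:
        return hits
    # Nothing matched: only now are the fallback paths consulted.
    return [p.destination for p in log_paths if p.fallback and p.match(msg)]


# Constructed sample messages (program name, facility).
SAMPLES = [Msg("ftpd", "daemon"), Msg("named", "daemon"),
           Msg("inetd", "daemon"), Msg("sshd", "auth")]


def compare() -> dict:
    # For each sample: (destinations as configured in the post, destinations wanted).
    return {m.program: (route(m, paths(False)), route(m, paths(True))) for m in SAMPLES}


if __name__ == "__main__":
    for prog, (as_posted, wanted) in compare().items():
        print(f"{prog:6} as posted: {as_posted}  wanted: {wanted}")
```
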