[syslog-ng] Ignoring previously handled/filtered messages

Ilya maillist@krel.org
Wed, 24 May 2000 14:36:59 -0400

filter nf_send { not program("sendmail"); };
log { source("src2"); filter("h_lists"); filter("nf_send");
destination("lists"); };
this works for me

From: "John Goggan" <jgoggan@dcg.com>
To: "syslog-ng Mailing List" <syslog-ng@lists.balabit.hu>
Wednesday, May 24, 2000 2:18 PM
Subject: [syslog-ng] Ignoring previously handled/filtered messages

> Hello all.  I am new to syslog-ng (today) and have a question.  I have
> through all of the documentation that I can find -- as well as scanned the
> mailing list archives, and cannot find a solution.  In fact, I see that Un
> L'Unique had this same problem last month, and it was partially discussed,
> there was no final answer.
> Basically, it seems that there should be an easy way to make syslog-ng NOT
> resend messages that have already been sent to some other log.  Here is what I
> am trying to do...  I have several daemons (we'll shorten the list to just
> ftpd and named for this example) that currently send daemon.info messages.
> want each application to have its own log file. So, I have tried
> them like this:
> destination ftpd { file("/var/log/ftplog"); };
> destination named { file("/var/log/namedlog"); };
> destination daemon { file("/var/log/daemonlog"); };
> filter f_ftpd { program("ftpd"); };
> filter f_named { program("named"); };
> filter f_daemon { facility(daemon); };
> log { source(src); filter(f_ftpd); destination(ftpd); };
> log { source(src); filter(f_named); destination(named); };
> log { source(src); filter(f_daemon); destination(daemon); };
> This makes messages for ftpd go to ftpdlog and for named go to namedlog.
> problem is that they still also go to the daemonlog since they are
> messages.  What I want is a way to tell syslog-ng that I do NOT want it to
> also send those to the daemonlog file.  It seems that there should be a
> directive to say "send these to this log ONLY if they haven't already been
> handled."
> I did try doing this for the daemon filter:
> filter f_daemon { facility(daemon)
>                 and not filter(f_ftpd)
>                 and not filter(f_named); };
> ...but this does not work.  I still get the ftpd and named messages in
> daemonlog (as well as ftpdlog and namedlog).  This is exactly what Un
> experienced last month when he said that the "not filter" did not appear to be
> working for him. I get the same behavior -- it does not work for me.  This
> however, not even a good system even if it DID work, because then I would
> to specify each and every "not filter" for other daemons that are handled
> remember to add them each time I add logging for a new daemon.  It would
> be so much better if the facility(daemon) could be told to only log daemon
> messages that were NOT already logged elsewhere.  I believe that this can
> done (and is the default behavior) in standard syslog.
> I tried working with the filter(DEFAULT) command, but this also did not
> to do what I wanted since I can't tell it to JUST do it for
> Thank you!
>  - John...
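
Added example, not part of either message above: the configuration from the question, rearranged so that ftpd and named messages stop at their own log path and never reach the daemon catch-all. It assumes a syslog-ng release that supports the flags(final) and flags(fallback) log-path options and that the source "src" is already defined elsewhere in the configuration; the d_* destination names and f_daemon_rest are hypothetical.

```conf
# Added example. f_ftpd, f_named, f_daemon and the source "src" come from
# the question; the d_* destination names are hypothetical.
destination d_ftpd   { file("/var/log/ftplog"); };
destination d_named  { file("/var/log/namedlog"); };
destination d_daemon { file("/var/log/daemonlog"); };

filter f_ftpd   { program("ftpd"); };
filter f_named  { program("named"); };
filter f_daemon { facility(daemon); };

# Active variant: flags(final) ends processing for a message once a path
# has matched it, so log statements that appear LATER never see it.
# Order matters: the specific paths must come before the catch-all.
log { source(src); filter(f_ftpd);   destination(d_ftpd);   flags(final); };
log { source(src); filter(f_named);  destination(d_named);  flags(final); };
log { source(src); filter(f_daemon); destination(d_daemon); };

# Alternative 1 (the approach in the reply): negate the program() matches
# directly in the catch-all filter instead of referencing other filters.
# Every newly split-out daemon has to be added here by hand.
# filter f_daemon_rest {
#     facility(daemon) and not program("ftpd") and not program("named");
# };
# log { source(src); filter(f_daemon_rest); destination(d_daemon); };

# Alternative 2: drop flags(final) above and mark only the catch-all as a
# fallback. A fallback path receives a message only when no non-fallback
# log statement matched it.
# log { source(src); filter(f_daemon); destination(d_daemon); flags(fallback); };
```

With flags(final), any later log statement that is meant to see everything, such as one forwarding all messages to a central collector, will also miss the ftpd and named messages unless it is placed before those paths. The fallback variant has the mirror-image problem: an unfiltered catch-all path elsewhere in the configuration matches every message, so the fallback path would never receive anything.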
