[syslog-ng] Ignoring previously handled/filtered messages

Ilya maillist@krel.org
Wed, 24 May 2000 14:36:59 -0400


filter nf_send { not program("sendmail"); };
log { source("src2"); filter("h_lists"); filter("nf_send"); destination("lists"); };

This works for me.

----- Original Message -----
From: "John Goggan" <jgoggan@dcg.com>
To: "syslog-ng Mailing List" <syslog-ng@lists.balabit.hu>
Sent: Wednesday, May 24, 2000 2:18 PM
Subject: [syslog-ng] Ignoring previously handled/filtered messages


>
> Hello all.  I am new to syslog-ng (today) and have a question.  I have looked
> through all of the documentation that I can find -- as well as scanned the
> mailing list archives, and cannot find a solution.  In fact, I see that Un
> L'Unique had this same problem last month, and it was partially discussed, but
> there was no final answer.
>
> Basically, it seems that there should be an easy way to make syslog-ng NOT
> resend messages that have already been sent to some other log.  Here is what I
> am trying to do...  I have several daemons (we'll shorten the list to just
> ftpd and named for this example) that currently send daemon.info messages.  I
> want each application to have its own log file. So, I have tried configuring
> them like this:
>
> destination ftpd { file("/var/log/ftplog"); };
> destination named { file("/var/log/namedlog"); };
> destination daemon { file("/var/log/daemonlog"); };
> filter f_ftpd { program("ftpd"); };
> filter f_named { program("named"); };
> filter f_daemon { facility(daemon); };
> log { source(src); filter(f_ftpd); destination(ftpd); };
> log { source(src); filter(f_named); destination(named); };
> log { source(src); filter(f_daemon); destination(daemon); };
>
> This makes messages for ftpd go to ftpdlog and for named go to namedlog.  The
> problem is that they still also go to the daemonlog since they are daemon.info
> messages.  What I want is a way to tell syslog-ng that I do NOT want it to
> also send those to the daemonlog file.  It seems that there should be a
> directive to say "send these to this log ONLY if they haven't already been
> handled."
>
> I did try doing this for the daemon filter:
>
> filter f_daemon { facility(daemon)
>                 and not filter(f_ftpd)
>                 and not filter(f_named); };
>
> ...but this does not work.  I still get the ftpd and named messages in
> daemonlog (as well as ftpdlog and namedlog).  This is exactly what Un L'Unique
> experienced last month when he said that the "not filter" did not appear to be
> working for him. I get the same behavior -- it does not work for me.  This is,
> however, not even a good system even if it DID work, because then I would have
> to specify each and every "not filter" for other daemons that are handled and
> remember to add them each time I add logging for a new daemon.  It would just
> be so much better if the facility(daemon) could be told to only log daemon
> messages that were NOT already logged elsewhere.  I believe that this can be
> done (and is the default behavior) in standard syslog.
>
> I tried working with the filter(DEFAULT) command, but this also did not seem
> to do what I wanted since I can't tell it to JUST do it for facility(daemon).
>
> Thank you!
>
>  - John...
>
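
The negated program() filter from the reply, applied to the configuration in the quoted question, as an added example that is not part of either post. The filter name f_daemon_rest is made up here, the source "src" is assumed to be defined elsewhere as in the question, and the second variant assumes a syslog-ng release that supports the flags(fallback) log-statement option, which neither post mentions.

```conf
# Added example, not from the thread.
# Destinations and the f_ftpd / f_named filters are the ones from the question.
destination ftpd   { file("/var/log/ftplog"); };
destination named  { file("/var/log/namedlog"); };
destination daemon { file("/var/log/daemonlog"); };

filter f_ftpd  { program("ftpd"); };
filter f_named { program("named"); };

# Variant 1: exclude the per-program traffic with "not program(...)",
# the same construct the reply uses for sendmail, instead of
# "not filter(...)". f_daemon_rest is a hypothetical name.
filter f_daemon_rest {
    facility(daemon)
    and not program("ftpd")
    and not program("named");
};

log { source(src); filter(f_ftpd);        destination(ftpd); };
log { source(src); filter(f_named);       destination(named); };
log { source(src); filter(f_daemon_rest); destination(daemon); };

# Variant 2 (assumption: a release with flags(fallback)).
# A fallback log statement only receives messages that no other,
# non-fallback log statement has accepted, so the exclusion list does
# not have to be maintained by hand. Use it in place of the last log
# statement of variant 1:
#
# filter f_daemon { facility(daemon); };
# log { source(src); filter(f_daemon); destination(daemon); flags(fallback); };
```

With variant 2, any other non-fallback log statement that accepts a daemon message, a catch-all included, also keeps that message out of daemonlog, so check the whole configuration before relying on it for audit-relevant logs.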