[syslog-ng] Ignoring previously handled/filtered messages
Ohrberg, Mick
Mick.Ohrberg@umb.com
Wed, 24 May 2000 17:11:03 -0500
IMHO, I WANT the messages to go to several logfiles. For instance, I want a
message mail.fatal to go to the fatal logfile as well as the mail logfile.
This way I can trigger on messages in the fatal logfile, look in the mail
logfile and see if there were any messages in from mail that lead up to the
fatal situation.
However, when you do the same thing loggin to a remote host, this procedure
results in four (!) messages being generated. A better way to handle
'double' messages would be very very nice.
: -----Original Message-----
: From: John Goggan [mailto:jgoggan@dcg.com]
: Sent: Wednesday, May 24, 2000 4:46 PM
: To: syslog-ng@venus.terrasoft.hu
: Subject: Re: [syslog-ng] Ignoring previously handled/filtered messages
:
:
:
: ger wrote:
: > try
: > filter f_daemon { facility(daemon) and not program(name);};
: >
: > where "name" is whatever program you're trying to filter out.
:
: Thanks to Ger and Ilya for their responses. While this does
: work, it really
: seems like a poor way to do it to me -- and, I believe, is
: also quite a bit
: different from the way standard syslog handles things. The
: problem is that it
: should just be easy to make it so that messages are handled
: only ONCE and then
: not sent to additional logs unless specifically desires. How
: many people
: really want the same syslog message sent to multiple logs
: most of the time?
: It just seems that the default (which does this) is the
: opposite of what most
: would want.
:
: Plus, what needs to be done to get around this just doesn't
: make any sense.
: This means that if I want separate logs for imapd, named,
: telnetd, and ftpd
: (to name just a few common daemons) -- and I want any other
: daemons that pop
: up to still go to a daemon.log, I have to do this in my
: filter section:
:
: filter f_imapd { program("imapd"); };
: filter f_named { program("named"); };
: filter f_telnetd { program("telnetd"); };
: filter f_ftpd { program("ftpd"); };
: filter f_auth { facility(auth)
: and not program("imapd")
: and not program("named")
: and not program("telnetd")
: and not program("ftpd"); };
: filter f_daemon { facility(daemon)
: and not program("imapd")
: and not program("named")
: and not program("telnetd")
: and not program("ftpd"); };
: filter f_messages { level(info..warn)
: and not facility(auth, authpriv, mail, news);
: and not program("imapd")
: and not program("named")
: and not program("telnetd")
: and not program("ftpd"); };
:
: That just seems like a really bad design! I have to make
: sure that I keep all
: of the names updated in several different locations. If I
: want to add a log
: for just one more daemon, I have to add it to at least 3
: other filters besides
: its own filter!
:
: Aren't other people experiencing such problems? Or is no one
: out there using
: syslog-ng to filter out specific daemons while still catching
: the unlisted
: daemons in a daemon.log file?
:
: There must be a better way...
:
: - John...
:
: _______________________________________________
: syslog-ng maillist - syslog-ng@lists.balabit.hu
: http://lists.balabit.hu/mailman/listinfo/syslog-ng
: