[syslog-ng] Ignoring previously handled/filtered messages
John Goggan
jgoggan@dcg.com
Wed, 24 May 2000 18:25:22 -0400
Agreed. What I'd like is a clause that means "log this only if not yet
handled". That way, we get it both ways -- if you don't specify anything, you
get the current behavior, in which it would go to both logs. Plus, with the
"not-yet-logged" clause, I could catch everything where I want it, and then do
the "not-yet-logged" clause just for the remaining facility(daemon), for
example.
- John...
"Ohrberg, Mick" wrote:
>
> IMHO, I WANT the messages to go to several logfiles. For instance, I want a
> message mail.fatal to go to the fatal logfile as well as the mail logfile.
> This way I can trigger on messages in the fatal logfile, look in the mail
> logfile and see if there were any messages in from mail that lead up to the
> fatal situation.
>
> However, when you do the same thing logging to a remote host, this procedure
> results in four (!) messages being generated. A better way to handle
> 'double' messages would be very very nice.
>
> : -----Original Message-----
> : From: John Goggan [mailto:jgoggan@dcg.com]
> : Sent: Wednesday, May 24, 2000 4:46 PM
> : To: syslog-ng@venus.terrasoft.hu
> : Subject: Re: [syslog-ng] Ignoring previously handled/filtered messages
> :
> :
> :
> : ger wrote:
> : > try
> : > filter f_daemon { facility(daemon) and not program(name);};
> : >
> : > where "name" is whatever program you're trying to filter out.
> :
> : Thanks to Ger and Ilya for their responses. While this does work, it
> : really seems like a poor way to do it to me -- and, I believe, is also
> : quite a bit different from the way standard syslog handles things. The
> : problem is that it should just be easy to make it so that messages are
> : handled only ONCE and then not sent to additional logs unless
> : specifically desired. How many people really want the same syslog
> : message sent to multiple logs most of the time? It just seems that the
> : default (which does this) is the opposite of what most would want.
> :
> : Plus, what needs to be done to get around this just doesn't make any
> : sense. This means that if I want separate logs for imapd, named,
> : telnetd, and ftpd (to name just a few common daemons) -- and I want any
> : other daemons that pop up to still go to a daemon.log, I have to do this
> : in my filter section:
> :
> : filter f_imapd    { program("imapd"); };
> : filter f_named    { program("named"); };
> : filter f_telnetd  { program("telnetd"); };
> : filter f_ftpd     { program("ftpd"); };
> : filter f_auth     { facility(auth)
> :                     and not program("imapd")
> :                     and not program("named")
> :                     and not program("telnetd")
> :                     and not program("ftpd"); };
> : filter f_daemon   { facility(daemon)
> :                     and not program("imapd")
> :                     and not program("named")
> :                     and not program("telnetd")
> :                     and not program("ftpd"); };
> : filter f_messages { level(info..warn)
> :                     and not facility(auth, authpriv, mail, news)
> :                     and not program("imapd")
> :                     and not program("named")
> :                     and not program("telnetd")
> :                     and not program("ftpd"); };
> :
> : That just seems like a really bad design! I have to make sure that I
> : keep all of the names updated in several different locations. If I want
> : to add a log for just one more daemon, I have to add it to at least 3
> : other filters besides its own filter!
> :
> : Aren't other people experiencing such problems? Or is no one out there
> : using syslog-ng to filter out specific daemons while still catching the
> : unlisted daemons in a daemon.log file?
> :
> : There must be a better way...
> :
> : - John...
> :
> : _______________________________________________
> : syslog-ng maillist - syslog-ng@lists.balabit.hu
> : http://lists.balabit.hu/mailman/listinfo/syslog-ng
> :
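
An added example, not part of the original thread: one way to express both behaviours discussed above (log once only, or log to several files on purpose) with the syslog-ng log-statement flags `final` and `fallback`. It assumes a syslog-ng release that supports these flags; the `@version` value, the source and destination names and the file paths are constructed for illustration.

```conf
@version: 4.2   # assumption: set this to the installed syslog-ng version

# Constructed names and paths, for illustration only.
source s_local { system(); internal(); };

destination d_imapd     { file("/var/log/imapd.log"); };
destination d_named     { file("/var/log/named.log"); };
destination d_telnetd   { file("/var/log/telnetd.log"); };
destination d_ftpd      { file("/var/log/ftpd.log"); };
destination d_auth      { file("/var/log/auth.log"); };
destination d_daemon    { file("/var/log/daemon.log"); };
destination d_unhandled { file("/var/log/unhandled.log"); };

# Each program name appears exactly once; no "and not program(...)" chains.
filter f_imapd   { program("imapd"); };
filter f_named   { program("named"); };
filter f_telnetd { program("telnetd"); };
filter f_ftpd    { program("ftpd"); };
filter f_auth    { facility(auth); };
filter f_daemon  { facility(daemon); };

# Per-program paths come first. flags(final) ends processing of a matched
# message, so later log statements never see it ("handled only once").
log { source(s_local); filter(f_imapd);   destination(d_imapd);   flags(final); };
log { source(s_local); filter(f_named);   destination(d_named);   flags(final); };
log { source(s_local); filter(f_telnetd); destination(d_telnetd); flags(final); };
log { source(s_local); filter(f_ftpd);    destination(d_ftpd);    flags(final); };

# Paths without flags(final) keep the default behaviour: a message that
# matches several of them is written to each one (the "several logfiles"
# case). Only messages not already claimed above reach these statements.
log { source(s_local); filter(f_auth);   destination(d_auth); };
log { source(s_local); filter(f_daemon); destination(d_daemon); };

# "Log this only if not yet handled": a fallback path receives messages
# that no non-fallback log statement matched.
log { source(s_local); destination(d_unhandled); flags(fallback); };
```

Statement order matters with `flags(final)`: a final path only hides a message from log statements that appear after it. A fallback path is skipped for any message that some non-fallback path matched, so one broad non-fallback path can leave it empty.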