Re [syslog-ng] Ignoring previously handled/filtered messages
Hamilton, Andrew Mr.
HamiltonA@hq.5sigcmd.army.mil
Fri, 26 May 2000 07:16:15 +0200
I like the configuration option as well. I would like to be able to
duplicate some but not others. Of course we all want as fine a grain of
control as we can get. I do all the filtering and parsing and reporting on
a considerable amount of log information, and while several places need to
see some of the same logs, for the most part only the sysadmins are
interested in it. I make the reports I generate from the logs available on
the local intranet for whoever is interested, but I don't get to make all of
it available. The security people are funny about that. For the stuff I
want duplicated I can easily add a second or a third or a ... destination()
to a log function and get my duplication that way. Matter of fact I prefer
to do this as it gives ME the control over the logging.
Anyway just my $.02 worth.
Thanks
Drew
> -----Original Message-----
> From: offset [SMTP:offset@privacyx.com]
> Sent: Thursday, May 25, 2000 7:31 PM
> To: syslog-ng@venus.terrasoft.hu
> Subject: Re [syslog-ng] Ignoring previously handled/filtered messages
>
> I like the idea of having syslog messages duplicated.
>
> In a very large enterprise you have multiple groups wanting access to
> the same information.
>
> System administration is looking for availability related logs
> Security administration is looking for security related logs.
> Groups above may having overlapping facility and level requirements.
>
> Such as SysAdmins needing kern.notice for kernel output, and SecAdmins
> needing this log to catch Solaris stack executable buffer overflow
> attempts.
>
> If I were in security parsing syslog output, I would not want the system
> administration group grabbing all the content with nothing left for the
> security administrators to pull from. This is especially true for
> environments where system administration and security administration for
> a server has been separated into different groups with different
> management reporting structures.
>
> Perhaps as a compromise, a configuration setting in syslog-ng that
> controls fall-through.
>
> -- offset --
>
> John Goggan wrote:
>
> > ger wrote:
> > > try
> > > filter f_daemon { facility(daemon) and not program(name);};
> > >
> > > where "name" is whatever program you're trying to filter out.
> >
> > Thanks to Ger and Ilya for their responses. While this does work, it
> really
> > seems like a poor way to do it to me -- and, I believe, is also quite a
> bit
> > different from the way standard syslog handles things. The problem is
> that it
> > should just be easy to make it so that messages are handled only ONCE
> and then
> > not sent to additional logs unless specifically desires. How many
> people
> > really want the same syslog message sent to multiple logs most of the
> time?
> > It just seems that the default (which does this) is the opposite of what
> most
> > would want.
> >
> > Plus, what needs to be done to get around this just doesn't make any
> sense.
> > This means that if I want separate logs for imapd, named, telnetd, and
> ftpd
> > (to name just a few common daemons) -- and I want any other daemons that
> pop
> > up to still go to a daemon.log, I have to do this in my filter section:
> >
> > filter f_imapd { program("imapd"); };
> > filter f_named { program("named"); };
> > filter f_telnetd { program("telnetd"); };
> > filter f_ftpd { program("ftpd"); };
> > filter f_auth { facility(auth)
> > and not program("imapd")
> > and not program("named")
> > and not program("telnetd")
> > and not program("ftpd"); };
> > filter f_daemon { facility(daemon)
> > and not program("imapd")
> > and not program("named")
> > and not program("telnetd")
> > and not program("ftpd"); };
> > filter f_messages { level(info..warn)
> > and not facility(auth, authpriv, mail, news);
> > and not program("imapd")
> > and not program("named")
> > and not program("telnetd")
> > and not program("ftpd"); };
> >
> > That just seems like a really bad design! I have to make sure that I
> keep all
> > of the names updated in several different locations. If I want to add a
> log
> > for just one more daemon, I have to add it to at least 3 other filters
> besides
> > its own filter!
> >
> > Aren't other people experiencing such problems? Or is no one out there
> using
> > syslog-ng to filter out specific daemons while still catching the
> unlisted
> > daemons in a daemon.log file?
> >
> > There must be a better way...
> >
> > - John...
> >
> > _______________________________________________
> > syslog-ng maillist - syslog-ng@lists.balabit.hu
> > http://lists.balabit.hu/mailman/listinfo/syslog-ng
> >
> > ----------------------------------------------------------------
> >
> >
> >
> >
> >
> >
> > Link is external to the Privacyx.com System
> >
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> http://lists.balabit.hu/mailman/listinfo/syslog-ng