[syslog-ng] Ignoring previously handled/filtered messages

Balazs Scheidler bazsi@balabit.hu
Fri, 26 May 2000 10:30:50 +0200

> > Agreed.  What I'd like is a clause that means "log this only if not yet
> > handled".  That way, we get it both ways -- if you don't specify anything, you
> > get the current behavior, in which it would go to both logs.  Plus, with the
> > "not-yet-logged" clause, I could catch everything where I want it, and then do
> > the "not-yet-logged" clause just for the remaining facility(daemon), for
> > example.
> The DEFAULT filter exists for exactly this purpose. It may be buggy since I
> haven't touched that feature since 1.3.xx (when I implemented it), but the
> syntax looks like this:
> log { source(src); filter(DEFAULT); destination(dst); };
> DEFAULT filters all not-yet-handled messages. I'll check out the other not
> expression bugs as well.

I tested this, and it seems to work. The configuration I tried:

options { keep_hostname(yes); };

source src { unix-stream("proba2"); internal(); };

destination ftpd { file("ftplog"); };
destination named { file("namedlog"); };
destination daemon { file("daemonlog"); };

filter f_ftpd { match("ftp"); };
filter f_named { match("named"); };
filter f_daemon { facility(daemon); };

log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_daemon); filter(DEFAULT); destination(daemon); };

The lines I logged:

balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"

All of them went to the expected location.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt