[syslog-ng] Ignoring previously handled/filtered messages
Balazs Scheidler
bazsi@balabit.hu
Fri, 26 May 2000 10:30:50 +0200
> > Agreed. What I'd like is a clause that means "log this only if not yet
> > handled". That way, we get it both ways -- if you don't specify anything, you
> > get the current behavior, in which it would go to both logs. Plus, with the
> > "not-yet-logged" clause, I could catch everything where I want it, and then do
> > the "not-yet-logged" clause just for the remaining facility(daemon), for
> > example.
>
> The DEFAULT filter exists for exactly this purpose. It may be buggy since I
> haven't touched that feature since 1.3.xx (when I implemented it), but the
> syntax looks like this:
>
> log { source(src); filter(DEFAULT); destination(dst); };
>
> DEFAULT filters all not-yet-handled messages. I'll check out the other not
> expression bugs as well.
I tested this, and it seems to work. The configuration I tried:
options { keep_hostname(yes); };
source src { unix-stream("proba2"); internal(); };
destination ftpd { file("ftplog"); };
destination named { file("namedlog"); };
destination daemon { file("daemonlog"); };
filter f_ftpd { match("ftp"); };
filter f_named { match("named"); };
filter f_daemon { facility(daemon); };
log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_daemon); filter(DEFAULT); destination(daemon); };
The lines I logged:
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"
All of them went to the expected location.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt