[syslog-ng] Ignoring previously handled/filtered messages

[John Goggan]

Balazs Scheidler wrote:
> The DEFAULT filter exists for exactly this purpose. It may be buggy since I
> haven't touched that feature since 1.3.xx (when I implemented it), but the
> syntax looks like this:
> 
> log { source(src); filter(DEFAULT); destination(dst); };
> 
> DEFAULT filters all not-yet-handled messages. I'll check out the other not
> expression bugs as well.

As I tried to explain before, I have looked into filter(DEFAULT), but it does
NOT do what I want.  The problem is that it only catches EVERYTHING that has
not yet been logged.  I want to do it for specific things (such as a specific
facility).  I think the idea of the DEFAULT filter is what I'm looking for --
but not on such a generic level.

Again, my original desire was as follows:

-log specific daemons (ftpd, telnetd, imapd, sendmail) to their own log files.
-log all other non-specified facility(daemon) messages to a daemon log file
and no where else.

Currently, I can do this if I specify the specific daemons as "not
program(whatever)" in the facility(daemon) filter.  The problem is that each
time I add a new daemon to have its own log, I have to remember to add it to
at least 3 different NOT filters if I don't want it to show up in the daemon
or other various logs!  This is bad.

The filter(DEFAULT) will only catch EVERYTHING that hasn't been logged.  This
isn't good since it will get much more than the leftover facility(daemon)
messages.  If filter(DEFAULT) could be made more specific, then I think it
would be what some of us are asking for.  For example, if I could do
"filter(daemon,DEFAULT)" to get all of the facility(daemon) messages that
hadn't been logged yet, that would make it much more useful.

Of course, I can see people wanting to do "filter(debug,DEFAULT)" instead to
try to catch all of the unfiltered level debug messages, so maybe some other
syntax to be able to specify a facility or level or whatever would be more
appropriate...

Thanks...

 - John...