[syslog-ng] Ignoring previously handled/filtered messages

[John Goggan]

Balazs Scheidler wrote:
> I tested this, and it seems to work. The configuration I tried:
> 
> options { keep_hostname(yes); };
> 
> source src { unix-stream("proba2"); internal(); };
> 
> destination ftpd { file("ftplog"); };
> destination named { file("namedlog"); };
> destination daemon { file("daemonlog"); };
> 
> filter f_ftpd { match("ftp"); };
> filter f_named { match("named"); };
> filter f_daemon { facility(daemon); };
> 
> log { source(src); filter(f_ftpd); destination(ftpd); };
> log { source(src); filter(f_named); destination(named); };
> log { source(src); filter(f_daemon); filter(DEFAULT); destination(daemon); };

I'm confused here...   Does that last line above cause JUST the unlogged
filter(f_daemon) messages to go to the daemon destination?  Or would it also
catch any other unfiltered (non-daemon-facility) messages also?

Do multiple filters on a log line treated as "OR" or as "AND" filters? 
Meaning does it only log where the messages passes both filters?  Or where it
passes either filter listed?  If it does an "AND" and it must pass both
filters, then you are correct and this will do exactly what I desire.  Thanks!

> The lines I logged:
> 
> balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
> balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
> balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"
> 
> All of them went to the expected location.

So, the "ftp" one went only to the ftplog, the "named" when only to the
namedlog, and the "qqq" went only to the daemonlog, correct?

Thanks for your time and explaining this...

 - John...