[syslog-ng] Ignoring previously handled/filtered messages

Balazs Scheidler bazsi@balabit.hu
Sat, 27 May 2000 11:53:28 +0200


> > I tested this, and it seems to work. The configuration I tried:
> > 
> > options { keep_hostname(yes); };
> > 
> > source src { unix-stream("proba2"); internal(); };
> > 
> > destination ftpd { file("ftplog"); };
> > destination named { file("namedlog"); };
> > destination daemon { file("daemonlog"); };
> > 
> > filter f_ftpd { match("ftp"); };
> > filter f_named { match("named"); };
> > filter f_daemon { facility(daemon); };
> > 
> > log { source(src); filter(f_ftpd); destination(ftpd); };
> > log { source(src); filter(f_named); destination(named); };
> > log { source(src); filter(f_daemon); filter(DEFAULT); destination(daemon); };
> 
> I'm confused here...   Does that last line above cause JUST the unlogged
> filter(f_daemon) messages to go to the daemon destination?  Or would it also
> catch any other unfiltered (non-daemon-facility) messages also?
> 
> Are multiple filters on a log line treated as "OR" or as "AND" filters? 
> Meaning does it only log where the message passes both filters?  Or where it
> passes either filter listed?  If it does an "AND" and it must pass both
> filters, then you are correct and this will do exactly what I desire.  Thanks!

They are ANDed. I've written a paragraph about log path evaluation in the
documentation.

> 
> > The lines I logged:
> > 
> > balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
> > balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
> > balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"
> > 
> > All of them went to the expected location.
> 
> So, the "ftp" one went only to the ftplog, the "named" went only to the
> namedlog, and the "qqq" went only to the daemonlog, correct?

yes.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
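
The evaluation rules confirmed in this thread, as an added Python model that is not part of the original message and is not syslog-ng code. The names `route`, `LOG_PATHS` and `SAMPLES` are hypothetical, and the `DEFAULT` behaviour (pass only when no earlier log statement matched) is an assumption inferred from the results reported above.

```python
import re

# Sentinel for filter(DEFAULT). Assumption: it passes only messages that
# no earlier log statement has already matched.
DEFAULT = object()

def match(pattern):
    """Model of match("..."): regex search over the message text."""
    return lambda msg: re.search(pattern, msg["text"]) is not None

def facility(name):
    """Model of facility(...): exact comparison on the facility name."""
    return lambda msg: msg["facility"] == name

# Mirrors the three log statements from the quoted configuration.
LOG_PATHS = [
    ([match("ftp")], "ftplog"),
    ([match("named")], "namedlog"),
    ([facility("daemon"), DEFAULT], "daemonlog"),
]

def route(msg, log_paths=LOG_PATHS):
    """Return the destinations msg is written to, in statement order."""
    destinations = []
    matched_earlier = False
    for filters, dest in log_paths:
        # Every filter listed in one log statement must pass (AND).
        passed = all(
            (not matched_earlier) if f is DEFAULT else f(msg)
            for f in filters
        )
        if passed:
            destinations.append(dest)
            matched_earlier = True
    return destinations

# Constructed messages matching the three logger calls (all daemon.info).
SAMPLES = [{"facility": "daemon", "text": t} for t in ("ftp", "named", "qqq")]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["text"], "->", route(m))
```

Because the filters are ANDed, a message that no earlier statement matched but that is not in the daemon facility reaches no destination in this model, so a configuration like this needs a separate catch-all statement if such messages must not be dropped.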