[syslog-ng]Ok, I think I've got it now...

Hamilton, Andrew Mr RAYTHEON 5 SIG CMD HamiltonA@hq.5sigcmd.army.mil
Mon, 6 Aug 2001 06:50:18 +0200


Michael,

Syslog-ng is supposed to do this.  As long as the message matches any
filter, which in your case it does, syslog-ng will log the message.  The
only way to prevent this is to make your filters unique.  Your configuration
looks good but several of your filters will cause your messages to match
more than once and will log multiple times.

Regards,
Drew
-----Original Message-----
From: Michael Hargadon [mailto:MHargadon@ITDepartment.com]
Sent: Friday, August 03, 2001 7:34 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Ok, I think I've got it now...


Good afternoon.

Some time ago I posted a question about matching RegExes and filtering log
messages using Syslog-NG.  After some investigation, I've determined the
following:

1) My regexps are defined properly
2) Messages are being matched and diverted to the appropriate location
3) The matched messages are still showing up in /var/log/syslog anyways.

Since I'm attempting to monitor about fifty Windows NT computers I need some
way by which I can filter out the more useless messages (document x was
printed, some sucker logged off, etc.).  My configuration is as follows:

options { long_hostnames(off); sync(0); };
source src { unix-stream("/dev/log"); internal(); udp(); file("/proc/kmsg"); };
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
destination syslog { file("/var/log/syslog" owner("root") group("adm") perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm") perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm") perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm") perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm") perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm") perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm") perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm") perm(0640)); };
# Note: perm(0666) makes /var/log/filtered world-writable, unlike the other 0640 files.
destination null { file("/var/log/filtered" owner("root") group("root") perm(0666)); };
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm") perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm") perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm") perm(0640)); };
destination debug { file("/var/log/debug" owner("root") group("adm") perm(0640)); };
destination messages { file("/var/log/messages" owner("root") group("adm") perm(0640)); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty8"); };
destination xconsole { pipe("/dev/xconsole"); };
destination ppp { file("/var/log/ppp.log" owner("root") group("adm") perm(0640)); };
# The news log statements below reference newscrit, newserr and newsnotice, which the
# original post never defines; these definitions are assumed (not in the original post)
# so that the configuration parses.
destination newscrit { file("/var/log/news/news.crit" owner("root") group("adm") perm(0640)); };
destination newserr { file("/var/log/news/news.err" owner("root") group("adm") perm(0640)); };
destination newsnotice { file("/var/log/news/news.notice" owner("root") group("adm") perm(0640)); };

# Filters here

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
        and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
filter ppp { facility(local2); };

# Begin NT Event Log Filters Here
# Successful Logon
# one sample only please
filter f_nt0014 { match("POP3 connection accepted from"); };

# Log destinations now please
log  { source(src);  filter(f_nt0014); destination(null); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };


log { source(src); filter(f_cnews); destination(xconsole); };
log { source(src); filter(f_cother); destination(xconsole); };

log { source(src); filter(ppp); destination(ppp); };


Now, if I receive a message as follows:
Aug  3 12:55:40 Mail Application        236515  Fri Aug 03 12:53:55 2001
1073818460      MSExchange Pop3 Interface    N/A      N/A     Information
xxxxxxx  POP3 connection accepted from xxx.xxx.xxx.xx

I'll see that message pop up in /var/log/filtered.  I'll also see exactly
the same message pop up in /var/log/syslog.  I know I've got to be
overlooking something quite obvious here -- can anyone offer any assistance
with this?

Regards,
Michael Hargadon

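The behaviour Drew describes (every log statement whose filter matches delivers its own copy) and the overlap in the posted configuration can be checked with a small simulation. This is an added example, not code from the post or from syslog-ng itself; it re-implements only the facility(), level() and match() filter semantics in Python, and assumes the Exchange POP3 event arrives as facility user at level info.

```python
import re

# Syslog severities, lowest first; level(a .. b) is a range in this order.
LEVELS = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]

def facility(*names):
    return lambda m: m["facility"] in names

def level(low, high=None):
    lo, hi = LEVELS.index(low), LEVELS.index(high or low)
    return lambda m: lo <= LEVELS.index(m["level"]) <= hi

def match(pattern):
    return lambda m: re.search(pattern, m["msg"]) is not None

def not_(f):
    return lambda m: not f(m)

def and_(*fs):
    return lambda m: all(f(m) for f in fs)

def destinations_for(log_paths, message):
    """syslog-ng semantics: every log statement whose filter matches gets a copy."""
    return [dest for flt, dest in log_paths if flt(message)]

# The filters from the posted configuration that a facility-user event can hit.
f_nt0014 = match("POP3 connection accepted from")
f_syslog = not_(facility("auth", "authpriv"))
f_user = facility("user")
f_debug = not_(facility("auth", "authpriv", "news", "mail"))
f_messages = and_(level("info", "warn"),
                  not_(facility("auth", "authpriv", "cron", "daemon", "mail", "news")))

ORIGINAL = [(f_nt0014, "/var/log/filtered"), (f_syslog, "/var/log/syslog"),
            (f_user, "/var/log/user.log"), (f_debug, "/var/log/debug"),
            (f_messages, "/var/log/messages")]

# Drew's fix: make every other filter disjoint from the diverted pattern.
def exclusive(f):
    return and_(f, not_(f_nt0014))

FIXED = [(f_nt0014, "/var/log/filtered")] + [(exclusive(f), d) for f, d in ORIGINAL[1:]]

# Constructed sample events (assumed facility user, level info), modelled on the post.
POP3_EVENT = {"facility": "user", "level": "info",
              "msg": "MSExchange Pop3 Interface Information POP3 connection accepted from 192.0.2.10"}
OTHER_EVENT = {"facility": "user", "level": "info", "msg": "document report.doc was printed"}

if __name__ == "__main__":
    print(destinations_for(ORIGINAL, POP3_EVENT))  # five copies of the same line
    print(destinations_for(FIXED, POP3_EVENT))     # only /var/log/filtered
```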

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng