[syslog-ng]bug? OR dont seem to work right.

[Balazs Scheidler]

> Whenever I combine 2 filters with a 'OR', it matches just about anything.
> (except if those 2 filters are of different kind, like program & facility,
> etc.. )
> 
> For exemple :
>   destination trylog { file("/var/log/CransMisc/try.log" owner("root")
> group("adm") perm(0640)); };
>   filter f_stunnel { program("stunnel"); };
>   filter f_squid { program("squid"); };
>   filter f_try { filter(f_stunnel) or filter (f_squid); };   #(bug1)
>   log { source(src);  filter(f_try);   destination(trylog); };
> 
> will put all kinds of stuff in try.log, with program names that contain
> neither 'tunnel' nor 'squid'.
> (eg: 'cucipop' lines end up in try.log... )
> 
> Same thing if I define f_try directly, without using f_stunnel and f_squid,
> as :
>   filter f_try { program("stunnel") or program("squid"); };   #(bug2)
> Also, the 'or' does strange thing with other filters than 'program', like :
>   filter f_try { program("local2") or facility("local3"); };   #(bug3)

hmm.. Could you send me the exact messages going to wrong place? because I
couldn't reproduce the problem, the filters were working fine. I tried the
following messages:

Jan 18 21:04:04 bzorp squid: Modem hangup 1
Jan 18 21:04:04 bzorp pppd[1911]: Modem hangup 2
Jan 18 21:04:04 bzorp cucipop: Modem hangup 2
Jan 18 21:04:04 bzorp stunnel[1911]: Modem hangup 3

syslog-ng correctly filtered squid and stunnel, others were dropped. I also
tried deleting the PID value, but it didn't change.

> Isn't that a bug in syslog-ng ??

> -- Sam
> PS: this aside, syslog-ng is really great, so much better than the old
> awkward syslogd..

thanks

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt