[syslog-ng]syslog-ng.conf

Hamilton, Andrew Mr RAYTHEON 5 SIG CMD HamiltonA@hq.5sigcmd.army.mil
Wed, 11 Jul 2001 16:02:01 +0200


And there is always the $HOST macro filter, with which you could separate all
the hosts into their own files.

destination d_host_logs { file("/var/adm/hosts/$HOST.log"); };

That would save you the performance hit, unless there were a great many
hosts and you ran out of open file descriptor slots.  Of course this may not
be really what you want, as this would put everything in a separate file by
host.  Depends on what you need to do.

Regards,
Drew
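The per-host layout above, written out as a complete configuration so it can be dropped into a test instance. This is an added example, not code from the thread: the source name s_net, the listening port, the /var/adm/hosts directory and the option values are assumptions. The options used (keep_hostname, check_hostname, use_dns, create_dirs, time_reap, and the file destination's owner/group/perm) are documented syslog-ng options; verify their availability against the release in use. time_reap() is what bounds the open-descriptor problem mentioned above, and the hostname options matter because $HOST is, in the end, data that arrived from the network.

```conf
# Added example: one log file per sending host via the $HOST macro.
# s_net, d_host_logs, the port and the directory are assumptions.
options {
    # With keep_hostname(no) syslog-ng derives $HOST from the peer address
    # (a bare IP here, since use_dns is off) instead of trusting whatever
    # hostname the sender wrote into the syslog header.  If you do keep the
    # sender's hostname, check_hostname(yes) rejects values with characters
    # outside the permitted set, so the expanded file name cannot be steered
    # out of /var/adm/hosts/ by a hostile client.
    keep_hostname(no);
    check_hostname(yes);
    use_dns(no);            # no blocking DNS lookup per received packet
    create_dirs(yes);       # create /var/adm/hosts on first use
    time_reap(60);          # close a host's file after 60 s idle, freeing its fd
};

source s_net { udp(ip("0.0.0.0") port(514)); };

destination d_host_logs {
    file("/var/adm/hosts/$HOST.log" owner("root") group("adm") perm(0640));
};

log { source(s_net); destination(d_host_logs); };
```

With time_reap() set, the number of simultaneously open files tracks the number of hosts that logged within the last minute rather than the total number of hosts ever seen, which is the check to run (lsof against the syslog-ng process) if descriptor exhaustion is a concern.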

-----Original Message-----
From: Nijs, Daniel [mailto:NijsD@telergy.net]
Sent: Wednesday, July 11, 2001 3:13 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng]syslog-ng.conf


This is what I had in mind, but I am not sure what the performance overhead
will be when I have many rules of this type where I want the data in a
separate file.  For now it will do the job, but hopefully this (a directive
to stop processing the rules any further) could be an option added to the
filter statement in a future release.  Thanks for the help.

Best regards,

Dan

-----Original Message-----
From: Hamilton, Andrew Mr RAYTHEON 5 SIG CMD
[mailto:HamiltonA@hq.5sigcmd.army.mil]
Sent: Wednesday, July 11, 2001 6:13 AM
To: 'syslog-ng@lists.balabit.hu'
Cc: Nijs, Daniel
Subject: RE: [syslog-ng]syslog-ng.conf


Dan,

It's true that syslog-ng continues to log after a match was found, and this
is a necessary function of the software.  It logs as long as a match is
found.  Your best bet is to filter out the things you don't want in the log
by using the boolean operators in your filters:

filter f_host_ip { facility(daemon) and not host("10.10.10.10"); };

Something of this nature and then add your host in a filter:

filter f_myhost { facility(daemon) and host("10.10.10.10"); };

Like that.

Hope that helps.

Regards,
Drew
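The two filters above placed into complete log paths, as an added example rather than code posted in the thread. The source definition, the match() pattern standing in for the "document name" criterion, and the file paths are assumptions; the host address is the one used in the messages above. The point of the negated host() in the second filter is that the two log statements become mutually exclusive whatever order they appear in, which is the behaviour Dan asked for. The commented alternative at the end uses the flags(final) log flag that later syslog-ng releases (1.6 and newer) added for exactly this purpose.

```conf
# Added example: one host's web hits go to ip.log, all other matching
# hits go to hits.log, and no line appears in both files.
# s_net, the port, the paths and the match() pattern are assumptions.
source s_net { udp(ip("0.0.0.0") port(514)); };

# Lines of interest: daemon facility plus a document name in the message.
filter f_hits   { facility(daemon) and match("GET /index.html"); };

# The host to split out.  host() compares against $HOST, which over UDP is
# either the peer address or the sender-supplied header text; neither is
# authenticated, so this is log routing, not an access control.
filter f_myhost { facility(daemon) and host("10.10.10.10"); };

# Same criteria minus that host.  The negation lives in the filter itself,
# so the two log statements below cannot both accept the same message.
filter f_hits_other {
    facility(daemon) and match("GET /index.html") and not host("10.10.10.10");
};

destination d_hits { file("/var/log/hits.log"); };
destination d_ip   { file("/var/log/ip.log");   };

# Several filter() references in one log statement are ANDed together.
log { source(s_net); filter(f_hits); filter(f_myhost); destination(d_ip);   };
log { source(s_net); filter(f_hits_other);             destination(d_hits); };

# In syslog-ng 1.6 and newer the "stop processing further rules" directive
# exists as a log flag.  With it the negation is no longer needed, but the
# order of the log statements then decides which file a line ends up in:
#
# log { source(s_net); filter(f_hits); filter(f_myhost); destination(d_ip); flags(final); };
# log { source(s_net); filter(f_hits); destination(d_hits); };
```

The cost of the boolean approach is that every message is evaluated against every filter, which is the overhead the follow-up message worries about; the cost of the flags(final) approach is that a reordering of log statements silently changes routing, so a comment or a test message per rule is worth keeping next to the configuration.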

-----Original Message-----
From: Nijs, Daniel [mailto:NijsD@telergy.net]
Sent: Tuesday, July 10, 2001 9:28 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]syslog-ng.conf


Hello,

I am relatively new to syslog-ng (only been running it for a month) and love
the software.  I would like to congratulate the author on doing such a great
job.  This is a powerful product, and with this comes complexity, and I have
a few questions I am not able to find an answer for.

I have a webserver logging to a centralized host, and I filter the logs
using specific criteria (i.e. document name).  Let's give this file a name
to make this question easier to understand.  I log this data to hits.log.
Now, I want to filter out a certain IP to a separate file (ip.log), and not
show the entries that were logged to ip.log in hits.log.  It seems that
syslog-ng keeps processing all rules, even after there was a match.  I was
hoping that there was an option to stop processing any further rules for
that matched data to solve this problem, but am unable to find any solution.
Does anyone have any suggestions on how to do this?  Thanks.

Best regards,

Dan

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
