[syslog-ng]filter(DEFAULT); not working?

Volker Apelt va@org.chemie.uni-frankfurt.de
Fri, 13 Jul 2001 13:33:15 +0200 (CEST)


Hallo,

I tried to use the filter(DEFAULT); expression but failed.

Entries like 
<<datum>> www imapd[27520]: open: user va opened INBOX.misc.Tipps-und-Tricks                                                                                
<<datum>> www imapd[27520]: open: user va opened INBOX.OS.Netware.Tools                                                                                     
<<datum>> www imapd[27520]: open: user va opened INBOX.Abfall                                                                                               
<<datum>> www imapd[27555]: login: apelt-pc.in-house[192.168.51.2] va plaintext                                                                             
<<datum>> www imapd[27555]: seen_db: user va opened /var/imap/user/v/va.seen                                                                                
<<datum>> www imapd[27555]: open: user va opened user.va.Listen.SuSE.Security       

go to the default destination, too, although they have been written to some
other destination already _and_ are explicitly excluded in the DEFAULT
expression.

Here is the log expression, which is responsible for the mysterious 
filter results.

#all, not yet handled, should be low traffic 
log {   source(src);          
        filter(l_warn_or_worse); 
        filter(F_not_mail);   filter(F_not_news); 
        filter(F_not_syslog); filter(f_not_kommunikation);
        filter(DEFAULT); 
        destination(daemon); };

Is this a case of docu missinterpretation ?

I have appended a shortend version of my syslog-ng.conf file a below. 

Thanks


Volker Apelt
--
Volker Apelt                 Group of Prof. Dr. Ch. Griesinger
Dipl. Chem.                  Johann Wolfgang Goethe Universitšt 
+49 6172 31126               Frankfurt am Main, Germany 
va  .@.  org.chemie.uni-frankfurt.de (remove the dots, please)   

###### part of syslog-ng.conf

options { long_hostnames(off); sync(0); }; 

source src { 
        unix-stream("/dev/log"); 
        file("/proc/kmsg"); 
        unix-stream("/cache/chroot/named/dev/log"); 
        internal(); };

destination daemon         { file("/var/log/daemon"); };
destination mailstore_info { file("/var/log/mail/mail_store.info"); };
destination mailstore_warn { file("/var/log/mail/mail_store.warn"); };
destination mailstore_err  { file("/var/log/mail/mail_store.err");  };


filter F_news     { facility(news); };
filter F_not_mail { not facility(mail); };
filter F_not_user { not facility(user); }; 
filter F_not_news { not facility(news); };

### Levels
# debug, info, notice, warning, err, crit, alert, emerg
filter l_debug           { level(debug); };
filter l_debug_or_worse  { level(debug..emerg); };
filter l_info            { level(info); };
filter l_info_or_worse   { level(info..emerg); };
filter l_normal          { level(info..notice); };
filter l_not_debug       { level(info..emerg); };
filter l_notice          { level(notice); };
filter l_notice_or_worse { level(notice..emerg); };
filter l_warn            { level(warn); };
filter l_warn_or_worse   { level(warn..emerg); };
filter l_err             { level(err); };
filter l_err_or_worse    { level(err..emerg); };
filter l_crit            { level(crit); };
filter l_crit_or_worse   { level(crit..emerg); };
filter l_alert           { level(alert); };
filter l_alert_or_worse  { level(alert..emerg); };
filter l_emergency       { level(emerg); };


filter f_mailstore {
        not program("postfix.*") and (
            program("imapd.*") 
        or  program("imap.*") 
        or  program("popper.*") 
        or  program("procmail.*")
        ) ;        
};        

filter f_not_kommunikation {
            not program("imap.*") 
        and not program("imapd.*")
        and not program("leafnode.*") 
        and not program("mailfw.*") 
        and not program("popper.*") 
        and not program("postfix.*") 
        and not program("procmail.*")
        and not program("qmgr.*") 
        and not program("sendmail.*")
        and not program("test_filter.*") 
        and not program("fetchnews")
        and not program("imapd.*") 
        and not program("postfix.*") 
        and not program("texpire");
};        

#
# a lot of other log {}; destinations ..
#

## mail store server 
log { source(src); filter(F_mail);filter(f_mailstore); filter(l_debug_or_worse); destination(dev_null);};
log { source(src); filter(F_mail);filter(f_mailstore); filter(l_normal); destination(mailstore_info);};
log { source(src); filter(F_mail);filter(f_mailstore); filter(l_warn_or_worse); destination(mailstore_warn);};
log { source(src); filter(F_mail);filter(f_mailstore); filter(l_err_or_worse); destination(mailstore_err);};

#all, not yet handled, should be low traffic 
log {   source(src);          
        filter(l_warn_or_worse); 
        filter(F_not_mail);   filter(F_not_news); 
        filter(F_not_syslog); filter(f_not_kommunikation);
        filter(DEFAULT); 
        destination(daemon); };