[syslog-ng] filter(DEFAULT); not working?
Volker Apelt
va@org.chemie.uni-frankfurt.de
Fri, 13 Jul 2001 13:33:15 +0200 (CEST)
Hello,
I tried to use the filter(DEFAULT); expression but failed.
Entries like
<<datum>> www imapd[27520]: open: user va opened INBOX.misc.Tipps-und-Tricks
<<datum>> www imapd[27520]: open: user va opened INBOX.OS.Netware.Tools
<<datum>> www imapd[27520]: open: user va opened INBOX.Abfall
<<datum>> www imapd[27555]: login: apelt-pc.in-house[192.168.51.2] va plaintext
<<datum>> www imapd[27555]: seen_db: user va opened /var/imap/user/v/va.seen
<<datum>> www imapd[27555]: open: user va opened user.va.Listen.SuSE.Security
go to the default destination, too, although they have been written to some
other destination already _and_ are explicitly excluded in the DEFAULT
expression.
Here is the log expression, which is responsible for the mysterious
filter results.
#all, not yet handled, should be low traffic
log { source(src);
      filter(l_warn_or_worse);
      filter(F_not_mail); filter(F_not_news);
      filter(F_not_syslog); filter(f_not_kommunikation);
      filter(DEFAULT);
      destination(daemon); };
Is this a case of documentation misinterpretation?
I have appended a shortened version of my syslog-ng.conf file below.
Thanks
Volker Apelt
--
Volker Apelt Group of Prof. Dr. Ch. Griesinger
Dipl. Chem. Johann Wolfgang Goethe Universität
+49 6172 31126 Frankfurt am Main, Germany
va .@. org.chemie.uni-frankfurt.de (remove the dots, please)
###### part of syslog-ng.conf
options { long_hostnames(off); sync(0); };
source src {
    unix-stream("/dev/log");
    file("/proc/kmsg");
    unix-stream("/cache/chroot/named/dev/log");
    internal(); };
destination daemon { file("/var/log/daemon"); };
destination mailstore_info { file("/var/log/mail/mail_store.info"); };
destination mailstore_warn { file("/var/log/mail/mail_store.warn"); };
destination mailstore_err { file("/var/log/mail/mail_store.err"); };
filter F_news { facility(news); };
filter F_not_mail { not facility(mail); };
filter F_not_user { not facility(user); };
filter F_not_news { not facility(news); };
### Levels
# debug, info, notice, warning, err, crit, alert, emerg
filter l_debug { level(debug); };
filter l_debug_or_worse { level(debug..emerg); };
filter l_info { level(info); };
filter l_info_or_worse { level(info..emerg); };
filter l_normal { level(info..notice); };
filter l_not_debug { level(info..emerg); };
filter l_notice { level(notice); };
filter l_notice_or_worse { level(notice..emerg); };
filter l_warn { level(warn); };
filter l_warn_or_worse { level(warn..emerg); };
filter l_err { level(err); };
filter l_err_or_worse { level(err..emerg); };
filter l_crit { level(crit); };
filter l_crit_or_worse { level(crit..emerg); };
filter l_alert { level(alert); };
filter l_alert_or_worse { level(alert..emerg); };
filter l_emergency { level(emerg); };
filter f_mailstore {
    not program("postfix.*") and (
        program("imapd.*")
        or program("imap.*")
        or program("popper.*")
        or program("procmail.*")
    );
};
filter f_not_kommunikation {
    not program("imap.*")
    and not program("imapd.*")
    and not program("leafnode.*")
    and not program("mailfw.*")
    and not program("popper.*")
    and not program("postfix.*")
    and not program("procmail.*")
    and not program("qmgr.*")
    and not program("sendmail.*")
    and not program("test_filter.*")
    and not program("fetchnews")
    and not program("imapd.*")
    and not program("postfix.*")
    and not program("texpire");
};
#
# a lot of other log {}; destinations ..
#
## mail store server
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_debug_or_worse); destination(dev_null); };
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_normal); destination(mailstore_info); };
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_warn_or_worse); destination(mailstore_warn); };
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_err_or_worse); destination(mailstore_err); };
#all, not yet handled, should be low traffic
log { source(src);
      filter(l_warn_or_worse);
      filter(F_not_mail); filter(F_not_news);
      filter(F_not_syslog); filter(f_not_kommunikation);
      filter(DEFAULT);
      destination(daemon); };