[syslog-ng] Filtering "syslog-ng daemon" logs

Balazs Scheidler bazsi@balabit.hu
Tue, 5 Jun 2001 09:21:14 +0200


On Mon, Jun 04, 2001 at 01:06:11PM -0700, Eric Parusel wrote:
> Hi,
> 
>     I'd like to filter out the syslog-ng logs that I get in my
> /var/log/messages file.
> Can I use a command-line flag to turn off these logs?:
> 
> Jun  4 10:20:00 ldap1 syslog-ng[84369]: io.c: do_write: write() failed
> (errno 32), Broken pipe
> Jun  4 10:20:00 ldap1 syslog-ng[84369]: Connection broken, reopening
> in 60 seconds
> Jun  4 10:21:00 syslog1 syslog-ng[274]: AF_INET client connected from
> 127.0.0.1, port 1046
> 
> If not, will the following filter work?
> 
> filter f_nosyslog-ng { program("syslog-ng") and ( match("io\.c\:") or
> match("Connection\ broken\,\ reopening") or match("SIGHUP") or
> match("AF_INET_client") ); };
> 
> Did I use the brackets correctly?  filter foo { program() and
>  (match() or match() ); };
> I'm no expert with regular expressions or syslog-ng filters, so bear
> with me :)

An easier solution would be to separate your internal() source from your
other logs like this:

source s_internal { internal(); };
source s_local { unix-stream("/dev/log"); };

destination d_messages { file("/var/log/messages"); };
destination d_syslogng { file("/var/log/syslogng"); };

log { source(s_internal); destination(d_syslogng); };
log { source(s_local); destination(d_messages); };

> As well, I'm using a tcp connection over stunnel, I would assume that
> it is normal to receive these messages occasionally?

If your network goes out of service your connections will most probably be
broken.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
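To check the bracket structure and the regular expressions in the question's filter, here is an added example (not from the original thread and not syslog-ng code) that emulates the program() / match() evaluation in Python over constructed lines modelled on the quoted messages; the helper names, the extra sshd line and the assumption that match() searches the message text are all assumptions of this example.

```python
import re
from typing import Callable

# Constructed sample lines (program field, message text), shaped like the
# messages quoted in the question plus one non-syslog-ng line for contrast.
SAMPLE_LINES = [
    ("syslog-ng", "io.c: do_write: write() failed (errno 32), Broken pipe"),
    ("syslog-ng", "Connection broken, reopening in 60 seconds"),
    ("syslog-ng", "AF_INET client connected from 127.0.0.1, port 1046"),
    ("sshd", "Connection broken, reopening in 60 seconds"),  # same text, other program
]

def program(name: str) -> Callable[[str, str], bool]:
    """Emulates the program() filter: exact match on the program field."""
    return lambda prog, msg: prog == name

def match(pattern: str) -> Callable[[str, str], bool]:
    """Emulates match(): regular-expression search in the message text (assumption)."""
    rx = re.compile(pattern)
    return lambda prog, msg: rx.search(msg) is not None

def f_nosyslogng_question(prog: str, msg: str) -> bool:
    """program() AND (match OR match OR match OR match), bracketed as in the question."""
    return program("syslog-ng")(prog, msg) and (
        match(r"io\.c\:")(prog, msg)
        or match(r"Connection\ broken\,\ reopening")(prog, msg)
        or match("SIGHUP")(prog, msg)
        or match("AF_INET_client")(prog, msg)  # underscore never matches "AF_INET client"
    )

def f_nosyslogng_fixed(prog: str, msg: str) -> bool:
    """Same structure; plain spaces and no needless escapes in the patterns."""
    return program("syslog-ng")(prog, msg) and (
        match(r"io\.c:")(prog, msg)
        or match("Connection broken, reopening")(prog, msg)
        or match("SIGHUP")(prog, msg)
        or match("AF_INET client")(prog, msg)
    )

def selected_indexes(flt: Callable[[str, str], bool], lines=SAMPLE_LINES) -> list:
    """Indexes of the lines a filter would select (i.e. route away from messages)."""
    return [i for i, (prog, msg) in enumerate(lines) if flt(prog, msg)]

if __name__ == "__main__":
    print("question:", selected_indexes(f_nosyslogng_question))  # [0, 1]
    print("fixed:   ", selected_indexes(f_nosyslogng_fixed))     # [0, 1, 2]
```

The brackets are right: program() gates every match(), so the sshd line is never selected; only the fourth pattern needs the space instead of the underscore to catch the AF_INET line.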