[syslog-ng]Why can't I get NOT to work in a filter?

Chad White CAWhite@medicalogic.com
Wed, 13 Feb 2002 13:46:22 -0800


Hi all,
I am trying to filter out some things from my log files using a filter with
a NOT command and I can't get it to work.  I am running Syslog-ng 1.4.14 on
Solaris 8 (SPARC).  What I am trying to do in this case is ensure that sudo
doesn't get logged into my /var/adm/messages file.  Here are the pertinent
lines of my config file:

options { dir_perm(0755); perm(0640); owner(root); group(wheel);
chain_hostnames(no); keep_hostname(yes); };

source local {
        sun-streams("/dev/log" door ("/etc/.syslog_door") );
        internal();
};

filter not_sudo {
        not facility(local2);
};
filter notice_emerg {
        level(notice...emerg);
};

destination messages {
        file("/var/adm/messages" create_dirs(yes));
};

log { source(local); filter(notice_emerg); filter(not_sudo);
destination(messages); };

Now, it is my understanding that the filters are AND'd together so that log
statement should basically say "log everything with a level between notice
and emergency unless it is facility(local2)."  However, I am still getting
this in my log files:

Dec 30 03:32:24 hqmon /usr/local/bin/sudo: [ID 850335 local2.notice] nobody : TTY=unknown ; PWD=/opt/bb18d ; USER=root ; COMMAND=/usr/sbin/vxdisk check rootdisk

Also, another filter that dumps everything from facility(local2) does dump
all the sudo stuff into a file like I want.

Starting to feel like an idiot since I can't get this to work. Can someone
give me some pointers to filtering out just a few cases based on facility or
strings?

thx,
--Chad
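Added example, not from the original post and not syslog-ng code: a small Python checker that applies the AND-of-filters semantics the log statement above is meant to have (level notice...emerg, AND NOT facility local2) to constructed Solaris-style lines, reading facility and level from the `[ID nnn facility.level]` tag. It shows which lines that combination should keep, so the result in the real log file can be compared against it.

```python
import re

# Syslog severities, numeric values as in syslog(3): lower number = more severe.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7}

# Solaris syslogd tags each line with "[ID <msgid> <facility>.<level>]".
# Assumption: every sample line carries that tag; untagged lines are not matched.
TAG_RE = re.compile(r"\[ID \d+ (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+)\]")


def parse_line(line):
    """Return (facility, level) from the Solaris message-ID tag, or None."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return m.group("facility"), m.group("level")


def level_in_range(level, low, high):
    """True if level lies between low and high inclusive, like level(low...high)."""
    lo, hi = sorted((LEVELS[low], LEVELS[high]))
    return lo <= LEVELS[level] <= hi


def should_log(line, drop_facilities=("local2",), low="notice", high="emerg"):
    """Mimic the intended log statement: all filters are ANDed, so a line passes
    only if its level is within notice...emerg AND its facility is not local2."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    facility, level = parsed
    if level not in LEVELS:
        return False
    return level_in_range(level, low, high) and facility not in drop_facilities


def filter_lines(lines):
    """Return only the lines the combined filters would pass to the destination."""
    return [line for line in lines if should_log(line)]


# Constructed sample lines; the first mirrors the sudo line quoted in the post.
SAMPLES = [
    "Dec 30 03:32:24 hqmon /usr/local/bin/sudo: [ID 850335 local2.notice] "
    "nobody : TTY=unknown ; PWD=/opt/bb18d ; USER=root ; COMMAND=/usr/sbin/vxdisk check rootdisk",
    "Dec 30 03:33:01 hqmon sshd[123]: [ID 800047 auth.info] constructed login line",
    "Dec 30 03:33:05 hqmon unix: [ID 123456 kern.warning] constructed warning line",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("KEEP" if should_log(line) else "DROP", line[:60])
```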