[syslog-ng]Why can't I get NOT to work in a filter?
Chad White
CAWhite@medicalogic.com
Wed, 13 Feb 2002 13:46:22 -0800
Hi all,
I am trying to filter out some things from my log files using a filter with
a NOT command and I can't get it to work. I am running Syslog-ng 1.4.14 on
Solaris 8 (SPARC). What I am trying to do in this case is ensure that sudo
doesn't get logged into my /var/adm/messages file. Here are the pertinent
lines of my config file:
options { dir_perm(0755); perm(0640); owner(root); group(wheel); chain_hostnames(no); keep_hostname(yes); };
source local {
sun-streams("/dev/log" door ("/etc/.syslog_door") );
internal();
};
filter not_sudo {
not facility(local2);
};
filter notice_emerg {
level(notice...emerg);
};
destination messages {
file("/var/adm/messages" create_dirs(yes));
};
log { source(local); filter(notice_emerg); filter(not_sudo); destination(messages); };
Now, it is my understanding that the filters are AND'd together so that log
statement should basically say "log everything with a level between notice
and emergency unless it is facility(local2)." However, I am still getting
this in my log files:
Dec 30 03:32:24 hqmon /usr/local/bin/sudo: [ID 850335 local2.notice] nobody : TTY=unknown ; PWD=/opt/bb18d ; USER=root ; COMMAND=/usr/sbin/vxdisk check rootdisk
Also another filter that dumps everything from facility(local2) does dump
all the sudo stuff into a file like I want.
Starting to feel like an idiot since I can't get this to work. Can someone
give me some pointers to filtering out just a few cases based on facility or
strings?
thx,
--Chad
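The post describes the intended semantics of the log statement: the filters are AND'd, so a message is written only if its level lies in notice...emerg AND its facility is not local2. The following Python model is an added example, not code from the post or from syslog-ng; it parses the Solaris "[ID nnnnnn facility.level]" tag from the kind of line quoted above and applies those two filters exactly as described. The sample lines are constructed (only the sudo line is taken from the post), and the level ordering follows the standard syslog severities (emerg=0 ... debug=7). Running a model like this against the same input the daemon sees is a quick way to separate "my config does not mean what I think" from "the daemon is not doing what the config says", which is the distinction the question turns on.

```python
import re

# Constructed sample lines in the Solaris 8 syslog format quoted in the post.
# Only the first line is from the post; the others are made up for the example.
SAMPLE_LINES = [
    "Dec 30 03:32:24 hqmon /usr/local/bin/sudo: [ID 850335 local2.notice] nobody : "
    "TTY=unknown ; PWD=/opt/bb18d ; USER=root ; COMMAND=/usr/sbin/vxdisk check rootdisk",
    "Dec 30 03:33:01 hqmon sshd[123]: [ID 800047 auth.info] constructed: accepted publickey for alice",
    "Dec 30 03:34:10 hqmon unix: [ID 100000 kern.crit] constructed: disk error on c0t0d0",
    "Dec 30 03:35:00 hqmon cron[456]: [ID 702911 cron.notice] constructed: job completed",
]

# Standard syslog severities: a lower number means more severe.
LEVELS = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Solaris prepends "[ID <msgid> <facility>.<level>]" to each message.
TAG_RE = re.compile(r"\[ID \d+ (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+)\]")


def parse_tag(line):
    """Return (facility, level) from the Solaris ID tag, or None if absent."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    return m.group("facility"), m.group("level")


def level_in_range(level, low="notice", high="emerg"):
    """Mimic syslog-ng's level(low...high): inclusive range by severity.

    Because emerg is 0 and notice is 5, "notice...emerg" means every
    severity number from 5 down to 0, i.e. notice and anything more severe.
    """
    if level not in LEVELS:
        return False
    return LEVELS[high] <= LEVELS[level] <= LEVELS[low]


def notice_emerg(facility, level):
    """filter notice_emerg { level(notice...emerg); };"""
    return level_in_range(level, "notice", "emerg")


def not_sudo(facility, level):
    """filter not_sudo { not facility(local2); };"""
    return facility != "local2"


def log_passes(line, filters=(notice_emerg, not_sudo)):
    """A log statement with several filter() references ANDs them together."""
    parsed = parse_tag(line)
    if parsed is None:
        return False
    facility, level = parsed
    return all(f(facility, level) for f in filters)


def apply_filters(lines):
    """Return the lines that would reach destination(messages) under the model."""
    return [line for line in lines if log_passes(line)]


if __name__ == "__main__":
    for line in apply_filters(SAMPLE_LINES):
        print(line)
```

With the intended semantics, the sudo line (local2.notice) is dropped by not_sudo and the sshd line (auth.info) is dropped by notice_emerg, leaving only the kern.crit and cron.notice lines. If the daemon on the box writes the sudo line to /var/adm/messages while this model excludes it, the discrepancy lies in how that syslog-ng version evaluates the config rather than in the reading of the AND semantics.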