[syslog-ng] position dependency of rules and "flags(final);"

Volker Apelt volker_apelt@yahoo.de
Fri, 15 Mar 2002 02:52:38 +0100 (CET)


Hello,


Are syslog rules position dependent?

Is "flags(final);" position dependent?

Is example #1 different from #2 in what it logs?

Theory: 

# example 1  
log { source; filter1; destination1;  }
log { source; filter1; filter2; destination2; flags(final); }

# example 2
log { source; filter1; filter2; destination2; flags(final); }
log { source; filter1; destination1;  }

Let's say that filter2 matches only a subset of
the messages caught by filter1, and define:

  set1 := messages matched by filter1
  set2 := messages matched by filter2
  setLeftover := set1 without the messages of set2
which means
  set1 == setLeftover + set2

In example #2 destination1 receives the
messages of setLeftover and destination2
receives set2.

But if rules+final are position dependent,
then destination1 in example #1 will log _all_
messages of source1, _including_ those of filter2.
So, destination1 receives the messages of set1.

If they are not position dependent, both destinations
will receive the same message sets as in example #2.


Is syslog-ng implemented in a way to 


Or as a practical example from my configuration:

Will this configuration do what it is intended to?

## in pseudo code of what I am trying to do.
if ( is it from "ssh" ) {
    if ( is loglevel equal or worse than "error" ) {
        send it to D_udp_network and D_tty_all
    }
    send it to D_ssh
    final ; # i.e.: don't send it any place else
}

##
I'll try to solve that with two different rules,
one with flags(final) and one without.

I try to log all messages of ssh into one file,
and all messages of ssh above a certain log level
(error or worse) shall be sent to another destination
(network + alert tty), too.

All messages caught by the second rule must be 
logged to the first destination and 

No message from ssh shall be logged any place else,
and I don't want to write a filter(f_no_ssh); into 
each and every log{} rule.

#
A message from ssh with loglevel emergency
If syslog rules are position dependent

####
options { long_hostnames(off); sync(0); };
source S_local {
        unix-stream("/dev/log"); file("/proc/kmsg");
        internal(); };
##
destination D_udp_network {
        udp("192.168.51.2" port(514)); };   # the host must be a quoted string
destination D_ssh {
        file("/var/log/ssh" perm(0640) owner(root) group(log)); };
## D_tty_net is referenced below but not defined in the post;
## assumed definition: write to every logged-in user's tty
destination D_tty_net { usertty("*"); };
##
## "normal" is not a syslog-ng level name; debug is the least severe level
filter l_normal_or_worse   { level(debug..emerg); };
filter l_err_or_worse      { level(err..emerg); };
##
filter f_ssh {
        program("ssh.*") or program("su");
};
##### TWO RULES accepting messages from ssh
##### first without "final", second with "final"
##
##  selected ssh messages of level error or worse
##  send critical ssh messages to all tty's
log { source(S_local);
        filter(f_ssh); filter(l_err_or_worse);
        destination(D_udp_network);
        destination(D_tty_net); };

## secure login / ssh / su ...
##   shall store all messages (normal ... emerg) of ssh
log { source(S_local);
        filter(f_ssh); filter(l_normal_or_worse);
        destination(D_ssh);
        flags(final); };



What kind of output on D_ssh and D_udp_network should
I expect if there are these two messages?

## example messages
#loglevel message
[normal]  datum host sshd[550]:  some normal message of sshd  
[error]   datum host sshd[550]:  some error output of sshd



Thank you,

Volker Apelt
-- 
Volker Apelt   volker_apelt  .@.  yahoo.de (remove the dots, please)   
Dipl. Chem.    +49 6172 31126
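A small model of the ordering rule this question turns on, added here as an example and not part of the original post: syslog-ng walks the log{} statements in the order they appear in the configuration, every matching statement delivers to its destinations, and flags(final) ends the walk for that message. The two sshd messages, the cron message, the D_messages catch-all rule and the helper names are constructed assumptions for the demonstration.

```python
import re

# Severity names in syslog order, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def level_range(low, high):
    """Mimic filter level(low..high): low is the least severe bound."""
    most, least = LEVELS.index(high), LEVELS.index(low)
    return lambda msg: most <= LEVELS.index(msg["level"]) <= least

def program(pattern):
    """Mimic filter program("regex") on the program name."""
    return lambda msg: re.search(pattern, msg["program"]) is not None

def route(statements, messages):
    """Walk every log{} statement in order for each message and return
    {destination: [message ids]}; flags(final) ends the walk for that message."""
    delivered = {}
    for msg in messages:
        for filters, destinations, final in statements:
            if all(f(msg) for f in filters):
                for dest in destinations:
                    delivered.setdefault(dest, []).append(msg["id"])
                if final:
                    break
    return delivered

# Filters and log statements from the post, as (filters, destinations, final).
f_ssh = lambda m: program("ssh.*")(m) or program("su")(m)
alert_rule = ([f_ssh, level_range("err", "emerg")], ["D_udp_network", "D_tty_net"], False)
store_rule = ([f_ssh, level_range("debug", "emerg")], ["D_ssh"], True)
catch_all = ([], ["D_messages"], False)  # a later rule without filter(f_no_ssh), assumed

# Constructed messages mirroring the two example lines in the post, plus one
# non-ssh message to show what the catch-all rule still receives.
MESSAGES = [
    {"id": "normal", "program": "sshd", "level": "info"},
    {"id": "error", "program": "sshd", "level": "err"},
    {"id": "cron", "program": "cron", "level": "info"},
]

def config_as_posted():
    """Alert rule (no final) first, store rule (final) second."""
    return route([alert_rule, store_rule, catch_all], MESSAGES)

def rules_swapped():
    """Store rule (final) first: ssh messages never reach the alert rule."""
    return route([store_rule, alert_rule, catch_all], MESSAGES)

if __name__ == "__main__":
    print(config_as_posted())
    print(rules_swapped())
```

With the posted order the error message reaches D_udp_network, D_tty_net and D_ssh while nothing from ssh reaches D_messages; with the final rule moved first, the alert destinations receive nothing at all.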