[syslog-ng]Newbie Filter question (Solaris)

Mike Nerone syslog-ng@lists.balabit.hu
Fri, 6 Aug 2004 12:03:29 -0500


You meant to use:
 
==============
filter f_notalteon {
        not match("10.155.68.2") and not match("10.155.68.3");
};
==============
 
Note that the boolean op is "and", not "or". The opposite of "A or B" is
"not A and not B" (see http://www.wordiq.com/definition/Laws_of_logic or
Google "DeMorgan's theorem").

Mike

________________________________

From: syslog-ng-admin@lists.balabit.hu
[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Kenneth Gullberg
Sent: Thursday, July 29, 2004 05:45
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Newbie Filter question (Solaris)


Hi,
 
I'm new to syslog-ng and want to replace the normal syslogd in Solaris with
-ng because of the filters. 
 
I run postfix on 2 load-balanced machines and I want to get rid of the
health-check log entries.
 
I set up a conf file that looks like this:
 
options { 
        long_hostnames(off); 
 
        # doesn't actually help on Solaris, log(3) truncates at 1024 chars
        log_msg_size(8192);
 
        # buffer just a little for performance
        sync(1); 
 
        # memory is cheap, buffer messages unable to write (like to loghost)
        log_fifo_size(2048); 
 
        # The time to wait before a dead connection is reestablished (seconds)
        time_reopen(10);
};
###############################################################
source src { 
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        internal(); 
};
###############################################################
destination alteon { 
        file("/var/log/alteon"); 
};
destination notalteon { 
        file("/var/log/notalteon"); 
};
destination ipf {
        file("/var/log/ipf.log");
};
###############################################################
filter f_mail { 
        facility(mail); 
};
filter f_not_mail {
        not facility(mail); 
};
filter f_ipf {
        facility(local0);
};
filter f_alteon {
        match("10.155.68.2") or match("10.155.68.3");
};
 
filter f_notalteon {
        not match("10.155.68.2") or not match("10.155.68.3");
};
###############################################################
log {
        source(src);
        filter(f_alteon);
        destination(alteon);
};
log {
        source(src);
        filter(f_notalteon);
        destination(notalteon);
};
log {
        source(src);
        filter(f_ipf);
        destination(ipf);
};
 
 
According to this I should log everything that contains 10.155.68.2 or .3 to
/var/log/alteon and if it doesn't contain .2 or .3 to /var/log/notalteon and
it will also send the ip filter logs to its own log (which works). 
 
It seems that f_alteon and f_ipf work. But f_notalteon logs both stuff that
does contain .2 and .3 and stuff that doesn't contain .2 and .3
 
What have I missed?
 
// Kenneth
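To make Mike's De Morgan point concrete, here is an added Python model of the three filter variants (the posted f_notalteon, the corrected one, and f_alteon) run over a few constructed postfix-style lines. This is editor-added example code, not anything from the thread or from syslog-ng itself; it assumes, as syslog-ng's match() does, that the argument is an unanchored regular expression searched against the message text. The sample log lines and the f_notalteon_strict pattern are assumptions introduced here.

```python
import re

# Constructed sample messages (not from the original post): two health-check
# lines from the load balancer addresses, one ordinary postfix line, and one
# from a host whose address merely begins with the same digits.
SAMPLE_LOG = [
    "postfix/smtpd[1234]: connect from unknown[10.155.68.2]",
    "postfix/smtpd[1234]: disconnect from unknown[10.155.68.3]",
    "postfix/smtpd[5678]: connect from mail.example.org[192.0.2.10]",
    "postfix/smtpd[9012]: connect from unknown[10.155.68.23]",
]


def match(pattern):
    """Model of syslog-ng's match(): unanchored regex search over the message."""
    regex = re.compile(pattern)
    return lambda msg: regex.search(msg) is not None


def f_alteon(msg):
    # match("10.155.68.2") or match("10.155.68.3");
    return match("10.155.68.2")(msg) or match("10.155.68.3")(msg)


def f_notalteon_as_posted(msg):
    # not match("10.155.68.2") or not match("10.155.68.3");
    # A single line never contains both addresses, so one side is always true
    # and every message passes.
    return not match("10.155.68.2")(msg) or not match("10.155.68.3")(msg)


def f_notalteon_fixed(msg):
    # not match("10.155.68.2") and not match("10.155.68.3");
    # De Morgan: this is exactly the negation of f_alteon.
    return not match("10.155.68.2")(msg) and not match("10.155.68.3")(msg)


def f_notalteon_strict(msg):
    # Assumed tightening, not from the thread: an unescaped "." matches any
    # character and the pattern is unanchored, so "10.155.68.2" also matches
    # "10.155.68.23". Escaping the dots and requiring a non-digit (or end of
    # message) after the last octet keeps only the two real addresses out.
    return not match(r"10\.155\.68\.[23]([^0-9]|$)")(msg)


def route(messages, filt):
    """Return the messages a log{} statement using this filter would write."""
    return [m for m in messages if filt(m)]


def demorgan_holds(messages):
    """Check that the corrected filter is the complement of f_alteon."""
    return all(f_notalteon_fixed(m) == (not f_alteon(m)) for m in messages)


if __name__ == "__main__":
    for name, filt in [("f_alteon", f_alteon),
                       ("f_notalteon (as posted)", f_notalteon_as_posted),
                       ("f_notalteon (fixed)", f_notalteon_fixed),
                       ("f_notalteon (strict regex)", f_notalteon_strict)]:
        print(name)
        for line in route(SAMPLE_LOG, filt):
            print("   ", line)
    print("fixed filter is the complement of f_alteon:", demorgan_holds(SAMPLE_LOG))
```

Running it shows the posted filter passing all four lines (the symptom Kenneth describes), the corrected filter passing only the line from 192.0.2.10, and the stricter pattern additionally letting the 10.155.68.23 line through to /var/log/notalteon instead of swallowing it as a health check.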