[syslog-ng] Logging to syslog without facility mail
Loic Minier
syslog-ng@lists.balabit.hu
Tue, 31 Aug 2004 18:45:49 +0200
Laurent CARON <lcaron@apartia.fr> - Tue, Aug 31, 2004:
> filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
This requests to keep only messages which aren't of facility auth or
authpriv and which aren't of facility mail.
A filter says which messages to keep. Matching messages are kept, the
others are removed.
> filter f_syslog { not facility(auth, authpriv) or facility(mail) and
> level(warn .. emerg); };
This is ambiguous, because of the priority of and over or; I think it
means to keep messages which aren't from facility auth or authpriv and
also keep messages from facility mail with a level at least of warning.
You should write it:
    filter f_syslog { not facility(auth, authpriv) or (facility(mail) and
        level(warn .. emerg)); };
> I'm trying to exclude certain messages from my syslog (facility mail
> which are inferior to warning)
I would write two filters to do this:
    filter f_mail { facility(mail); };
    filter f_less_than_warn { level(debug..notice); };
and your filter would look like:
    filter exclude_what_i_don_t_want {
        not(
            filter(f_mail) and filter(f_less_than_warn)
        ); };
Now if you've done some boolean logic, you probably know you can
develop the not() like this:
    filter exclude_what_i_don_t_want {
        not(filter(f_mail))
        or not(filter(f_less_than_warn)); };
(sorry for missing ";" if there are some)
And you could decide that this is even clearer (with the appropriate
f_at_least_warn):
    filter exclude_what_i_don_t_want {
        not(filter(f_mail))
        or filter(f_at_least_warn); };
Which basically means 'keep messages not coming from mail and also keep
messages which are from level warn or above'.
Regards,
--
Loïc Minier <lool@dooz.org>
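
Added example, not part of the original message: a Python model of the filters discussed above, enumerating every facility/level pair to check that the three forms of exclude_what_i_don_t_want drop the same messages and to show what the two quoted f_syslog attempts do to facility mail. The dictionary keys and helper names are made up for this sketch, and Python's not/and/or precedence stands in for the precedence the message assumes for syslog-ng.

```python
from itertools import product

# Standard syslog facilities and levels (levels in ascending severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
LEVELS = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]


def in_range(level, low, high):
    """Model of level(low..high)."""
    return LEVELS.index(low) <= LEVELS.index(level) <= LEVELS.index(high)


def authlike(fac):
    """Model of facility(auth, authpriv)."""
    return fac in ("auth", "authpriv")


# Hypothetical names for the filters in the thread. A filter returns True
# for messages it keeps. Python binds not, then and, then or (assumed to
# match the reading given in the message).
FILTERS = {
    "first_attempt": lambda f, l: not authlike(f) and not f == "mail",
    "second_attempt": lambda f, l: (
        not authlike(f) or f == "mail" and in_range(l, "warn", "emerg")),
    "second_other_grouping": lambda f, l: (
        (not authlike(f) or f == "mail") and in_range(l, "warn", "emerg")),
    "not_of_and": lambda f, l: not (f == "mail" and in_range(l, "debug", "notice")),
    "de_morgan": lambda f, l: not f == "mail" or not in_range(l, "debug", "notice"),
    "at_least_warn": lambda f, l: not f == "mail" or in_range(l, "warn", "emerg"),
}


def dropped(name):
    """Set of (facility, level) pairs the named filter removes."""
    return {(f, l) for f, l in product(FACILITIES, LEVELS) if not FILTERS[name](f, l)}


def mail_levels_dropped(name):
    """Levels of facility mail the named filter removes, in severity order."""
    return [l for l in LEVELS if ("mail", l) in dropped(name)]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:22} drops {len(dropped(name)):3} pairs; "
              f"mail levels dropped: {mail_levels_dropped(name)}")
```

Running it prints, per filter, how many facility/level pairs are dropped and which mail levels are among them.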