[syslog-ng] can't figure out how to convert syslog.conf entry to syslog-ng

Philip J. Hollenback syslog-ng@lists.balabit.hu
Tue, 28 Dec 2004 10:36:00 -0500


Thanks for the pointers!  I was able to code this entry up as follows:

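# mail.none;mail.err in the syslog.conf entry keeps mail only at err and
# above, so mail is excluded at debug..warning.
filter f_mesg {
     level(info..emerg)
     and not facility(authpriv,local0)
     and not (facility(mail) and level(debug..warning))
     and not (facility(auth,cron) and level(debug..notice));
};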


and that works great.

Thanks,
P.

On 12/27/04, Balazs Scheidler wrote:
> On Mon, 2004-12-27 at 09:02 -0500, Philip J. Hollenback wrote:
> > I have the following syslog.conf entry on my linux server:
> > 
> > *.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none                /var/log/messages
> > 
> > The syslog2ng script converts it to this:
> > 
> > destination d_mesg { file("/var/log/messages"); };
> > 
> > filter f_1 { level(info..emerg); };
> > filter f_2 { not facility(mail); };
> > filter f_3 { facility(mail) and level(err..emerg); };
> > filter f_4 { not facility(authpriv); };
> > filter f_5 { not facility(auth); };
> > filter f_6 { facility(auth) and level(warning..emerg); };
> > filter f_7 { not facility(cron); };
> > filter f_8 { facility(cron) and level(warning..emerg); };
> > filter f_9 { not facility(local0); };
> > 
> > log {
> >   source(local);
> >   filter(f_1); filter(f_2); filter(f_3); filter(f_4);
> >   filter(f_5); filter(f_6); filter(f_7); filter(f_8);
> >   filter(f_9);
> >   destination(d_mesg);
> > };
> > 
> > 
> > Problem: this doesn't work; the above syslog-ng.conf entry doesn't
> > send any messages to /var/log/messages.  I know syslog-ng is working
> > because other entries in the config file do catch messages as they
> > should.
> > 
> > I've narrowed it down to something with the compound filter
> > statements.  If I remove f_3, f_6, and f_8, the entry starts working.
> 
> Note that syslog-ng ANDs the filter expressions listed in your log
> statement. E.g. while syslogd ORs them, syslog-ng ANDs them.
> 
> In f_3 you require facility(mail) while in f_2 you explicitly disallow
> it via not.
> 
> Maybe you should construct a single filter expression ORing the
> conditions in the original syslog.conf entry.
> 
> 

-- 
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com
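
Added example, not part of the original thread or of syslog-ng: a small Python model of the priority matching discussed above. It shows that the nine ANDed filters accept nothing, and builds the single ORed expression suggested in the reply from the syslog.conf selector. The function names and the facility subset are constructed for the illustration; the generated filter text uses only syntax that appears in the thread.

```python
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
rank = LEVELS.index  # position of a level in the severity order
FACILITIES = ["kern", "daemon", "mail", "auth", "authpriv", "cron", "local0"]  # constructed subset
SELECTOR = ("*.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;"
            "cron.none;cron.warning;local0.none")

def thresholds(selector):
    """syslogd reads clauses left to right; a later clause overrides its facility."""
    default, per_fac = None, {}
    for clause in selector.split(";"):
        fac, prio = clause.split(".")
        value = None if prio == "none" else prio  # None means "never log"
        if fac == "*":
            default, per_fac = value, {}
        else:
            per_fac[fac] = value
    return default, per_fac

def syslogd_match(selector, fac, level):
    default, per_fac = thresholds(selector)
    minimum = per_fac.get(fac, default)
    return minimum is not None and rank(level) >= rank(minimum)

CLAUSE_FILTERS = [  # f_1..f_9 from the converted config, one predicate each
    lambda f, lv: rank(lv) >= rank("info"),
    lambda f, lv: f != "mail",
    lambda f, lv: f == "mail" and rank(lv) >= rank("err"),
    lambda f, lv: f != "authpriv",
    lambda f, lv: f != "auth",
    lambda f, lv: f == "auth" and rank(lv) >= rank("warning"),
    lambda f, lv: f != "cron",
    lambda f, lv: f == "cron" and rank(lv) >= rank("warning"),
    lambda f, lv: f != "local0",
]

def anded_match(fac, level):
    return all(flt(fac, level) for flt in CLAUSE_FILTERS)  # log statement ANDs its filters

def single_filter(selector):
    """One expression that ORs the per-facility conditions of the selector."""
    default, per_fac = thresholds(selector)
    terms = [f"(facility({f}) and level({p}..emerg))"
             for f, p in per_fac.items() if p is not None]
    if default is not None:
        terms.append(f"(not facility({','.join(per_fac)}) and level({default}..emerg))")
    return " or ".join(terms)

def accepted(match):
    return {(f, lv) for f in FACILITIES for lv in LEVELS if match(f, lv)}
```

`accepted(anded_match)` is empty because f_2 and f_3 can never both be true, while `single_filter(SELECTOR)` yields an expression that can be placed in one `filter { ...; };` block.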