[syslog-ng]Newbie Filter question (Solaris)
Kenneth Gullberg
syslog-ng@lists.balabit.hu
Thu, 29 Jul 2004 12:45:13 +0200
Hi,

I'm new to syslog-ng and want to replace the normal syslogd in Solaris
with -ng because of the filters.

I run postfix on 2 load-balanced machines and I want to get rid of the
health check log entries.

I set up a conf file that looks like this:
options {
    long_hostnames(off);

    # doesn't actually help on Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);

    # buffer just a little for performance
    sync(1);

    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(2048);

    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
};
###############################################################
source src {
    sun-stream("/dev/log" door("/etc/.syslog_door"));
    internal();
};
###############################################################
destination alteon {
    file("/var/log/alteon");
};
destination notalteon {
    file("/var/log/notalteon");
};
destination ipf {
    file("/var/log/ipf.log");
};
###############################################################
filter f_mail {
    facility(mail);
};
filter f_not_mail {
    not facility(mail);
};
filter f_ipf {
    facility(local0);
};
filter f_alteon {
    match("10.155.68.2") or match("10.155.68.3");
};

filter f_notalteon {
    not match("10.155.68.2") or not match("10.155.68.3");
};
###############################################################
log {
    source(src);
    filter(f_alteon);
    destination(alteon);
};
log {
    source(src);
    filter(f_notalteon);
    destination(notalteon);
};
log {
    source(src);
    filter(f_ipf);
    destination(ipf);
};

According to this I should log everything that contains 10.155.68.2 or
.3 to /var/log/alteon, and if it doesn't contain .2 or .3 to
/var/log/notalteon, and it will also send the ip filter logs to its own
log (which works).

It seems that f_alteon and f_ipf work. But f_notalteon logs both stuff
that does contain .2 and .3 and stuff that doesn't contain .2 and .3.

What have I missed?

// Kenneth
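The behaviour described above follows from how `not` binds in the filter expression: `not match(A) or not match(B)` is false only for a message that contains both addresses, so a health check from a single VIP still passes f_notalteon. The complement of `match(A) or match(B)` is `not match(A) and not match(B)`, or equivalently `not (match(A) or match(B))`; syslog-ng also lets one filter reuse another, so `not filter(f_alteon)` expresses the same thing without repeating the patterns. A second point worth checking in the same config: match() takes a regular expression, so an unescaped `.` matches any character and `10.155.68.2` also matches a longer address such as 10.155.68.25. The Python script below is an added example, not part of the original post and not syslog-ng code; it stands in for match() with an unanchored regex search and runs the posted filter, the corrected filter, and an escaped, bounded pattern over a few constructed log lines to show which lines each one lets through.

```python
import re

# Constructed sample lines (not from the original post): health checks from
# the two load-balancer addresses, one real client, and a host whose
# address merely starts with "10.155.68.2".
SAMPLE_LINES = [
    "Jul 29 12:40:01 mx1 postfix/smtpd[1234]: connect from unknown[10.155.68.2]",
    "Jul 29 12:40:02 mx1 postfix/smtpd[1234]: connect from unknown[10.155.68.3]",
    "Jul 29 12:40:05 mx1 postfix/smtpd[1235]: connect from mail.example.org[192.0.2.10]",
    "Jul 29 12:40:09 mx1 postfix/smtpd[1236]: connect from unknown[10.155.68.25]",
]

VIP_A = "10.155.68.2"
VIP_B = "10.155.68.3"


def match(pattern, line):
    """Stand-in for syslog-ng's match(): an unanchored regex search."""
    return re.search(pattern, line) is not None


def f_alteon(line):
    """The posted f_alteon: match(A) or match(B)."""
    return match(VIP_A, line) or match(VIP_B, line)


def f_notalteon_as_posted(line):
    """The posted f_notalteon: not match(A) or not match(B).

    'not' binds tighter than 'or', so this is false only when the line
    contains BOTH addresses; every other line passes.
    """
    return (not match(VIP_A, line)) or (not match(VIP_B, line))


def f_notalteon_fixed(line):
    """Corrected filter: not (match(A) or match(B)), i.e. not f_alteon."""
    return not f_alteon(line)


# Dots escaped so they match only a literal '.', and the last octet must not
# be followed by another digit, so "10.155.68.25" no longer counts as ".2".
# The (?!\d) lookahead is Python/PCRE syntax; adapt it to the regex flavour
# of the syslog-ng version in use.
STRICT_VIP_PATTERN = r"10\.155\.68\.[23](?!\d)"


def f_alteon_strict(line):
    """f_alteon rewritten with an escaped, bounded pattern."""
    return match(STRICT_VIP_PATTERN, line)


def route(lines, flt):
    """Return the lines a log {} statement using this filter would deliver."""
    return [line for line in lines if flt(line)]


def summarize(lines=SAMPLE_LINES):
    """Count how many of the lines each filter lets through."""
    return {
        "f_alteon": len(route(lines, f_alteon)),
        "f_notalteon_as_posted": len(route(lines, f_notalteon_as_posted)),
        "f_notalteon_fixed": len(route(lines, f_notalteon_fixed)),
        "f_alteon_strict": len(route(lines, f_alteon_strict)),
    }


if __name__ == "__main__":
    for name, count in summarize().items():
        print(f"{name:24s} passes {count} of {len(SAMPLE_LINES)} lines")
```

Run as-is, the posted f_notalteon passes all four lines (none contains both addresses), the corrected form passes only the 192.0.2.10 line, and the bounded pattern matches the two VIP lines but not the host at 10.155.68.25.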