[syslog-ng]Re: [syslog-ng]what´s wrong?

Mike Pepe syslog-ng@lists.balabit.hu
Fri, 18 Feb 2005 11:11:49 -0500 

Denis,

I'm no expert at this yet, but I think the problem is that the regular 
syslog rule matches and it's writing the result to more than one place. 
This is entirely possible.

As an example, here's what I did to stop that in my rule that logs 
iptables hits to a different file on linux:

destination d_iptables   { file("/var/log/iptables"); };
destination d_mesg { file("/var/log/messages"); };

filter f_iptables  { match("Inbound"); };
filter f_filter2   { level(info..emerg) and
                      not facility(mail,authpriv,cron) and
                      not match("Inbound"); };

log { source(s_sys); filter(f_iptables); destination(d_iptables); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };

Note the not match that excludes the Inbound events from going to syslog.

There may be a better way to do this, but it works for me so far.

-Mike

Denis Kot wrote:
> Hello to All
> 
> I want to messages from smbd and nmbd to redirect to another logfile
> I have:
> 
> source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
> 
> destination messages { file("/var/log/messages"); };
> destination d_smbd { file("/var/log/smbd"); };
> 
> filter f_smbd { program(smbd.*) or match(smbd); };
> filter f_nmbd { program(nmbd.*) or match(nmbd); };
> 
> log { source(src); filter(f_smbd); destination(d_smbd); };
> log { source(src); filter(f_nmbd); destination(d_smbd); };
> log { source(src); destination(messages); };
> 
> but messages like:
> Feb 18 15:02:57 gate smbd[1089]: [2005/02/18 15:02:57, 0]
> lib/util_sock.c:get_peer_addr(1000)
> Feb 18 15:02:57 gate smbd[1089]:   getpeername failed. Error was
> Transport endpoint is not connected
> or
> Feb 18 15:04:14 gate nmbd[15845]: [2005/02/18 15:04:14, 0]
> nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(693)
> Feb 18 15:04:14 gate nmbd[15845]:   process_get_backup_list_request:
> domain list requested for workgroup MASSNET and I am not a local
> master browser.
> 
> still going to /var/log/messages...
> what´s wrong?
>