[syslog-ng]Re: [syslog-ng]what's wrong?

Jesse Molina syslog-ng@lists.balabit.hu
Fri, 18 Feb 2005 15:02:20 -0700


Yes, that's the right idea.

For example, I have something like...



destination samba_log_smbd { file("/var/log/samba/smbd.log"); };
destination samba_log_nmbd { file("/var/log/samba/nmbd.log"); };
destination messages { file("/var/log/messages/messages"); };

filter f_samba_smbd { program("smbd.*"); };
filter f_samba_nmbd { program("nmbd.*"); };
# f_iptableslog is assumed to be defined elsewhere in the full configuration.
# Everything not claimed by a dedicated filter goes to "messages".
filter f_messages { level(info .. warn)
    and not facility(auth, authpriv, cron, daemon, mail, news)
    and not filter(f_iptableslog)
    and not filter(f_samba_smbd)
    and not filter(f_samba_nmbd); };



On Fri, Feb 18, 2005 at 11:05:59PM +0200, Denis Kot wrote:
> so I must create a filter something like
> filter f_filer  { not filter(f_smbd); }; and this filter put to log?
> 
> 
> On Fri, 18 Feb 2005 11:11:49 -0500, Mike Pepe <lamune@doki-doki.net> wrote:
> > Denis,
> > 
> > I'm no expert at this yet, but I think the problem is that the regular
> > syslog rule matches and it's writing the result to more than one place.
> > This is entirely possible.
> > 
> > As an example, here's what I did to stop that in my rule that logs
> > iptables hits to a different file on linux:
> > 
> > destination d_iptables   { file("/var/log/iptables"); };
> > destination d_mesg { file("/var/log/messages"); };
> > 
> > filter f_iptables  { match("Inbound"); };
> > filter f_filter2   { level(info..emerg) and
> >                       not facility(mail,authpriv,cron) and
> >                       not match("Inbound"); };
> > 
> > log { source(s_sys); filter(f_iptables); destination(d_iptables); };
> > log { source(s_sys); filter(f_filter2); destination(d_mesg); };
> > 
> > Note the not match that excludes the Inbound events from going to syslog.
> > 
> > There may be a better way to do this, but it works for me so far.
> > 
> > -Mike
> > 
> > Denis Kot wrote:
> > > Hello to All
> > >
> > > I want to redirect messages from smbd and nmbd to another logfile
> > > I have:
> > >
> > > source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
> > >
> > > destination messages { file("/var/log/messages"); };
> > > destination d_smbd { file("/var/log/smbd"); };
> > >
> > > filter f_smbd { program(smbd.*) or match(smbd); };
> > > filter f_nmbd { program(nmbd.*) or match(nmbd); };
> > >
> > > log { source(src); filter(f_smbd); destination(d_smbd); };
> > > log { source(src); filter(f_nmbd); destination(d_smbd); };
> > > log { source(src); destination(messages); };
> > >
> > > but messages like:
> > > Feb 18 15:02:57 gate smbd[1089]: [2005/02/18 15:02:57, 0]
> > > lib/util_sock.c:get_peer_addr(1000)
> > > Feb 18 15:02:57 gate smbd[1089]:   getpeername failed. Error was
> > > Transport endpoint is not connected
> > > or
> > > Feb 18 15:04:14 gate nmbd[15845]: [2005/02/18 15:04:14, 0]
> > > nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(693)
> > > Feb 18 15:04:14 gate nmbd[15845]:   process_get_backup_list_request:
> > > domain list requested for workgroup MASSNET and I am not a local
> > > master browser.
> > >
> > > still going to /var/log/messages...
> > > what's wrong?
> > >
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> > 
> > 
> 
> 
> -- 
> Denis Kot
> denis?jabber.org.by
> ICQ: 13680126
> Mobil: +375 29 6-1234-78
> 

-- 
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.407.970.0280
# Web  = http://www.opendreams.net/jesse/
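
Added example (not part of the thread and not syslog-ng code): a simplified Python model of how the log statements discussed above are evaluated, showing why the unfiltered catch-all duplicates smbd/nmbd lines into /var/log/messages and how a negated filter stops that. The function names, the routing model and the sample lines are constructed for illustration; the third variant uses syslog-ng's flags(final) log-statement option, which the thread does not mention.

```python
import re

# Constructed sample lines, modelled on the messages quoted in the thread.
SAMPLE = [
    "Feb 18 15:02:57 gate smbd[1089]:   getpeername failed.",
    "Feb 18 15:04:14 gate nmbd[15845]:   process_get_backup_list_request: denied",
    "Feb 18 15:05:01 gate sshd[2201]: Accepted publickey for admin",
]

def program_of(line):
    """Program name from a BSD-syslog line: 'Mon DD HH:MM:SS host prog[pid]: msg'."""
    m = re.match(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s([^\s:\[]+)(?:\[\d+\])?:", line)
    return m.group(1) if m else ""

def f_smbd(line):   # stand-in for program("smbd.*")
    return re.match(r"smbd.*", program_of(line)) is not None

def f_nmbd(line):   # stand-in for program("nmbd.*")
    return re.match(r"nmbd.*", program_of(line)) is not None

def f_all(line):    # a log statement with no filter accepts everything
    return True

def f_not_samba(line):  # stand-in for the "not filter(...)" exclusions
    return not (f_smbd(line) or f_nmbd(line))

def route(line, log_paths):
    """Destinations a line reaches. Hypothetical model: every log statement is
    evaluated in order and independently; final=True stops after a match."""
    hits = []
    for flt, dest, final in log_paths:
        if flt(line):
            hits.append(dest)
            if final:
                break
    return hits

ORIGINAL = [(f_smbd, "/var/log/smbd", False), (f_nmbd, "/var/log/smbd", False),
            (f_all, "/var/log/messages", False)]
NEGATED = ORIGINAL[:2] + [(f_not_samba, "/var/log/messages", False)]
# Same effect with syslog-ng's flags(final) on the first two log statements.
FINAL = [(f_smbd, "/var/log/smbd", True), (f_nmbd, "/var/log/smbd", True),
         (f_all, "/var/log/messages", False)]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("negated", NEGATED), ("final", FINAL)):
        for line in SAMPLE:
            print(f"{name:9} {program_of(line):5} -> {route(line, cfg)}")
```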