[syslog-ng] Problems with syslog-ng and filters-

Roberto Nibali ratz at drugphish.ch
Tue Jul 12 11:40:07 CEST 2005 

Hello,

> I have created 2 filters. There is check if there is link up/down text
> in msg field.

Ok.

> If its match then there comes N else there should be comes N.
                                ^^^
I guess you mean 'Y' here, right?

> My problem is now that i syslog-ng puts double in sql-table one is Y
> and one is N. Any suggestion what is wrong? Here comes also
> configuration.

It looks like you have two problems: a boolean algebra one and a 
syslog-ng configuration one ;). I really hope I'm awake enough and 
didn't miss something ...

> source net { udp(ip("0.0.0.0") port(514)); };
> 
> filter f_link_downup { match(LINK-3-UPDOWN) or match(LINEPROTO-5-UPDOWN) or match(off-line) or match(on-line); };
> filter f_others { not match(LINK-3-UPDOWN) or not match(LINEPROTO-5-UPDOWN) or not match(off-line) or not match(on-line); };

Assert:
    A := LINK-3-UPDOWN
    B := LINEPROTO-5-UPDOWN
    C := off-line
    D := on-line

Then your filters look as follows:

    f_link_downup = A + B + C + D
    f_others      = !A + !B + !C + !D

One would assume that since you have one bit ('Y' and 'N') as the 
outcome, that you'd want 'f_others' to be '!f_link_downup'. So this guy 
de Morgan once brought up following nitpick:

   !f_link_downup == !A * !B * !C * !D

which is what you want for 'f_others'

Thus your filter statements should rather be (unless I didn't understand 
your wishes):

filter f_link_downup {
   match(LINK-3-UPDOWN) or match(LINEPROTO-5-UPDOWN) or match(off-line) 
or match(on-line);
};

filter f_others {
   not match(LINK-3-UPDOWN) and not match(LINEPROTO-5-UPDOWN) and not 
match(off-line) and not match(on-line);
};

You might want to put '"' for the strings but it's not neccessary in 
your case.

> log { source(net); filter(f_link_downup); destination(d_mysql_downup); };
> log { source(net); filter(f_others); destination(d_mysql_others); };

To speed up your logging you could add a flags(final); statement into 
your log statements.

> destination d_mysql_downup {
>  pipe("/tmp/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg, showdata)
>  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG', 'N' );\n")
>  template-escape(yes));
> };
> 
> destination d_mysql_others {
>  pipe("/tmp/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg, showdata)
>  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG', 'Y' );\n")
>  template-escape(yes));
> };

HTH and best regards,
Roberto Nibali, ratz
-- 
echo 
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc

More information about the syslog-ng mailing list