[syslog-ng] Program Filters

Nate Campi nate at campin.net
Mon May 16 17:01:34 CEST 2005


On Mon, May 16, 2005 at 03:59:40PM +0600, Metal Gear wrote:
> I'm having too much noise in my syslog-ng logs, both in the MySQL DB and in text
> logs. For that I tried program filters
> like:
> 
> filter f_auth { facility(auth); };
> filter f_ftp {program(ftp);};
> filter f_ssh {program(pam_unix);};
> log {source(stunnel); filter(f_syslog); filter(f_auth); filter(f_ftp); 
> filter(f_ssh); destination(d_mysql);};
> 
> What I actually want is to log messages from program 'vsftp', 'wsftpd' and
> 'sshd'. For that I tried regexps like '*ftp*', '*ssh*', but it's not working. Can
> someone refine the filters to just log traffic having program 'ftp' or
> 'ssh' in them?

It's an issue with the way log{} statements read. What yours says is to
log the source "stunnel" if all your filters match, i.e. the message
has program "ftp" and program "pam_unix" and facility "auth" and
whatever your filter called "f_syslog" does.

Since syslog-ng essentially ANDs them, you need to OR them yourself.
You can just do one large filter, something like:

filter kitchensink {
	facility(auth) and
	( program(ftp) or program(pam_unix) ) ;
};

I think you want facility auth and one of those two programs, so this is
probably what you're looking for.

Hope this helps.
-- 
Nate

It used to be said [...] that AIX looks like one space alien
discovered Unix, and described it to another different space alien who
then implemented AIX. But their universal translators were broken and
they'd had to gesture a lot. 
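A fuller version of the single-filter approach Nate describes, as an added example (not Nate's or the original poster's config). It assumes the source "stunnel" and destination "d_mysql" from the quoted log{} statement are defined elsewhere in the same syslog-ng.conf. Because program() takes a regular expression rather than a shell glob, an unanchored "ftp" already matches vsftpd and wsftpd, and "ssh" matches sshd, which is what the original poster was trying to express with '*ftp*' and '*ssh*':

```conf
# Added example; assumes source(stunnel) and destination(d_mysql) exist.

# All the ORing happens inside one filter. program() arguments are
# regexps, so "ftp" matches vsftpd/wsftpd and "ssh" matches sshd; the
# shell-style '*' wildcards from the question are not needed and would
# not work here. pam_unix is kept because sshd's auth messages may be
# tagged with it rather than with "sshd".
filter f_ftp_or_ssh {
	facility(auth, authpriv) and
	( program("ftp") or program("ssh") or program("pam_unix") );
};

# A single filter() in the log path, so nothing is ANDed away: a message
# reaches d_mysql when the one combined filter matches.
log {
	source(stunnel);
	filter(f_ftp_or_ssh);
	destination(d_mysql);
};
```

One check before relying on this: confirm which facility each daemon actually logs under. sshd and PAM usually use auth or authpriv, but an FTP daemon may log to the ftp facility instead, in which case the facility() clause either needs that facility added or should be dropped and the match left to program() alone. Note also that an unanchored "ssh" will match any program name containing it (for example ssh-agent), so anchor the regexp (e.g. "^sshd$") if only the daemon's own messages are wanted.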
