[syslog-ng] Ver 1.9.5 problems with facility/level filtering

Marvin.Nipper at Stream.com
Fri Sep 30 16:00:33 CEST 2005


>> On Mon, Sep 26, 2005 at 12:30:23PM -0600, Marvin.Nipper at Stream.com wrote:
>> 
>> So. I'm looking for any input as to what might be a potential root
>> problem.  Obviously, there are a whole set of different pre-req components
>> for the 1.9.5 world.  I'm not sure if I'm dealing with some compatibility
>> problem amongst the component versions that I've selected(?), or if the
>> problem lies elsewhere.
>
>There's no obvious cause going by your description, but maybe if we saw
>your config we'd notice something. Please post your complete config
>file, if you don't mind.
>
>Thanks.
>-- 
>Nate

Here's my current configuration:
options { dir_perm(0755); perm(0600); chain_hostnames(no);
          keep_hostname(yes); log_fifo_size(1000); };


# Catch everything coming from other sysloggers
source any_udp { udp(); };


# Pipe used by SEC (Simple Event Correlation)
destination SEC {pipe("/tmp/sec"); };


# Various segregated logging files
destination routers_log {
        file("/var/adm/log/routers.log" create_dirs(yes));
};

destination ravlin_log {
        file("/var/adm/log/ravlin.log" create_dirs(yes));
};

destination windows_log {
        file("/var/adm/log/windows.log" create_dirs(yes));
};

destination catch-all_log {
        file("/var/adm/log/catch-all.log" create_dirs(yes));
};

destination test {
        file("/var/adm/log/test.log" create_dirs(yes));
};


# Some place to dump noise
destination dev_null { file("/dev/null" ); };




######## Logging commands #############

# Send a copy of everything to SEC
#log { source(any_udp); destination(SEC); };

# syslog.info                           /var/adm/log/windows.log
filter f_4 { facility(syslog) and level(info..emerg); };
log { source(any_udp); filter(f_4); destination(windows_log); flags(final); };

# local5.debug                          /var/adm/log/routers.log
filter f_1 { facility(local5) and level(debug..emerg); };
log { source(any_udp); filter(f_1); destination(routers_log); flags(final); };

# Kill SonicWall Noise first
filter SonicWallNoise {
        match("id=firewall") and filter(SonicWallMsgs);
};
filter SonicWallMsgs {
        match("m=97") or match("m=98") or match("m=537");
};
log { source(any_udp); filter(SonicWallNoise); destination(dev_null); flags(final); };

# local0.debug                          /var/adm/log/ravlin.log
filter f_3 { facility(local0) and level(debug..emerg); };
log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final); };

# (catch all)                           /var/adm/log/catch-all.log
log { source(any_udp); destination(catch-all_log); flags(final); };


Again, this configuration works just fine with my 1.6.8 compilation.
Output is properly distributed to all of the listed files.  With my 1.9.5
compilation, the final (unfiltered) file gets everything.  In short, I
know that the inbound syslog packets are fine (i.e. that they have the
correct facility/level information), or 1.6.8 would be broken as well.

THANKS for any and all help!

Marvin
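Added example (not part of the original message and not syslog-ng code): a small Python model of the routing the posted config describes. It decodes the <PRI> of a syslog datagram into facility/severity and walks the log statements in config order, stopping at the first match because every statement carries flags(final); the datagrams it feeds in are constructed for the demo and are not from the poster's network. Comparing its answer with what 1.9.5 actually writes shows whether a given packet's facility/level is being mis-evaluated or whether it never reached the filter at all.

```python
import re

# Added illustration, not from the original post or from syslog-ng: a model of
# the first-match routing that the quoted config describes. The sample
# datagrams used below are constructed for the demo.

# RFC 3164 numbering: facility = PRI // 8, severity = PRI % 8.
FACILITY = {"syslog": 5, "local0": 16, "local5": 21}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode(datagram):
    """Return (facility, severity, text) for a '<PRI>text' datagram."""
    m = PRI_RE.match(datagram)
    if not m:                      # no PRI at all: assume user.notice (13)
        return 1, 5, datagram
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def level_range(low, high):
    """level(low..high) as written in the config: inclusive, low = least severe."""
    return range(SEVERITY[high], SEVERITY[low] + 1)

def sonicwall_noise(text):
    """filter SonicWallNoise: match("id=firewall") and one of the m= tags."""
    return "id=firewall" in text and any(
        t in text for t in ("m=97", "m=98", "m=537"))

# (filter, destination) in the order of the log statements in the config.
LOG_STATEMENTS = [
    (lambda f, s, t: f == FACILITY["syslog"] and s in level_range("info", "emerg"), "windows_log"),
    (lambda f, s, t: f == FACILITY["local5"] and s in level_range("debug", "emerg"), "routers_log"),
    (lambda f, s, t: sonicwall_noise(t), "dev_null"),
    (lambda f, s, t: f == FACILITY["local0"] and s in level_range("debug", "emerg"), "ravlin_log"),
    (lambda f, s, t: True, "catch-all_log"),
]

def route(datagram):
    """Destination chosen by the first matching statement (all carry flags(final))."""
    fac, sev, text = decode(datagram)
    return next(dest for matches, dest in LOG_STATEMENTS if matches(fac, sev, text))

if __name__ == "__main__":
    for d in ("<46>host syslogd restarted", "<175>rtr1 link down",
              "<14>id=firewall sn=0 m=97 msg=dropped", "<134>ravlin0 tunnel up",
              "<13>something else"):
        print(route(d), "<-", d)
```

A syslog.debug packet (PRI 47) falls through to catch-all_log, since f_4 only covers info..emerg; that is the expected behaviour, not the 1.9.5 symptom, where everything lands there.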

