[syslog-ng] Ver 1.9.5 problems with facility/level filtering

Peter Nahas pnahas at mrv.com
Fri Sep 30 22:26:51 CEST 2005


I too have experienced this problem and decided to investigate the 
source code.  Unless I'm missing something, it appears that 1.9.5 simply 
does not set the correct variable internally, regardless of 
configuration.  The following patch solved the problem for me:
--- /home/pnahas/syslog-ng-1.9.5/src/filter.c   2005-01-05 
06:40:50.000000000 -0500
+++ filter.c    2005-09-30 16:23:29.000000000 -0400
@@ -162,6 +162,7 @@
 {
   FilterPri *self = g_new0(FilterPri, 1);

+  self->valid = facilities;
   self->super.eval = filter_facility_eval;
   return &self->super;
 }
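Review bot: the missing assignment is the whole bug, and the two lines above it show why it went unnoticed: `g_new0(FilterPri, 1)` zero-fills the struct, so without `self->valid = facilities;` the facility mask is always 0, `filter_facility_eval` can never match, and every message falls through to the unfiltered catch-all exactly as reported. The hunk header carries no function name, so please confirm the enclosing constructor's parameter really is spelled `facilities`; a regression test that builds one facility filter and evaluates a single matching message would have caught this at the constructor rather than in a production config.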
@@ -180,6 +181,7 @@
 {
   FilterPri *self = g_new0(FilterPri, 1);

+  self->valid = levels;
   self->super.eval = filter_level_eval;
   return &self->super;
 }
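Review bot: same omission in the level constructor, and `self->valid = levels;` is the matching fix so that `filter_level_eval` has a non-zero mask to test. The two constructors are now identical apart from the mask argument and the eval callback; a small shared helper taking the mask and the callback would make it impossible for a future FilterPri variant to drop the assignment the same way. The changelog should say that both facility() and level() filters were affected in 1.9.5, since users hitting only one of them will otherwise not recognise the fix.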


Hope that helps!

-Peter Nahas
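As an added example, not syslog-ng's source and not Peter's patch, here is a stripped-down C model of the defect the patch corrects: a zero-filled FilterPri whose constructor never stores its selector mask, evaluated against Marvin's f_4 filter. The struct layout, function names, PRI bit arithmetic and the level-range semantics are assumptions for illustration; only the missing assignment comes from the thread.

```c
#include <stdint.h>
#include <stdlib.h>
/* Model of FilterPri (assumed layout, not syslog-ng's): bit N of `valid`
 * set means facility or level N is accepted. */
typedef struct { uint32_t valid; } FilterPri;

/* PRI as carried in a syslog datagram: facility << 3 | level. */
static unsigned pri_facility(unsigned pri) { return (pri >> 3) & 0x1fu; }
static unsigned pri_level(unsigned pri)    { return pri & 0x7u; }

/* 1.9.5 shape of the constructor: the selector mask is accepted but never
 * stored, so the zero-filled allocation leaves `valid` == 0. */
FilterPri *filter_pri_new_buggy(uint32_t selected) {
    FilterPri *self = calloc(1, sizeof *self);   /* stands in for g_new0 */
    (void)selected;                              /* the lost assignment */
    return self;
}

/* Shape after the patch: the mask is stored, so eval has something to match. */
FilterPri *filter_pri_new_fixed(uint32_t selected) {
    FilterPri *self = calloc(1, sizeof *self);
    self->valid = selected;
    return self;
}

int filter_facility_eval(const FilterPri *self, unsigned pri) {
    return (self->valid >> pri_facility(pri)) & 1u;
}
int filter_level_eval(const FilterPri *self, unsigned pri) {
    return (self->valid >> pri_level(pri)) & 1u;
}

/* level(lo..hi) as a bitmask over numeric levels, emerg = 0 .. debug = 7;
 * the config's level(info..emerg) is therefore levels 0..6 (assumed). */
uint32_t level_range_mask(unsigned lo, unsigned hi) {
    uint32_t m = 0;
    for (unsigned l = lo; l <= hi; l++) m |= 1u << l;
    return m;
}

/* Marvin's f_4, facility(syslog) and level(info..emerg), built with a given
 * constructor so the buggy and fixed builds can be compared on one message. */
int f4_matches(FilterPri *(*ctor)(uint32_t), unsigned pri) {
    FilterPri *fac = ctor(1u << 5);                   /* syslog = facility 5 */
    FilterPri *lvl = ctor(level_range_mask(0, 6));
    int hit = filter_facility_eval(fac, pri) && filter_level_eval(lvl, pri);
    free(fac); free(lvl);
    return hit;
}
```

With the buggy constructor f4_matches() returns 0 for a syslog.info message (PRI 46), which is the 1.9.5 symptom of everything landing in catch-all.log; with the fixed one it returns 1 while still rejecting syslog.debug and local5.debug.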

Marvin.Nipper at Stream.com wrote:

>>On Mon, Sep 26, 2005 at 12:30:23PM -0600, Marvin.Nipper at Stream.com wrote:
>
>>>So. I'm looking for any input as to what might be a potential root
>>>problem.  Obviously, there are a whole set of different pre-req components
>>>for the 1.9.5 world.  I'm not sure if I'm dealing with some compatibility
>>>problem amongst the component versions that I've selected(?), or if the
>>>problem lies elsewhere.
>>
>>There's no obvious cause going by your description, but maybe if we saw
>>your config we'd notice something. Please post your complete config
>>file, if you don't mind.
>>
>>Thanks.
>>-- 
>>Nate
>
>Here's my current configuration:
>options { dir_perm(0755); perm(0600); chain_hostnames(no);
>          keep_hostname(yes); log_fifo_size(1000); };
>
>
># Catch everything coming from other sysloggers
>source any_udp { udp(); };
>
>
># Pipe used by SEC (Simple Event Correlation)
>destination SEC {pipe("/tmp/sec"); };
>
>
># Various segregated logging files
>destination routers_log {
>        file("/var/adm/log/routers.log" create_dirs(yes));
>};
>
>destination ravlin_log {
>        file("/var/adm/log/ravlin.log" create_dirs(yes));
>};
>
>destination windows_log {
>        file("/var/adm/log/windows.log" create_dirs(yes));
>};
>
>destination catch-all_log {
>        file("/var/adm/log/catch-all.log" create_dirs(yes));
>};
>
>destination test {
>        file("/var/adm/log/test.log" create_dirs(yes));
>};
>
>
># Some place to dump noise
>destination dev_null { file("/dev/null" ); };
>
>
>
>
>######## Logging commands #############
>
># Send a copy of everything to SEC
>#log { source(any_udp); destination(SEC); };
>
># syslog.info                           /var/adm/log/windows.log
>filter f_4 { facility(syslog) and level(info..emerg); };
>log { source(any_udp); filter(f_4); destination(windows_log);
>flags(final); };
>
># local5.debug                          /var/adm/log/routers.log
>filter f_1 { facility(local5) and level(debug..emerg); };
>log { source(any_udp); filter(f_1); destination(routers_log);
>flags(final); };
>
># Kill SonicWall Noise first
>filter SonicWallNoise {
>        match("id=firewall") and filter(SonicWallMsgs);
>};
>filter SonicWallMsgs {
>        match("m=97") or match("m=98") or match("m=537");
>};
>log { source(any_udp); filter(SonicWallNoise); destination(dev_null);
>flags(final); };
>
># local0.debug                          /var/adm/log/ravlin.log
>filter f_3 { facility(local0) and level(debug..emerg); };
>log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final);
>};
>
># (catch all)                           /var/adm/log/catch-all.log
>log { source(any_udp); destination(catch-all_log); flags(final); };
>
>
>Again, this configuration works just fine with my 1.6.8 compilation.
>Output is properly distributed to all of the listed files.  With my 1.9.5
>compilation, the final (unfiltered) file gets everything.  In short, I
>know that the inbound syslog packets are fine (i.e. that they have the
>correct facility/level information), or 1.6.8 would be broken as well.
>
>THANKS for any and all help!
>
>Marvin
>_______________________________________________
>syslog-ng maillist  -  syslog-ng at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html