[syslog-ng] filtering local facilities
Bruce Pennypacker
bruce.pennypacker at gmail.com
Fri Apr 21 21:00:30 CEST 2006
Hi all,
I'm just starting to work with syslog-ng. We're setting up a loghost that
will be collecting logs from a number of application servers, and I want to
split them up based on whether they're application logs or system logs. The
application is logging to local syslogs using the facility local5, but I'm
having trouble filtering on that in syslog-ng. I couldn't find any
documentation that indicates this can't be done so I'm wondering what I
might be doing wrong. Here's the relevant part of my syslog-ng.conf file:

source s_udp {
    udp( ip(0.0.0.0) port(514) );
};

destination d_application { file("/var/log/application.log"); };
destination d_syslog { file("/var/log/syslog"); };

filter f_my_servers { host(h-001) or host(h-002) or host(h-003); };
filter f_test1 { facility(local5) and filter(f_my_servers); };
filter f_test2 { filter(f_my_servers); };

log { source(s_udp); filter(f_test1); destination(d_application); flags(final); };
log { source(s_udp); filter(f_test2); destination(d_syslog); flags(final); };

With the above configuration anything that comes in from one of the hosts as
local5.* should get written to /var/log/application.log and everything else
from those hosts should get written to /var/log/syslog, right? But if I log
into one of these hosts and perform a test:

[root@h-001 ~]# logger -t local5.info test

The test message always ends up getting logged in /var/log/syslog. Does
syslog-ng allow remote filtering based on the local5 facility, or am I doing
something wrong here?
-Bruce
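
Added example, not part of the original post: a small Python check that decodes the PRI field of a received syslog datagram (PRI = facility * 8 + severity) and reports which of the two files in the configuration above it would be routed to. The two sample datagrams are constructed, and `decode_pri`, `route`, `TAG_ONLY` and `WITH_PRI` are hypothetical names. It assumes the standard `logger` behaviour, where `-t` sets the message tag, `-p` sets facility.level, and the default priority is user.notice.

```python
import re

# Conventional facility names indexed by numeric code (RFC 3164, section 4.1.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST MSG
HEADER = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$", re.S)

# Hosts from f_my_servers in the post. Exact match is a simplification here:
# syslog-ng's host() takes a regular expression.
MY_SERVERS = {"h-001", "h-002", "h-003"}


def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def route(datagram):
    """Return the file the post's two log statements would pick, or None."""
    m = HEADER.match(datagram)
    if m is None:
        raise ValueError("not an RFC 3164 style message")
    facility, _ = decode_pri(int(m.group(1)))
    host = m.group(2).decode("ascii", "replace")
    if host not in MY_SERVERS:
        return None                            # neither filter matches
    if facility == "local5":
        return "/var/log/application.log"      # f_test1, then flags(final)
    return "/var/log/syslog"                   # f_test2


# Constructed datagrams as a loghost might receive them.
TAG_ONLY = b"<13>Apr 21 21:00:30 h-001 local5.info: test"   # logger -t local5.info test
WITH_PRI = b"<174>Apr 21 21:00:30 h-001 root: test"          # logger -p local5.info test

if __name__ == "__main__":
    for d in (TAG_ONLY, WITH_PRI):
        pri = int(HEADER.match(d).group(1))
        print(pri, decode_pri(pri), "->", route(d))
```
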