[syslog-ng] Re: filtering local facilities

[Bruce Pennypacker]

My bad.  I just realized I was using -t and not -p on the logger command
line...  It's working.

-Bruce

On 4/21/06, Bruce Pennypacker <bruce.pennypacker at gmail.com> wrote:
>
> Hi all,
>
> I'm just starting to work with syslog-ng.  We're setting up a loghost that
> will be collecting logs from a number of applicatoin servers, and I want to
> split them up based on whether they're application logs or system logs.  The
> application is logging to local syslogs using the facility local5, but I'm
> having trouble filtering on that in syslog-ng.  I couldn't find any
> documentation that indicates this can't be done so I'm wondering what I
> might be doing wrong.  Here's the relevant part of my syslog-ng.conf file:
>
> source s_udp  {
>         udp( ip(0.0.0.0) port(514) );
> };
>
> destination d_application { file("/var/log/application.log"); };
> destination d_syslog { file("/var/log/syslog"); };
>
> filter f_my_servers { host(h-001) or host(h-002) or host(h-003); };
>
> filter f_test1  { facility(local5) and filter(f_my_servers); };
>
> filter f_test2 { filter(f_my_servers); };
>
>
> log { source(s_udp); filter(f_test1); destination(d_application);
> flags(final); };
> log { source(s_udp); filter(f_test2); destination(d_syslog); flags(final);
> };
>
> With the above configuration anything that comes in from one of the hosts
> as local5.* should get written to /var/log/application.log and everything
> else from those hosts should get written to /var/log/syslog, right?  But if
> I log into one of these hosts and perform a test:
>
> [root at h-001 ~]# logger -t local5.info test
>
> The test message always ends up getting logged in /var/log/syslog.  Does
> syslog-ng allow remote filtering based on the local5 facility, or am I doing
> something wrong here?
>
> -Bruce
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060421/7920db10/attachment.html