[syslog-ng] Re: syslog-ng Digest, Vol 19, Issue 1

G.W. Haywood ged at jubileegroup.co.uk
Wed Nov 1 13:02:55 CET 2006


Hi there,

On Wed, 1 Nov 2006 Nick Baronian wrote:

>    2.  logs written twice (Nick Baronian)

> I setup a syslog-ng server to get logs from various boxes and devices.
> I think I am a little confused about the correct way to set this up.
> I am seeing a lot of logs getting written twice.

> Is there a way I can duplicate the name schema the remote box is using

I don't know exactly what you mean by that, and I don't think I'd know
the answer if I did. :)

> [snip]
> filter pump_renewal { not program("pumpd")  or not level(info,debug); };
> filter imap_debug   { not program("imapd")  or not level(info,debug); };
> filter ipop3_debug  { not program("ipop3d") or not level(info,debug); };
> filter sshd_debug   { not program("sshd")   or not level(debug);      };
> filter f_attack_alert { match("attackalert");  };
> filter f_ssh_login_attempt {
>         program("sshd.*")
>         and match("(Failed|Accepted)")
>         and not match("Accepted (hostbased|publickey) for
> (root|zoneaxfr) from (10.4.3.1)"); };
> [snip]

If I understand what you're trying to do, I don't think you're
approaching this the right way at all.

Think of a filter as being like a sieve.  You keep what's filtered
because you want it, you don't throw it away by 'filter'ing it out.
Your filter 'sshd_debug' isn't being referenced at all, so it won't
give you any output.

If I wanted to see ssh debug messages (assuming that the ssh daemon
was logging anything at the DEBUG level) then the filter I would use
would be something like

filter f_sshd_debug { program("sshd") and level(debug); };
log { source(src); filter(f_sshd_debug); destination(whatever); };

The problem with using 'or' is that
not program("sshd") or not level(debug)
will give you stuff that ISN'T sshd if it also ISN'T debug.

Check out deMorgan's theorem on the Web.

If I've got the wrong end of the stick here, a flame to my personal
email address is in order but one to the list isn't. :)

--

73,
Ged.
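As an added illustration (not part of the thread, and not syslog-ng's own code), the following Python models the two filter forms discussed above and the quoted f_ssh_login_attempt filter, then runs them over a few constructed log records. It assumes, as in the poster's config, that program() and match() do a regex search against the program field and the message text respectively, and that level() tests the record's priority; the exclusion regex is taken from the quoted config with its wrapped line joined by a space. The point it shows is that "not program(sshd) or not level(debug)" keeps exactly the complement of "program(sshd) and level(debug)", which is de Morgan's law in action.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    program: str
    level: str
    text: str


# Constructed sample records; none of these lines come from the thread.
SAMPLE = [
    Msg("sshd", "debug", "debug1: Connection from 10.4.3.1 port 51234"),
    Msg("sshd", "info", "Accepted publickey for zoneaxfr from 10.4.3.1 port 51234 ssh2"),
    Msg("sshd", "info", "Failed password for invalid user admin from 10.4.3.1 port 51235 ssh2"),
    Msg("imapd", "debug", "debug: capability negotiation"),
    Msg("cron", "info", "(root) CMD (run-parts /etc/cron.hourly)"),
]


def program(pattern):
    """Model of program(): regex search against the program field (assumption)."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m.program) is not None


def level(*levels):
    """Model of level(): true when the record's priority is one of the listed levels."""
    return lambda m: m.level in levels


def match(pattern):
    """Model of match(): regex search against the message text (assumption)."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m.text) is not None


def f_sshd_debug_and(m):
    """The filter the reply recommends: program("sshd") and level(debug)."""
    return program("sshd")(m) and level("debug")(m)


def f_sshd_debug_or(m):
    """The original 'or' form: not program("sshd") or not level(debug)."""
    return not program("sshd")(m) or not level("debug")(m)


def f_ssh_login_attempt(m):
    """The quoted f_ssh_login_attempt filter: login outcomes, minus known-good key logins."""
    return (
        program("sshd.*")(m)
        and match("(Failed|Accepted)")(m)
        and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)")(m)
    )


def apply_filter(flt, msgs):
    """Return the records a filter keeps, i.e. what reaches the log path's destination."""
    return [m for m in msgs if flt(m)]


def is_complement(msgs):
    """De Morgan: (not A or not B) == not (A and B) for every record."""
    return all(f_sshd_debug_or(m) == (not f_sshd_debug_and(m)) for m in msgs)


if __name__ == "__main__":
    cases = [
        ("and-form", f_sshd_debug_and),
        ("or-form", f_sshd_debug_or),
        ("login attempts", f_ssh_login_attempt),
    ]
    for name, flt in cases:
        print(name)
        for m in apply_filter(flt, SAMPLE):
            print("   ", m.program, m.level, m.text)
    print("or-form is the exact complement of and-form:", is_complement(SAMPLE))
```

Run as a script, the and-form keeps only the sshd debug line, the or-form keeps every other record (imapd debug, cron, and the sshd info lines included), and the login-attempt filter keeps the failed password line while dropping the known-good publickey login. A filter in a log path is the set of messages you keep, so a real syslog-ng config would reference f_sshd_debug_and from a log {} statement, as in the reply.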

