[syslog-ng] Question regarding filters
Brian Loe
knobdy at gmail.com
Tue Oct 3 23:06:38 CEST 2006
On 10/3/06, Ian Meyer <ianmmeyer at gmail.com> wrote:
> I don't want to assume anything about how the program deals with
> messages, so my question is how do messages that match or do not match
> a filter cascade down?
>
> For instance if I have a filter: filter f_test { program('test'); };
> and a destination that specific filter, under what conditions would
> it NOT make it to said destination?
Here's what this noob knows (or thinks he knows):
They (the filters) work in the order that they appear.
A message continues past a log rule unless it MATCHES a log rule with
a stop flag configured in it.
If there is a catchall file (like messages) all messages will wind up
there even if they matched a previous log rule UNLESS that log rule
had a stop flag configured.
In my case I want a copy of a message sent to a pipe and its own file,
and I only want messages from things I didn't know about or hadn't
seen before or aren't being monitored that directly to wind up in the
catchall file (netmessages in my case). So, if a PIX send me a message
the first log rule it hits sends it to a named pipe, then it hits a
second log rule that places it in the firewall file and, because that
log rule has the stop flag configured, it ends there.
More information about the syslog-ng
mailing list