[syslog-ng] syslog-ng 2.0.x bug - facility(auth) fails to match any
messages
Evan Rempel
erempel at uvic.ca
Sat Apr 14 07:11:53 CEST 2007
I posted the message below a couple of weeks ago and did not get a response
from anyone.
Can anyone else confirm that with this configuration facility(auth) fails
to match messages with a facility of auth?
Balazs - can you make a comment on why this happens?
Evan.
-------- Original Message --------
Date: Wed, 28 Mar 2007 13:19:27 -0700
From: Evan Rempel <erempel at uvic.ca>
Subject: 2.0.x bug - filter(auth) fails to match
With the following configuration
source local { unix-stream("/dev/log" max-connections(200));
file("/proc/kmsg" log_prefix("kernel: "));
internal(); };
template standard_file { template("$ISODATE $FULLHOST $FACILITY.$LEVEL $PRI $MESSAGE\n"); template_escape(no); };
destination auth.log { file("/var/syslog/auth.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); };
destination unknown.log { file("/var/syslog/unknown.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); };
destination test.log { file("/var/syslog/test.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); };
filter f_auth { facility(auth); };
filter f_local1 { facility(local1); };
filter f_ldap { program(^slapd); };
# ****** PROBLEM LOG LINE ****
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
# ****** PROBLEM LOG LINE ****
log { source(local); filter(f_auth); destination(auth.log); };
# safeguard to catch anything missed by other filters
log { source(local); destination(unknown.log); flags(fallback); };
all of the log messages with the facility of auth go into the unknown.log file.
If I remove the problematic log line (to test.log) or change the order of its filters
or change the first filter to be other than f_local1 (even changing the f_local1 filter to match a different
facility) then everything works as expected.
All of these work fine
# ------------- use other than filter f_local1
filter f_auth { facility(auth); };
filter f_local1 { facility(local1); };
filter f_ldap { program(slapd); };
log { source(local); filter(f_auth); filter(f_ldap); destination(test.log); };
# ------------ comment out the log line
filter f_auth { facility(auth); };
filter f_local1 { facility(local1); };
filter f_ldap { program(slapd); };
# log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
# ------------------ match facility local0 in the f_local1 filter
filter f_auth { facility(auth); };
filter f_local1 { facility(local0); };
filter f_ldap { program(^slapd); };
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
# ----------------- make a more complex single filter rather than multiple filter items in the log line
filter f_auth { facility(auth); };
filter f_local1 { facility(local1); };
filter f_ldap { program(^slapd); };
filter f_test { facility(local1) and program(^sldapd); };
log { source(local); filter(f_test); destination(test.log); };
So, how is the first example going wrong?
Evan.
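
The symptom reported above (auth messages landing in unknown.log) can be checked mechanically. The following is an added example, not part of the original message or of syslog-ng: it parses lines written with the standard_file template and lists those that one of the two non-fallback log statements should have claimed. The names parse, misrouted, RULES and SAMPLE are hypothetical, and it assumes $MESSAGE begins with the program tag.

```python
import re

# Standard syslog facility codes; PRI = facility * 8 + severity.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
            10: "authpriv", 11: "ftp"}
FACILITY.update({16 + n: "local%d" % n for n in range(8)})

# Matches the standard_file template from the post:
#   $ISODATE $FULLHOST $FACILITY.$LEVEL $PRI $MESSAGE
LINE = re.compile(r"^(\S+) (\S+) [a-z0-9]+\.[a-z]+ (\d{1,3}) (.*)$")

def parse(line):
    """Split one template line; the facility is decoded from $PRI."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return None
    date, host, pri, msg = m.groups()
    return {"date": date, "host": host, "message": msg,
            "facility": FACILITY.get(int(pri) >> 3, "unknown")}

# The two non-fallback log statements from the post, as (destination, test).
# Assumption: $MESSAGE starts with the program tag, so program(^slapd) is
# approximated here by a prefix test on the message text.
RULES = [
    ("test.log", lambda r: r["facility"] == "local1"
                 and r["message"].startswith("slapd")),
    ("auth.log", lambda r: r["facility"] == "auth"),
]

def misrouted(unknown_log_lines):
    """Return (expected_destination, record) for each fallback line that a
    non-fallback log statement should have matched."""
    records = (parse(line) for line in unknown_log_lines)
    return [(dest, rec) for rec in records if rec is not None
            for dest, matches in RULES if matches(rec)]

# Constructed sample of unknown.log content (not taken from the post).
SAMPLE = [
    "2007-03-28T13:19:27-07:00 host1.example.org auth.info 38 sshd[2211]: Accepted publickey for alice",
    "2007-03-28T13:19:30-07:00 host1.example.org daemon.notice 29 ntpd[801]: time reset",
    "2007-03-28T13:19:41-07:00 host1.example.org auth.notice 37 su[2300]: session opened for user root",
]

if __name__ == "__main__":
    for dest, rec in misrouted(SAMPLE):
        print("expected in %s: %s %s" % (dest, rec["date"], rec["message"]))
```

Any line it reports from unknown.log is a message that bypassed its intended destination, which for auth.log means authentication events missing from the file that monitoring would normally read.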