[syslog-ng] syslog-ng 2.0.x bug - facility(auth) fails to match any messages

Evan Rempel erempel at uvic.ca
Sat Apr 14 07:11:53 CEST 2007


I posted the message below a couple of weeks ago and did not get a response
from anyone.

Can anyone else confirm that with this configuration facility(auth) fails
to match messages with a facility of auth?

Balazs - can you make a comment on why this happens?

Evan.

-------- Original Message --------
Date: Wed, 28 Mar 2007 13:19:27 -0700
From: Evan Rempel <erempel at uvic.ca>
Subject: 2.0.x bug - filter(auth) fails to match

With the following configuration

source local { unix-stream("/dev/log" max-connections(200));
                file("/proc/kmsg" log_prefix("kernel: "));
                internal(); };

template standard_file  { template("$ISODATE $FULLHOST $FACILITY.$LEVEL $PRI $MESSAGE\n"); template_escape(no); };

destination auth.log    { file("/var/syslog/auth.log.$YEAR$MONTH$DAY.000000"    perm(0640) template(standard_file) ); };
destination unknown.log { file("/var/syslog/unknown.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); };
destination test.log    { file("/var/syslog/test.log.$YEAR$MONTH$DAY.000000"  perm(0640) template(standard_file) ); };


filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(^slapd); };

# ****** PROBLEM LOG LINE ****
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
# ****** PROBLEM LOG LINE ****

log { source(local); filter(f_auth); destination(auth.log); };

# safeguard to catch anything missed by other filters
log { source(local); destination(unknown.log); flags(fallback); };


All of the log messages with the facility of auth go into the unknown.log file.

If I remove the problematic log line (to test.log) or change the order of its filters
or change the first filter to be other than f_local1 (even changing the f_local1 filter to match a different
facility) then everything works as expected.

All of these work fine

# ------------- use other than filter f_local1
filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(slapd); };
log { source(local); filter(f_auth); filter(f_ldap); destination(test.log); };

# ------------  comment out the log line
filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(slapd); };
# log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };

# ------------------ match facility local0 in the f_local1 filter
filter f_auth         { facility(auth); };
filter f_local1       { facility(local0); };
filter f_ldap       { program(^slapd); };
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };

# ----------------- make a more complex single filter rather than multiple filter items in the log line
filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(^slapd); };
filter f_test       { facility(local1) and program(^sldapd); };
log { source(local); filter(f_test); destination(test.log); };


So, how is the first example going wrong?

Evan.
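
The routing the posted configuration is expected to produce, as an added reference model that is not part of the original post and is not syslog-ng code. It assumes that filters in one log statement are ANDed and that a flags(fallback) statement receives only messages no other log statement matched; the function names and sample messages are constructed here.

```python
# Added reference model (not syslog-ng code): expected routing for the posted config.
FACILITY = {"auth": 4, "local0": 16, "local1": 17}  # standard syslog facility codes

def facility_of(pri):
    """PRI = facility * 8 + severity, so the facility is PRI >> 3."""
    return pri >> 3

# Filters from the post, as predicates over (pri, program).
FILTERS = {
    "f_auth":   lambda pri, prog: facility_of(pri) == FACILITY["auth"],
    "f_local1": lambda pri, prog: facility_of(pri) == FACILITY["local1"],
    "f_ldap":   lambda pri, prog: prog.startswith("slapd"),  # program(^slapd)
}

# Log statements in the order posted: (filter names, destination, is_fallback).
LOG_PATHS = [
    (["f_local1", "f_ldap"], "test.log", False),
    (["f_auth"], "auth.log", False),
    ([], "unknown.log", True),
]

def matches(names, pri, program):
    """Assumed semantics: every filter named in a log statement must match."""
    return all(FILTERS[n](pri, program) for n in names)

def route(pri, program, paths=LOG_PATHS):
    """Destinations a message should reach under the assumed semantics."""
    hits = [d for names, d, fb in paths if not fb and matches(names, pri, program)]
    if hits:
        return hits
    # Fallback statements only see messages no other statement delivered.
    return [d for names, d, fb in paths if fb and matches(names, pri, program)]

def audit(observed):
    """Return {message: (expected, observed)} for deliveries that differ from the model."""
    return {msg: (route(*msg), got) for msg, got in observed.items()
            if sorted(route(*msg)) != sorted(got)}

if __name__ == "__main__":
    # Constructed observation mirroring the report: an auth.info message from
    # sshd (PRI 38) found in unknown.log instead of auth.log.
    observed = {(38, "sshd"): ["unknown.log"], (142, "slapd"): ["test.log"]}
    for msg, (want, got) in audit(observed).items():
        print(f"PRI {msg[0]} {msg[1]}: expected {want}, observed {got}")
```
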


