[syslog-ng] syslog-ng 2.0.x bug - facility(auth) fails to match any messages

Balazs Scheidler bazsi at balabit.hu
Sun Apr 15 13:06:41 CEST 2007

On Fri, 2007-04-13 at 22:11 -0700, Evan Rempel wrote:
> I posted the message below a couple of weeks ago and did not get a response
> from anyone.
> Can anyone else confirm that this configuration fails to match the facility(auth) fails
> to match messages with a facility of auth?
> Balazs - can you make a comment on why this happens?

You usually get better answers if you try to minimize the information
posted. You have a quite complicated configuration and this makes it
difficult to reproduce the problem (if there's one involved).

I have one tip though, do you recognize that multiple filter clauses in
a log statement are ANDed and not ORed?

This means that:

> filter f_auth         { facility(auth); };
> filter f_local1       { facility(local1); };
> filter f_ldap       { program(^slapd); };
> # ****** PROBLEM LOG LINE ****
> log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };

Test.log will only receive a message if the facility is local1 and the 
program sending the message is slapd. I've googled for this and slapd uses 
local4 by default:

       -l syslog-local-user
              Selects the local user of the  syslog(8)  facility.
              Values  can  be  LOCAL0,  LOCAL1,  and so on, up to
              LOCAL7.  The  default  is  LOCAL4.   However,  this
              option  is  only  permitted on systems that support
              local users with the syslog(8) facility.


More information about the syslog-ng mailing list