[syslog-ng] syslog-ng 2.0.x bug - facility(auth) fails to match any messages

Evan Rempel erempel at uvic.ca
Mon Apr 16 19:33:21 CEST 2007 

Balazs Scheidler wrote:
> You usually get better answers if you try to minimize the information
> posted. You have a quite complicated configuration and this makes it
> difficult to reproduce the problem (if there's one involved).

Yes, thank you. I tried to get the problem as simple as I could. Our actual
configuration is a LOT more complicated.


> I have one tip though, do you recognize that multiple filter clauses in
> a log statement are ANDed and not ORed?

Yes, I do realize this. If I make a single filter of

filter f_single{ facility(local1) and program(^sldapd); };

and use filter rather than using two filters in the log line,
things work as documented.

The problem is with messages that should match the facility of auth not with
the messages that match local1 and ldap.

> 
> This means that:
> 
>> filter f_auth         { facility(auth); };
>> filter f_local1       { facility(local1); };
>> filter f_ldap       { program(^slapd); };
>>
>> # ****** PROBLEM LOG LINE ****
>> log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
> 
> Test.log will only receive a message if the facility is local1 and the 
> program sending the message is slapd. I've googled for this and slapd uses 
> local4 by default:

Yes, in our environment our primary LDAP server logs with the facility of local1.

It is easy to test. Use the attached configuration and try to log with any priority auth.*
and see where the messages get logged. They should be logged in the auth.log but on my system they
are logged into unknown.log

Evan.
-------------- next part --------------
source local { unix-stream("/dev/log" max-connections(200));
               file("/proc/kmsg" log_prefix("kernel: "));
               internal(); };

template standard_file  { template("$ISODATE $FULLHOST $FACILITY.$LEVEL $PRI $MESSAGE\n"); template_escape(no); };

destination auth.log    { file("/var/syslog/auth.log.$YEAR$MONTH$DAY.000000"    perm(0640) template(standard_file) ); };
destination unknown.log { file("/var/syslog/unknown.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); };
destination test.log    { file("/var/syslog/test.log.$YEAR$MONTH$DAY.000000"  perm(0640) template(standard_file) ); };


filter f_auth         { facility(auth); };
filter f_local1       { facility(local1); };
filter f_ldap       { program(^slapd); };

# ****** PROBLEM LOG LINE ****
log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); };
# ****** PROBLEM LOG LINE ****

log { source(local); filter(f_auth); destination(auth.log); };

# safegaurd to catch anything missed by other filters
log { source(local); destination(unknown.log); flags(fallback); };

More information about the syslog-ng mailing list