[syslog-ng] Revisiting: problem with filter behavior in 2.0.4
aero1967 at fastmail.fm
aero1967 at fastmail.fm
Wed Aug 22 19:29:41 CEST 2007
Hello.
I posted the below message on 13 July to the list, but still received no
response. I'm wondering if I'm seeing a bug in syslog-ng, or there's
some configuration detail I've overlooked. Balazs, could you comment on
this please?
Since I posted the original message, I'm seeing all kinds of messages in
the "critical.log" file that shouldn't belong, according to my
understanding of the filtering, e.g. messages from facility+priority
combination "user.info" without the string "crit" anywhere within the
message (though oddly enough in that example, the word "subscription" is
present in the message, which differs from "crit" by the addition of the
"p" before the "t", but I'm not sure if that's anything more than
coincidence).
Anyway, I'd appreciate it if someone could help me look into this.
--
aero1967 at fastmail.fm
--
http://www.fastmail.fm - A no graphics, no pop-ups email service
----- Original message -----
I'm seeing some results with filtering that I don't expect / understand.
I have the following statements in syslog-ng.conf (I am just giving the
relevant configuration lines):
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
filter kern { facility(kern); };
filter kern_critical { filter(kern) and priority(emerg .. err); };
filter critical { filter(kern_critical) or match("crit*") or
priority(emerg .. crit); };
template verbose_msg_fmt { template("$FULLDATE $FACILITY.$PRIORITY
$MSG\n"); template_escape(no); };
destination root_tty { usertty("root"); };
destination critical_logfile { file("/var/log/critical.log"
template(verbose_msg_fmt)); };
log { source(src); filter(critical); destination(root_tty);
destination(critical_logfile); };
There are no other configuration lines which reference the
critical_logfile destination , and no destination has a "final" flag.
Now, when I check /var/log/critical.log, I get messages from the
facility.priority combination of daemon.warning that do not contain any
string starting with "crit". I also get messages from daemon.err, which
also shouldn't match the filter.
For example:
2007 Jul 12 10:51:07 daemon.warning <message, not containing the string
crit anywhere>
2007 Jul 11 20:33:57 daemon.err <message, not containing the string crit
anywhere>
IIRC, I was using these same lines in a syslog-ng 1.6.x installation
without these kinds of results.
More information about the syslog-ng
mailing list