[syslog-ng] problem with filter behavior in 2.0.4

aero1967 at fastmail.fm
Fri Jul 13 13:02:22 CEST 2007


I'm seeing some results with filtering that I don't expect / understand.
I have the following statements in syslog-ng.conf (I am just giving the
relevant configuration lines):

source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
filter kern { facility(kern); };
filter kern_critical { filter(kern) and priority(emerg .. err); };
filter critical { filter(kern_critical) or match("crit*") or priority(emerg .. crit); };
template verbose_msg_fmt { template("$FULLDATE $FACILITY.$PRIORITY $MSG\n"); template_escape(no); };
destination root_tty { usertty("root"); };
destination critical_logfile { file("/var/log/critical.log" template(verbose_msg_fmt)); };
log { source(src); filter(critical); destination(root_tty); destination(critical_logfile); };

There are no other configuration lines which reference the
critical_logfile destination, and no destination has a "final" flag.

Now, when I check /var/log/critical.log, I get messages from the
facility.priority combination of daemon.warning that do not contain any
string starting with "crit".  I also get messages from daemon.err, which
also shouldn't match the filter.

For example:

2007 Jul 12 10:51:07 daemon.warning <message, not containing the string crit anywhere>
2007 Jul 11 20:33:57 daemon.err <message, not containing the string crit anywhere>

IIRC, I was using these same lines in a syslog-ng 1.6.x installation
without these kinds of results.

Also, a question: does it matter if the priority range is given in
ascending or descending order (syslog's numerical code-wise)?

Thanks for any insight.
-- 
  
  aero1967 at fastmail.fm

-- 
http://www.fastmail.fm - IMAP accessible web-mail
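
The "critical" filter from the message above, modelled in Python as an added example (not part of the original post, and not syslog-ng code). match() takes a regular expression, so "crit*" reads as "cri" followed by zero or more "t" rather than as a glob for words starting with "crit". The sample messages are constructed, and Python's re module stands in for syslog-ng's regex engine as an assumption.

```python
import re

# Syslog severities in numeric order: 0 = emerg ... 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Same pattern text as match("crit*") in the posted config. As a regular
# expression it reads: "c", "r", "i", then zero or more "t".
CRIT_RE = re.compile(r"crit*")


def in_range(priority, first, last):
    """Model of priority(first .. last), with first the more severe bound."""
    return SEVERITIES.index(first) <= SEVERITIES.index(priority) <= SEVERITIES.index(last)


def matched_branches(facility, priority, msg):
    """Return the names of the branches of filter 'critical' that accept the message."""
    branches = []
    if facility == "kern" and in_range(priority, "emerg", "err"):
        branches.append("kern_critical")
    if CRIT_RE.search(msg):
        branches.append("match")
    if in_range(priority, "emerg", "crit"):
        branches.append("priority")
    return branches


# Constructed sample messages (not taken from the poster's logs).
SAMPLES = [
    ("daemon", "warning", "cron: running script /etc/cron.daily/logrotate"),
    ("daemon", "err", "nfsd: bad file descriptor on export"),
    ("daemon", "warning", "ntpd: time reset +0.512 s"),
    ("kern", "err", "EXT3-fs error (device sda1)"),
    ("daemon", "crit", "smartd: disk failure predicted"),
]

if __name__ == "__main__":
    for facility, priority, msg in SAMPLES:
        hits = matched_branches(facility, priority, msg)
        verdict = "logged via " + ", ".join(hits) if hits else "dropped"
        print(f"{facility}.{priority:<8} {msg!r}: {verdict}")
```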