[syslog-ng] 3.03 filtering problem
Tim Boyer
tim at denmantire.com
Mon Dec 14 18:18:20 CET 2009
OK, I assume that this is something stupid I'm doing - but I've stared at
the config file for a week, and I'll be darned if I can see it.
I've got a fairly vanilla setup, and I'm trying to send dhcpd, snort, etc to
separate filters, while at the same time keeping one file with all of the
error messages. Like so:
#
# log sources
#
source server {
    file("/proc/kmsg");
    unix-stream("/dev/log");
    internal();
};
destination dserver_all {
    file("/var/log/${HOST}.log" owner(root) group(hobbit) perm(0640));
};
destination dserver_cfengine { file("/var/log/cfengine.log"); };
destination dserver_snort { file("/var/log/snort.log"); };
destination dserver_dhcpd { file("/var/log/dhcpd.log"); };
...
filter fserver_snort { program("snort"); };
filter fserver_dhcpd { program("dhcpd"); };
filter fserver_cfengine { program("cfengine"); };
...
log { source(server); destination(dserver_all); };
log { source(server); filter(fserver_snort); destination(dserver_snort); flags(final); };
log { source(server); filter(fserver_cfengine); destination(dserver_cfengine); flags(final); };
log { source(server); filter(fserver_dhcpd); destination(dserver_dhcpd); flags(final); };
The 'log everything' is working fine. Some of the filtered logs are working
fine, like the cfengine log:
[root at saratoga log]# ls -la /var/log/cfengine.log
-rw------- 1 root root 181006 Dec 14 11:15 /var/log/cfengine.log
The dhcpd log is empty:
[root at saratoga log]# ls -la /var/log/dhcpd.log
-rw------- 1 root root 0 Dec 13 02:42 /var/log/dhcpd.log
even though there are entries in the combined log that clearly should have
hit the dhcpd log:
[root at saratoga log]# tail /var/log/saratoga.log
Dec 14 11:25:07 saratoga dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Dec 14 11:25:07 saratoga dhcpd: All rights reserved.
Dec 14 11:25:07 saratoga dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Dec 14 11:25:07 saratoga dhcpd: Wrote 22 leases to leases file.
Dec 14 11:25:07 saratoga dhcpd: Listening on LPF/eth3/00:0e:0c:6d:64:cf/192.168.3/24
What in the world am I missing?
Thanks much,
-- tim --
--
Tim Boyer
Denman Tire Corporation
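
An added example, not part of the original post: a small Python model of how syslog-ng tries the log statements above in order, treating program() as a regular-expression match on the program name and flags(final) as stopping later statements from seeing a matched message. The names LOG_PATHS, program_of and route are made up for this sketch, all sample lines except the first are constructed, and the model covers only the routing logic, not file handling on the destinations.

```python
import re

# BSD-syslog line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([^\s:\[]+)(?:\[\d+\])?: ")

# (program() pattern or None for "no filter", destination, flags(final)?)
# Same order as the log statements in the post.
LOG_PATHS = [
    (None, "dserver_all", False),
    ("snort", "dserver_snort", True),
    ("cfengine", "dserver_cfengine", True),
    ("dhcpd", "dserver_dhcpd", True),
]

# First line is taken from the post's tail output; the rest are constructed.
SAMPLE = [
    "Dec 14 11:25:07 saratoga dhcpd: Wrote 22 leases to leases file.",
    "Dec 14 11:25:08 saratoga snort[2211]: constructed alert line",
    "Dec 14 11:25:09 saratoga cfengine[733]: constructed run line",
    "Dec 14 11:25:10 saratoga sshd[991]: constructed login line",
]

def program_of(line):
    """Return the program name from a syslog line, or '' if unparsable."""
    m = LINE_RE.match(line)
    return m.group(1) if m else ""

def route(line, paths=LOG_PATHS):
    """Destinations a line reaches when log paths are tried in order."""
    prog = program_of(line)
    hits = []
    for pattern, dest, final in paths:
        if pattern is None or re.search(pattern, prog):
            hits.append(dest)
            if final:  # flags(final): later log statements never see it
                break
    return hits

if __name__ == "__main__":
    for line in SAMPLE:
        print(program_of(line), "->", route(line))
    # Ordering matters: with the catch-all moved last, final paths starve it.
    reordered = LOG_PATHS[1:] + LOG_PATHS[:1]
    print("reordered:", route(SAMPLE[0], reordered))
```

Under this model the dhcpd line reaches both dserver_all and dserver_dhcpd, and the combined log only stays complete because the catch-all statement comes before the flags(final) ones.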