[syslog-ng] [Fwd: Re: iptables logging in a separate logfile works not properly]
Ralf Heidenreich
ralf at lx-work.de
Fri Jun 5 13:25:06 CEST 2009
Hello,
if I use the final flag, postfix logs to /var/log/messages, not to
/var/log/maillog.
What am I doing wrong?
regards ralf
Here is my config:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};
destination iptables { file("/var/log/firewall.log"); };
filter iptables { match("INPUT:"); };
log { source(s_sys); filter(iptables); destination(iptables); flags(final); };
#log { source(s_sys); filter(iptables); destination(iptables); };
filter noiptables { not match("INPUT:"); };
log { source(s_sys); filter(noiptables); destination(d_kern); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/messages"); };
destination d_mlal { usertty("*"); };
# direct iptables logs into /var/log/firewall.log
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
                   not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
                (facility(news)
                 and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
Ralf Heidenreich wrote:
> Hello,
>
> can you give me an example of how to use the final flag?
> thanks in advance.
>
> regards
> Ralf
>
> Szalay Attila wrote:
>> Hi,
>>
>> On Fri, 2009-05-29 at 14:15 +0200, Ralf Heidenreich wrote:
>>> Hello,
>>>
>>> I have the following line in iptables:
>>> iptables -A INPUT -j LOG --log-prefix "INPUT: "
>>> In syslog-ng (/etc/syslog-ng/syslog-ng.conf) I have the following config:
>> [...]
>>> filter iptables { match("INPUT:"); };
>>> log { source(s_sys); filter(iptables); destination(iptables); };
>> [...]
>>> filter f_default { level(info..emerg) and
>>> not (facility(mail)
>>> or facility(authpriv)
>>> or facility(cron)); };
>> [...]
>>> log { source(s_sys); filter(f_default); destination(d_mesg); };
>> syslog-ng does not stop the evaluation when a destination is found. And
>> because of this, and because the second log statement matches the
>> line, syslog-ng stores it in messages too.
>>
>> If you want to order syslog-ng to stop, you can use the final
>> directive.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>
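Added example (not part of the original message and not syslog-ng code): a simplified Python model of how the log statements in the posted config are evaluated in file order, showing the effect of flags(final) and of the noiptables statement. The function names, message fields and sample messages are assumptions made for illustration, and destination options such as sync() are not modeled.

```python
# Added example: simplified model of syslog-ng log-statement evaluation.
# Filters are approximated: match() as a substring test, level() by rank.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def build_rules(final=True, catch_all=True):
    """Subset of the posted log statements, in config-file order.
    Each rule is (filter name, predicate, destination file, final flag)."""
    has_input = lambda m: "INPUT:" in m["text"]
    rules = [("iptables", has_input, "/var/log/firewall.log", final)]
    if catch_all:  # log { ... filter(noiptables); destination(d_kern); };
        rules.append(("noiptables", lambda m: not has_input(m),
                      "/var/log/messages", False))
    rules += [
        ("f_kernel", lambda m: m["facility"] == "kern",
         "/var/log/messages", False),
        ("f_default", lambda m: LEVELS.index(m["level"]) >= LEVELS.index("info")
         and m["facility"] not in ("mail", "authpriv", "cron"),
         "/var/log/messages", False),
        ("f_auth", lambda m: m["facility"] == "authpriv", "/var/log/secure", False),
        ("f_mail", lambda m: m["facility"] == "mail", "/var/log/maillog", False),
        ("f_cron", lambda m: m["facility"] == "cron", "/var/log/cron", False),
    ]
    return rules

def route(msg, rules):
    """Return [(filter, file), ...] for every log statement that fires."""
    hits = []
    for name, pred, dest, final in rules:
        if pred(msg):
            hits.append((name, dest))
            if final:  # flags(final): later statements never see the message
                break
    return hits

# Constructed sample messages (not taken from the thread).
FIREWALL = {"facility": "kern", "level": "warning",
            "text": "kernel: INPUT: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22"}
POSTFIX = {"facility": "mail", "level": "info",
           "text": "postfix/smtpd[1234]: connect from unknown[192.0.2.25]"}

if __name__ == "__main__":
    for label, msg in (("firewall", FIREWALL), ("postfix", POSTFIX)):
        for final, catch_all in ((False, False), (True, True), (True, False)):
            print(label, f"final={final} catch_all={catch_all}",
                  route(msg, build_rules(final, catch_all)))
```

In this model the statement using filter(noiptables) fires for every message that does not contain "INPUT:", whatever its facility, because it sits before the facility-based statements and writes to /var/log/messages.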