[syslog-ng] Re : flags(final)

Balazs Scheidler bazsi at balabit.hu
Tue Nov 3 09:02:23 CET 2009


Hi,

I've installed your configuration, and tried it after changing it
somewhat to be able to run it in my environment.

flags(final) worked like a charm.

If you enable --debug and --verbose messages for syslog-ng, you can see
how the filter is being evaluated. Your example results in:

Incoming log entry; line='<150>Nov  3 08:59:16 FWNAT: hello'
Filter rule evaluation begins; filter_rule='f_network_address_translation'
Filter node evaluation result; filter_result='match', filter_type='level'
Filter node evaluation result; filter_result='match', filter_type='facility'
Filter node evaluation result; filter_result='match', filter_type='AND'
Filter node evaluation result; filter_result='match'
Filter node evaluation result; filter_result='match', filter_type='AND'
Filter rule evaluation result; filter_result='match', filter_rule='f_network_address_translation'
Initializing destination file writer; template='/home/bazsi/logs/nat', filename='/home/bazsi/logs/nat'
EOF occurred while reading; fd='7'
Syslog connection closed; fd='7', client='AF_UNIX(anonymous)', local='AF_UNIX(log)'
Closing log transport fd; fd='7'


And it only wrote the message to the nat file, not the default file. If the filter
does not match, it writes it to the other file.

Here's the other case (mismatching facility):

Incoming log entry; line='<158>Nov  3 09:01:27 FWNAT: hello'
Filter rule evaluation begins; filter_rule='f_network_address_translation'
Filter node evaluation result; filter_result='match', filter_type='level'
Filter node evaluation result; filter_result='not-match', filter_type='facility'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_network_address_translation'
Initializing destination file writer; template='/home/bazsi/logs/default', filename='/home/bazsi/logs/default'
EOF occurred while reading; fd='7'
Syslog connection closed; fd='7', client='AF_UNIX(anonymous)', local='AF_UNIX(log)'
Closing log transport fd; fd='7'

And here's the config file I've tried it with:

@version:3.0

options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};

source s_sys {
        #file ("/proc/kmsg" program_override("kernel"));
        unix-stream ("log");
        internal();
        #udp(ip(0.0.0.0) port(514));
};

destination d_network_address_translation {
        file("/home/bazsi/logs/nat"
                #flush_lines(10)
                #flush_timeout(1000)
        );
};

destination d_default {
        file("/home/bazsi/logs/default"
                #flush_lines(10)
                #flush_timeout(1000)
        );
};

filter f_network_address_translation {
        #host("hlgn-crtr-01-service") and
        priority(info) and
        facility(local2) and
        match("FWNAT");
};

log {
        source(s_sys);
        filter(f_network_address_translation);
        destination(d_network_address_translation);
        flags(final);
};

log {
        source(s_sys);
        destination(d_default);
};


On Wed, 2009-10-28 at 17:32 -0400, Michael J. Bauer wrote:
> I've upgraded from syslog-ng 2.1.4 to 3.0.4, in case flags(final) was 
> somehow broken in that version.  The upgrade has made no difference: 
> flags(final) still appears to have no effect.
> 
> I am attempting to shunt all entries containing FWNAT into a separate 
> file (network-address-translation), and keep them out of the default 
> destination (default).  The configuration, below, writes the entries to 
> both, despite the presence of flags(final) in a prior log{} statement.
> 
> My understanding based on reading the documentation and various sample 
> configurations is that flags(final) in one log{} statement should 
> preclude the log entry in question from going to any subsequent log{} 
> statement.  Am I misunderstanding how flags(final) works, or should I 
> submit a bug report?  If I'm misunderstanding, please let me know if 
> there is a way to get the behavior I'm describing.
> 
> Thanks,
> MJB
> 
> My syslog-ng 3-ified configuration:
> 
> @version:3.0
> 
> options {
>         flush_lines (0);
>         time_reopen (10);
>         log_fifo_size (1000);
>         long_hostnames (off);
>         use_fqdn (no);
>         create_dirs (no);
>         keep_hostname (yes);
> };
> 
> source s_sys {
>         file ("/proc/kmsg" program_override("kernel"));
>         unix-stream ("/dev/log");
>         internal();
>         udp(ip(0.0.0.0) port(514));
> };
> 
> destination d_network_address_translation {
>         file("/var/log/network-address-translation"
>                 flush_lines(10)
>                 flush_timeout(1000));
> };
> 
> destination d_default {
>         file("/var/log/default"
>                 flush_lines(10)
>                 flush_timeout(1000));
> };
> 
> filter f_network_address_translation {
>         host("hlgn-crtr-01-service") and
>         priority(info) and
>         facility(local2) and
>         match("FWNAT");
> };
> 
> log {
>         source(s_sys);
>         filter(f_network_address_translation);
>         destination(d_network_address_translation);
>         flags(final);
> };
> 
> log {
>         source(s_sys);
>         destination(d_default);
> };
> 
> Michael J. Bauer wrote:
> > That flags(final) is in fact part of the log{} line.  The destination() 
> > is also part of the log{} line, and appears on a line of its own because 
> > of line wrap.  The log{} line is, in one line (and hoping to avoid wrap):
> >
> > log { source(s_sys); filter(f_network_address_translation); 
> > destination(d_network_address_translation); flags(final); };
> >
> > The terminating }; is after flags(final);.  Neither of the real 
> > destination{} lines contains flags(final).
> >
> > MJB
> >
> > srainville at videotron.ca wrote:
> >   
> >> The flags(final) goes at the end of the log statement, not the 
> >> destination.
> >>  
> >> Cheers,
> >>  
> >> Steve
> >> ----- Original Message -----
> >> From: "Michael J. Bauer" <mjbauer at eecs.tufts.edu>
> >> Date: Thursday, 24 September 2009, 23:00
> >> Subject: [syslog-ng] flags(final)
> >> To: syslog-ng at lists.balabit.hu
> >>
> >>     
> >>> I think I am misunderstanding what flags(final) is supposed to do.  I'm
> >>> running syslog-ng 2.1.4 on RHEL 5.4 (Tikanga).
> >>>
> >>> I have a fairly simple syslog-ng configuration, which I've attached
> >>> below.  I'm trying to pick off individual groups of log entries and put
> >>> them in their own individual files.  I want to ensure that each gets
> >>> logged exactly once, so I'm using flags(final).  I also have a catch-all
> >>> at the end in case I've missed something, but the ultimate goal is to
> >>> have that file present, but empty.
> >>>
> >>> However, with this configuration, the log entries that appear in
> >>> d_network_address_translation (/var/log/network-address-translation)
> >>> also appear in d_default (/var/log/default) despite the presence of
> >>> flags(final) on an earlier log() line.  Should it work this way?  If so,
> >>> what can I do to get the desired behavior?
> >>>
> >>> Thanks,
> >>> MJB
> >>>
> >>> options {
> >>>         sync (0);
> >>>         time_reopen (10);
> >>>         log_fifo_size (1000);
> >>>         long_hostnames (off);
> >>>         use_fqdn (no);
> >>>         create_dirs (no);
> >>>         keep_hostname (yes);
> >>> };
> >>>
> >>> source s_sys {
> >>>         file ("/proc/kmsg" log_prefix("kernel: "));
> >>>         unix-stream ("/dev/log");
> >>>         internal();
> >>>         udp(ip(0.0.0.0) port(514));
> >>> };
> >>>
> >>> destination d_network_address_translation { file("/var/log/network-address-translation"); };
> >>> destination d_default { file("/var/log/default"); };
> >>>
> >>> filter f_network_address_translation { host("router-service-interface") and
> >>>                                        priority(info) and
> >>>                                        facility(local2) and
> >>>                                        match("FWNAT"); };
> >>>
> >>> log { source(s_sys);
> >>>       filter(f_network_address_translation);
> >>>       destination(d_network_address_translation); flags(final); };
> >>> log { source(s_sys);
> >>>       destination(d_default); };
> >>>
> >>>
> >>>       
> >> ______________________________________________________________________________
> >>     
> >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>> Documentation:
> >>> http://www.balabit.com/support/documentation/?product=syslog-ng
> >>> FAQ: http://www.campin.net/syslog-ng/faq.html
> >>>
> >>>       
-- 
Bazsi
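Added example (not from the thread or from syslog-ng itself): a small Python model of the two log{} paths in Bazsi's config above. It parses the <PRI> value seen in the debug output into facility and severity, applies the same filter (priority(info) and facility(local2) and match("FWNAT")), and stops at flags(final), so the two debug traces (<150> routed to nat, <158> routed to default) can be reproduced offline. The facility table is a constructed subset of the RFC 3164 numbering (local2 = 18, local3 = 19); the sample lines are the ones quoted in the thread.

```python
"""Model of syslog-ng filter evaluation and flags(final) routing (added example)."""
import re

# Constructed subset of RFC 3164 facility codes: local0..local7 are 16..23.
FACILITIES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
# Severity codes 0..7 in RFC 3164 order.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split '<PRI>rest' into (facility_name, severity_name, rest).

    PRI = facility * 8 + severity, so <150> is local2/info and <158> is local3/info.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> field at start of line")
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(facility, "facility%d" % facility), SEVERITIES[severity], m.group(2)


def f_network_address_translation(line):
    """Equivalent of the filter in the config: priority(info) and facility(local2) and match('FWNAT')."""
    facility, severity, rest = parse_pri(line)
    return severity == "info" and facility == "local2" and "FWNAT" in rest


# The two log{} statements in config order: (filter or None, destination, flags(final)).
LOG_PATHS = [
    (f_network_address_translation, "nat", True),
    (None, "default", False),
]


def route(line):
    """Return the destinations a message reaches; flags(final) stops further log{} evaluation."""
    reached = []
    for flt, dest, final in LOG_PATHS:
        if flt is not None and not flt(line):
            continue  # filter did not match, try the next log{} statement
        reached.append(dest)
        if final:
            break  # flags(final): later log{} statements never see this message
    return reached


if __name__ == "__main__":
    for sample in ("<150>Nov  3 08:59:16 FWNAT: hello", "<158>Nov  3 09:01:27 FWNAT: hello"):
        print(sample, "->", parse_pri(sample)[:2], route(sample))
```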