[syslog-ng] Re: flags(final)
Michael J. Bauer
mjbauer at eecs.tufts.edu
Wed Oct 28 22:32:45 CET 2009
I've upgraded from syslog-ng 2.1.4 to 3.0.4, in case flags(final) was
somehow broken in that version. The upgrade has made no difference:
flags(final) still appears to have no effect.
I am attempting to shunt all entries containing FWNAT into a separate
file (network-address-translation), and keep them out of the default
destination (default). The configuration, below, writes the entries to
both, despite the presence of flags(final) in a prior log{} statement.
My understanding based on reading the documentation and various sample
configurations is that flags(final) in one log{} statement should
preclude the log entry in question from going to any subsequent log{}
statement. Am I misunderstanding how flags(final) works, or should I
submit a bug report? If I'm misunderstanding, please let me know if
there is a way to get the behavior I'm describing.
Thanks,
MJB
My syslog-ng 3-ified configuration:
@version:3.0
options {
  flush_lines (0);
  time_reopen (10);
  log_fifo_size (1000);
  long_hostnames (off);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
};

source s_sys {
  file ("/proc/kmsg" program_override("kernel"));
  unix-stream ("/dev/log");
  internal();
  udp(ip(0.0.0.0) port(514));
};

destination d_network_address_translation {
  file("/var/log/network-address-translation"
       flush_lines(10)
       flush_timeout(1000));
};

destination d_default {
  file("/var/log/default"
       flush_lines(10)
       flush_timeout(1000));
};

filter f_network_address_translation {
  host("hlgn-crtr-01-service") and
  priority(info) and
  facility(local2) and
  match("FWNAT");
};

# Matched entries go to the NAT file; flags(final) is meant to keep
# later log statements from processing them again.
log {
  source(s_sys);
  filter(f_network_address_translation);
  destination(d_network_address_translation);
  flags(final);
};

# Catch-all for everything not consumed above.
log {
  source(s_sys);
  destination(d_default);
};
Michael J. Bauer wrote:
> That flags(final) is in fact part of the log{} line. The destination()
> is also part of the log{} line, and appears on a line of its own because
> of line wrap. The log{} line is, in one line (and hoping to avoid wrap):
>
> log { source(s_sys); filter(f_network_address_translation);
> destination(d_network_address_translation); flags(final); };
>
> The terminating }; is after flags(final);. Neither of the real
> destination{} lines contain flags(final).
>
> MJB
>
> srainville at videotron.ca wrote:
>
>> The flags(final) goes at the end of the log statement, not the
>> destination.
>>
>> Cheers,
>>
>> Steve
>> ----- Original Message -----
>> From: "Michael J. Bauer" <mjbauer at eecs.tufts.edu>
>> Date: Thursday, 24 September 2009, 23:00
>> Subject: [syslog-ng] flags(final)
>> To: syslog-ng at lists.balabit.hu
>>
>>
>>> I think I am misunderstanding what flags(final) is supposed to do. I'm
>>> running syslog-ng 2.1.4 on RHEL 5.4 (Tikanga).
>>>
>>> I have a fairly simple syslog-ng configuration, which I've attached
>>> below. I'm trying to pick off individual groups of log entries and put
>>> them in their own individual files. I want to ensure that each gets
>>> logged exactly once, so I'm using flags(final). I also have a catch-all
>>> at the end in case I've missed something, but the ultimate goal is to
>>> have that file present, but empty.
>>>
>>> However, with this configuration, the log entries that appear in
>>> d_network_address_translation (/var/log/network-address-translation)
>>> also appear in d_default (/var/log/default) despite the presence of
>>> flags(final) on an earlier log() line. Should it work this way? If so,
>>> what can I do to get the desired behavior?
>>>
>>> Thanks,
>>> MJB
>>>
>>> options {
>>>   sync (0);
>>>   time_reopen (10);
>>>   log_fifo_size (1000);
>>>   long_hostnames (off);
>>>   use_fqdn (no);
>>>   create_dirs (no);
>>>   keep_hostname (yes);
>>> };
>>>
>>> source s_sys {
>>>   file ("/proc/kmsg" log_prefix("kernel: "));
>>>   unix-stream ("/dev/log");
>>>   internal();
>>>   udp(ip(0.0.0.0) port(514));
>>> };
>>>
>>> destination d_network_address_translation {
>>>   file("/var/log/network-address-translation"); };
>>> destination d_default { file("/var/log/default"); };
>>>
>>> filter f_network_address_translation {
>>>   host("router-service-interface") and
>>>   priority(info) and
>>>   facility(local2) and
>>>   match("FWNAT"); };
>>>
>>> log { source(s_sys); filter(f_network_address_translation);
>>>       destination(d_network_address_translation); flags(final); };
>>> log { source(s_sys); destination(d_default); };
>>>
>>>
>>>
>> ______________________________________________________________________________
>>
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
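The routing semantic the original post expects from flags(final), as an added Python model that is not syslog-ng's own code: log{} statements are evaluated in configuration order, a statement applies to a message only when all of its filters match, and a matching statement carrying flags(final) stops further processing of that message. The hostnames, facilities, sample messages and the function names build_paths, route and sample_messages are constructed for this example; the filter mirrors the f_network_address_translation filter from the post.

```python
"""Model of how syslog-ng evaluates log{} statements with flags(final).

Added example, not syslog-ng's own code. It implements the documented
semantic the post expects: log statements are evaluated in configuration
order, and a message matched by a statement carrying flags(final) is not
handed to any later statement. Hostnames, facilities and message texts
below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    host: str
    facility: str
    priority: str
    text: str


@dataclass
class LogPath:
    """One log{} statement: filters (all must match), destinations, final flag."""
    name: str
    filters: list
    destinations: list
    final: bool = False


def f_network_address_translation(msg: Message) -> bool:
    """Mirror of the post's filter: host and priority and facility and match()."""
    return (msg.host == "hlgn-crtr-01-service"
            and msg.priority == "info"
            and msg.facility == "local2"
            and re.search("FWNAT", msg.text) is not None)


def build_paths(final: bool = True, catch_all_first: bool = False) -> list:
    """The two log{} statements from the post, in either order (constructed)."""
    nat = LogPath("nat", [f_network_address_translation],
                  ["d_network_address_translation"], final=final)
    default = LogPath("default", [], ["d_default"])  # no filter: catch-all
    return [default, nat] if catch_all_first else [nat, default]


def route(paths: list, messages: list) -> dict:
    """Deliver each message through the log paths in configuration order.

    Returns {destination_name: [message texts written there]}.
    """
    delivered = {d: [] for p in paths for d in p.destinations}
    for msg in messages:
        for path in paths:
            if not all(f(msg) for f in path.filters):
                continue  # this statement does not apply to the message
            for dest in path.destinations:
                delivered[dest].append(msg.text)
            if path.final:
                break  # flags(final): later statements never see this message
    return delivered


def sample_messages() -> list:
    """Constructed sample traffic: one NAT entry, one near-miss, one unrelated line."""
    return [
        Message("hlgn-crtr-01-service", "local2", "info",
                "FWNAT: 10.0.0.5:4000 -> 198.51.100.7:443"),
        Message("hlgn-crtr-01-service", "local2", "warning", "FWNAT: table full"),
        Message("webhost-01", "auth", "info", "session opened for user alice"),
    ]


if __name__ == "__main__":
    runs = (("nat path first, flags(final)", build_paths()),
            ("nat path first, no final", build_paths(final=False)),
            ("catch-all first, flags(final)", build_paths(catch_all_first=True)))
    for label, paths in runs:
        out = route(paths, sample_messages())
        print(label)
        for dest, lines in out.items():
            print(f"  {dest}: {len(lines)} line(s)")
```

With the NAT statement first and flags(final) set, the FWNAT entry lands only in d_network_address_translation; the near-miss (priority warning, so the filter does not match) and the unrelated line fall through to d_default, since final only affects messages the statement actually matched. Without final the entry is written to both files, which is the doubling the post describes. With the catch-all statement placed before the NAT statement, final cannot help: the catch-all has already written the line by the time the flag is reached, so statement order matters as much as the flag. The model shows the documented intent only; it does not explain why the poster's daemon did not honor it.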