[syslog-ng] Re: flags(final)

Michael J. Bauer mjbauer at eecs.tufts.edu
Wed Oct 28 22:32:45 CET 2009


I've upgraded from syslog-ng 2.1.4 to 3.0.4, in case flags(final) was 
somehow broken in that version.  The upgrade has made no difference: 
flags(final) still appears to have no effect.

I am attempting to shunt all entries containing FWNAT into a separate 
file (network-address-translation), and keep them out of the default 
destination (default).  The configuration, below, writes the entries to 
both, despite the presence of flags(final) in a prior log{} statement.

My understanding based on reading the documentation and various sample 
configurations is that flags(final) in one log{} statement should 
preclude the log entry in question from going to any subsequent log{} 
statement.  Am I misunderstanding how flags(final) works, or should I 
submit a bug report?  If I'm misunderstanding, please let me know if 
there is a way to get the behavior I'm describing.

Thanks,
MJB

My syslog-ng 3-ified configuration:

@version:3.0

options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};

source s_sys {
        file ("/proc/kmsg" program_override("kernel"));
        unix-stream ("/dev/log");
        internal();
        udp(ip(0.0.0.0) port(514));
};

destination d_network_address_translation {
        file("/var/log/network-address-translation"
                flush_lines(10)
                flush_timeout(1000));
};

destination d_default {
        file("/var/log/default"
                flush_lines(10)
                flush_timeout(1000));
};

filter f_network_address_translation {
        host("hlgn-crtr-01-service") and
        priority(info) and
        facility(local2) and
        match("FWNAT");
};

log {
        source(s_sys);
        filter(f_network_address_translation);
        destination(d_network_address_translation);
        flags(final);
};

log {
        source(s_sys);
        destination(d_default);
};

Michael J. Bauer wrote:
> That flags(final) is in fact part of the log{} line.  The destination() 
> is also part of the log{} line, and appears on a line of its own because 
> of line wrap.  The log{} line is, in one line (and hoping to avoid wrap):
>
> log { source(s_sys); filter(f_network_address_translation); 
> destination(d_network_address_translation); flags(final); };
>
> The terminating }; is after flags(final);.  Neither of the real 
> destination{} lines contain flags(final).
>
> MJB
>
> srainville at videotron.ca wrote:
>   
>> The flags(final) goes at the end of the log statement, not the 
>> destination.
>>  
>> Cheers,
>>  
>> Steve
>> ----- Original message -----
>> From: "Michael J. Bauer" <mjbauer at eecs.tufts.edu>
>> Date: Thursday, 24 September 2009, 23:00
>> Subject: [syslog-ng] flags(final)
>> To: syslog-ng at lists.balabit.hu
>>
>>     
>>> I think I am misunderstanding what flags(final) is supposed to do.  I'm
>>> running syslog-ng 2.1.4 on RHEL 5.4 (Tikanga).
>>>
>>> I have a fairly simple syslog-ng configuration, which I've attached
>>> below.  I'm trying to pick off individual groups of log entries and put
>>> them in their own individual files.  I want to ensure that each gets
>>> logged exactly once, so I'm using flags(final).  I also have a catch-all
>>> at the end in case I've missed something, but the ultimate goal is to
>>> have that file present, but empty.
>>>
>>> However, with this configuration, the log entries that appear in
>>> d_network_address_translation (/var/log/network-address-translation)
>>> also appear in d_default (/var/log/default) despite the presence of
>>> flags(final) on an earlier log() line.  Should it work this way?  If so,
>>> what can I do to get the desired behavior?
>>>
>>> Thanks,
>>> MJB
>>>
>>> options {
>>>         sync (0);
>>>         time_reopen (10);
>>>         log_fifo_size (1000);
>>>         long_hostnames (off);
>>>         use_fqdn (no);
>>>         create_dirs (no);
>>>         keep_hostname (yes);
>>> };
>>>
>>> source s_sys {
>>>         file ("/proc/kmsg" log_prefix("kernel: "));
>>>         unix-stream ("/dev/log");
>>>         internal();
>>>         udp(ip(0.0.0.0) port(514));
>>> };
>>>
>>> destination d_network_address_translation { file("/var/log/network-address-translation"); };
>>> destination d_default                     { file("/var/log/default"); };
>>>
>>> filter f_network_address_translation { host("router-service-interface") and
>>>                                        priority(info) and
>>>                                        facility(local2) and
>>>                                        match("FWNAT"); };
>>>
>>> log { source(s_sys);
>>>       filter(f_network_address_translation);
>>>       destination(d_network_address_translation);      flags(final); };
>>> log { source(s_sys);
>>>       destination(d_default); };
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html


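The behavior the thread expects from flags(final), as an added illustration that is not code from the post or from syslog-ng itself: log statements are evaluated in the order they appear in the configuration, a message matching a statement's filters is sent to that statement's destinations, and if the statement carries flags(final) the message is not offered to any later statement. The model below uses the filter, destination and host names from the posted 3.0 configuration; the Message/LogPath types, the route() and log_paths() helpers and the four sample messages are constructed for this example. Run with flags(final) the FWNAT line lands only in the NAT destination; with the flag removed it lands in both, which is the symptom reported.

```python
"""Model of syslog-ng log-path evaluation with and without flags(final).

Added example, not the mailing-list author's code and not syslog-ng source.
It encodes the documented semantics: log statements are tried in order,
all filters of a statement must match, and flags(final) stops further
evaluation for a message that matched.  Types, helper names and the
sample messages are assumptions constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    host: str       # value the host() filter compares against
    facility: str   # e.g. "local2"
    level: str      # severity name, e.g. "info"
    text: str       # message body, what match() inspects


@dataclass(frozen=True)
class LogPath:
    filters: tuple       # callables Message -> bool; all must be true
    destinations: tuple  # destination names from the posted config
    final: bool = False  # flags(final) on this log {} statement


def f_network_address_translation(m: Message) -> bool:
    """Mirror of the posted filter: host and priority(info) and
    facility(local2) and match("FWNAT").  priority(info) selects
    only the info severity, so FWNAT lines at other severities do
    not match and fall through to the catch-all."""
    return (m.host == "hlgn-crtr-01-service"
            and m.level == "info"
            and m.facility == "local2"
            and "FWNAT" in m.text)


def log_paths(final: bool = True) -> list:
    """The two log {} statements from the post, in configuration order.
    final=False reproduces the config with flags(final) left out."""
    return [
        LogPath((f_network_address_translation,),
                ("d_network_address_translation",), final=final),
        LogPath((), ("d_default",)),          # catch-all, no filter
    ]


def route(messages, paths=None) -> dict:
    """Deliver each message according to syslog-ng log-path semantics.
    Returns {destination name: [message texts delivered there]}."""
    if paths is None:
        paths = log_paths(final=True)
    delivered = {d: [] for p in paths for d in p.destinations}
    for m in messages:
        for path in paths:
            if all(f(m) for f in path.filters):
                for d in path.destinations:
                    delivered[d].append(m.text)
                if path.final:      # flags(final): stop here for this message
                    break
    return delivered


# Constructed sample input; hostnames, addresses and text are made up.
SAMPLE_MESSAGES = [
    Message("hlgn-crtr-01-service", "local2", "info",
            "FWNAT: 10.0.0.5:51234 -> 203.0.113.9:443 via 198.51.100.2:40211"),
    Message("hlgn-crtr-01-service", "local2", "notice",
            "FWNAT: translation table flushed"),       # wrong severity
    Message("hlgn-crtr-01-service", "local2", "info",
            "link state change on ge-0/0/1"),           # no FWNAT
    Message("web-01", "auth", "info",
            "sshd[2211]: Accepted publickey for deploy from 10.0.0.9"),
]


if __name__ == "__main__":
    for label, paths in (("with flags(final)", log_paths(True)),
                         ("without flags(final)", log_paths(False))):
        print(label)
        for dest, texts in route(SAMPLE_MESSAGES, paths).items():
            print(f"  {dest}: {len(texts)} message(s)")
            for t in texts:
                print(f"    {t}")
```

Before reasoning about routing on a real host, confirm the configuration actually parsed as intended with `syslog-ng --syntax-only -f /path/to/syslog-ng.conf`, and keep in mind that a filter combining host(), priority(), facility() and match() must satisfy all four conditions for flags(final) to take effect; a line that fails any one of them is not "final" and reaches the catch-all.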