[syslog-ng] config with many rules

Balazs Scheidler bazsi at balabit.hu
Fri Sep 18 22:21:50 CEST 2009


On Fri, 2009-09-18 at 23:47 +0400, Vasiliy G Tolstov wrote:
> Hello. I'm new to this list, and maybe my question has been answered already,
> but I couldn't find any solution:
> 
> Problem:
> I have many filters, like this
> filter ff_auth { program(sshd) or program(dropbear) or facility(auth, authpriv); };
> filter ff_cron { facility(cron); };
> filter ff_daemon { facility(daemon); };
> filter ff_user { facility(user); };
> filter ff_debug { not facility(auth, authpriv, news, mail); };
> filter ff_scm { program(git-daemon); };
> filter ff_db { program(postgres) or program (mysql); };
> filter ff_mail { facility(mail); };
> filter ff_ftp { program(vsftpd) or program(proftpd); };
> filter ff_rsync { program(rsync); };
> filter ff_snmp { program(snmpd); };
> filter ff_named { program(named); };
> filter fl_alert { level(alert); };
> filter fl_crit { level(crit); };
> filter fl_err { level(err); };
> filter fl_warn { level(warn); };
> filter fl_notice { level(notice); };
> filter fl_info { level(info); };
> filter fl_debug { level(debug); };
> 
> 
> If I want to add a new filter to select kernel messages that do not
> contain already defined data
> filter ff_kernel { facility(kern) and not match(firewall) and not
> match(mail) and not match(snmp) and not match(vsftpd) and not
> match(firewall); .....};
> I think - not best solution to write all filters in not match and not
> program.
> 
> Solution:
> Can you provide some help, how can I reduce unneeded strings, maybe not
> like ff_db and not like ff_debug?
> 
> P.S. Sorry if my English is bad and I can't fully describe the problem.
> 

You probably need 'flags(final)' on your log statements.

-- 
Bazsi
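
What the reply suggests, as an added configuration example that is not part of the original message or of the syslog-ng project's own documentation: specific log statements come first with flags(final), so the kernel catch-all at the end needs no chain of "and not". The source, the destinations, the file paths and the ff_fw filter are assumed names; ff_auth and ff_mail are taken from the question.

```conf
# Added illustration. s_local, d_*, ff_fw and all file paths are assumed names.
source s_local { unix-stream("/dev/log"); file("/proc/kmsg"); internal(); };

destination d_auth   { file("/var/log/auth.log"); };
destination d_mail   { file("/var/log/mail.log"); };
destination d_fw     { file("/var/log/firewall.log"); };
destination d_kernel { file("/var/log/kernel.log"); };

# Filters from the question, unchanged.
filter ff_auth { program(sshd) or program(dropbear) or facility(auth, authpriv); };
filter ff_mail { facility(mail); };

# Assumed filter: kernel messages whose text contains "firewall".
filter ff_fw { facility(kern) and match("firewall" value("MESSAGE")); };

# The catch-all stays simple: no "and not match(...)" list.
filter ff_kernel { facility(kern); };

# Log statements are evaluated in file order. A message that passes the
# filter of a statement carrying flags(final) is not handed to any log
# statement that appears later in the file.
log { source(s_local); filter(ff_auth); destination(d_auth); flags(final); };
log { source(s_local); filter(ff_mail); destination(d_mail); flags(final); };
log { source(s_local); filter(ff_fw);   destination(d_fw);   flags(final); };

# Reached only by kernel messages that no statement above claimed.
log { source(s_local); filter(ff_kernel); destination(d_kernel); };
```

flags(final) only affects statements that come after it, so a broad statement placed above these would still receive every message. The file can be checked with `syslog-ng --syntax-only` before reloading.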



