[syslog-ng] flags(final)

Michael J. Bauer mjbauer at eecs.tufts.edu
Fri Sep 25 00:00:29 CEST 2009


I think I am misunderstanding what flags(final) is supposed to do.  I'm 
running syslog-ng 2.1.4 on RHEL 5.4 (Tikanga).

I have a fairly simple syslog-ng configuration, which I've attached 
below.  I'm trying to pick off individual groups of log entries and put 
them in their own individual files.  I want to ensure that each gets 
logged exactly once, so I'm using flags(final).  I also have a catch-all 
at the end in case I've missed something, but the ultimate goal is to 
have that file present, but empty.

However, with this configuration, the log entries that appear in 
d_network_address_translation (/var/log/network-address-translation) 
also appear in d_default (/var/log/default) despite the presence of 
flags(final) on an earlier log() line.  Should it work this way?  If so, 
what can I do to get the desired behavior?

Thanks,
MJB

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};

source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
        udp(ip(0.0.0.0) port(514));
};

destination d_network_address_translation { file("/var/log/network-address-translation"); };
destination d_default          { file("/var/log/default"); };

filter f_network_address_translation { host("router-service-interface") and
                                       priority(info) and
                                       facility(local2) and
                                       match("FWNAT"); };

log { source(s_sys);
      filter(f_network_address_translation);
      destination(d_network_address_translation);
      flags(final); };
log { source(s_sys);
      destination(d_default); };


