[syslog-ng] problem with filtering in syslog-ng
Evan Baer
evan.d.baer at gmail.com
Tue Feb 23 15:56:41 CET 2010
The ntpd lines are still falling through. Should I include the
final() syntax on all my log lines?

filter not_ntpd { not program("ntpd*"); };
log { source(src); filter(f_notice); filter(f_not_authpriv);
filter(not_ntpd); destination(messages); flags(final); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };

Here is an example of what we still see in the logs:

Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on interface #2 lo0, 127.0.0.1#123 Enabled
Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on routing socket on fd #23 for interface updates

On Tue, Feb 23, 2010 at 9:40 AM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
> Hi Evan,
>
> use the final flag in this log path.
> For example:
>
> log { source(src); filter(f_kern); filter(f_debug); filter(not_ntpd);
> destination(messages); flags(final); };
>
> For more information see our documentation:
> http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s03.html
>
> Evan Baer wrote:
>>
>> Hello,
>>
>> I'm trying to exclude ntpd update messages from /var/log/messages.
>>
>> I have created a filter like so:
>> filter not_ntpd { not program("ntpd*"); };
>>
>> And implemented it in my log lines:
>>
>> log { source(src); filter(not_ntpd); destination(messages); };
>> log { source(src); filter(f_notice); filter(f_not_authpriv);
>> filter(not_ntpd); destination(messages); };
>> log { source(src); filter(f_kern); filter(f_debug); filter(not_ntpd);
>> destination(messages); };
>> log { source(src); filter(f_lpr); filter(f_info); destination(messages);
>> };
>> log { source(src); filter(f_mail); filter(f_crit); destination(messages);
>> };
>>
>> Yet the lines for ntpd still seem to pass through to the logfile.
>>
>> Feb 23 09:20:48 magpie-shn1e1324 ntpd[37397]: synchronized to 10.2.253.22, stratum 1
>> Feb 23 09:20:49 magpie-shn1f1318 ntpd[729]: kernel time sync status change 2001
>>
>> Any thoughts?
>> -- Evan
>>
>
>
> --
> pzolee
>
>
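
Another way to apply the final flag discussed above, shown as an added example (not configuration posted by anyone in this thread): a log statement that matches only ntpd, has no destination, and sits before the other log statements. The filter name f_ntpd is hypothetical; src, messages and the other f_* filters are the names used in the post and are assumed to be defined elsewhere in the configuration.

```conf
# Added example, not from the thread. f_ntpd is a hypothetical filter name.
# src, messages and the f_* filters below are assumed to be defined
# elsewhere in syslog-ng.conf, as in the post.

# Positive match on the program name field of the message.
filter f_ntpd { program("ntpd"); };

# Discard path: no destination, so nothing is written. flags(final) ends
# processing for every message that matches this statement, so log
# statements that appear later in the file never see ntpd messages.
# It must come before any log statement that could deliver them.
log { source(src); filter(f_ntpd); flags(final); };

# The remaining paths no longer need filter(not_ntpd).
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
```

flags(final) only affects messages that match the statement carrying it; a message rejected by that statement's filters continues to the later log statements. Because the discard path stops all later processing, ntpd messages will also be absent from any other destination fed by later log statements.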