[syslog-ng] problem with filtering in syslog-ng
Fegan, Joe
Joe.Fegan at hp.com
Tue Feb 23 20:03:35 CET 2010
> log { source(src); filter(f_notice); filter(f_not_authpriv);
> filter(not_ntpd); destination(messages); flags(final); };
Question for everyone: If you have multiple filters in a single log statement does syslog-ng "OR" them or does it "AND" them? The former might explain this behaviour...
Joe.
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Baer
Sent: 23 February 2010 15:59
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] problem with filtering in syslog-ng
Same result, the ntpd lines still make it through.
On Tue, Feb 23, 2010 at 10:09 AM, Fegan, Joe <Joe.Fegan at hp.com> wrote:
> Try it without the *
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Baer
> Sent: 23 February 2010 14:57
> To: Zoltán Pallagi
> Cc: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] problem with filtering in syslog-ng
>
> The ntpd lines are still falling through. Should I include the
> final() syntax on all my log lines?
>
> filter not_ntpd { not program("ntpd*"); };
>
> log { source(src); filter(f_notice); filter(f_not_authpriv);
> filter(not_ntpd); destination(messages); flags(final); };
> log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
> log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
> log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
>
> Here is an example of what we still see in the logs:
>
> Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on interface #2
> lo0, 127.0.0.1#123 Enabled
> Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on routing
> socket on fd #23 for interface updates
>
>
> On Tue, Feb 23, 2010 at 9:40 AM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
>> Hi Evan,
>>
>> use the final flag in this log path.
>> For example:
>>
>> log { source(src); filter(f_kern); filter(f_debug); filter(not_ntpd);
>> destination(messages); flags(final); };
>>
>> For more information see our documentation:
>> http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s03.html
>>
>> Evan Baer wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to exclude ntpd update messages from /var/log/messages.
>>>
>>> I have created a filter like so:
>>> filter not_ntpd { not program("ntpd*"); };
>>>
>>> And implemented it in my log lines:
>>>
>>> log { source(src); filter(not_ntpd); destination(messages); };
>>> log { source(src); filter(f_notice); filter(f_not_authpriv);
>>> filter(not_ntpd); destination(messages); };
>>> log { source(src); filter(f_kern); filter(f_debug); filter(not_ntpd);
>>> destination(messages); };
>>> log { source(src); filter(f_lpr); filter(f_info); destination(messages);
>>> };
>>> log { source(src); filter(f_mail); filter(f_crit); destination(messages);
>>> };
>>>
>>> Yet the lines for ntpd still seem to pass through to the logfile.
>>>
>>> Feb 23 09:20:48 magpie-shn1e1324 ntpd[37397]: synchronized to
>>> 10.2.253.22, stratum 1
>>> Feb 23 09:20:49 magpie-shn1f1318 ntpd[729]: kernel time sync status change
>>> 2001
>>>
>>> Any thoughts?
>>> -- Evan
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>
>>
>>
>> --
>> pzolee
>>
>>
>
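On the AND/OR question: syslog-ng ANDs multiple filter() references in one log statement, and flags(final) only ends processing for messages that matched that statement. The following is an added example, not part of the thread, that discards ntpd messages once, ahead of every other path; `f_ntpd` is a hypothetical name, and `src`, `messages` and the other filters are assumed to be defined as in the poster's configuration.

```conf
# Added example; f_ntpd is a hypothetical filter name. The source, destination
# and remaining filters are assumed to exist as in the thread's configuration.

# program() takes a regular expression by default, so no trailing "*" is needed.
filter f_ntpd { program("ntpd"); };

# Drop path: no destination plus flags(final). A message that matches f_ntpd
# stops here and is not evaluated by any log statement further down, so this
# statement has to come before the others.
log { source(src); filter(f_ntpd); flags(final); };

# Several filter() references in one statement are ANDed: a message must pass
# all of them. A per-path not_ntpd only keeps ntpd out of that one path; a
# message it rejects is still offered to every later log statement.
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
```

Validate the file with `syslog-ng --syntax-only` before reloading, then send a test line with `logger -t ntpd test` and confirm it does not reach the destination.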