[syslog-ng] problem with filtering in syslog-ng

Jerry Bell jerry at nrdx.com
Tue Feb 23 23:50:48 CET 2010


I am suspicious that the program() filter is not working as expected on 
these logs.  Can you try to create a separate log file for just ntpd 
logs like this?

filter ntpd {program("ntpd"); };
destination d_ntpd { file("/var/log/ntpdtest"); };
log { source(src); filter(ntpd); destination(d_ntpd); };


That would tell us whether the program filter is actually interpreting 
the program field properly for these logs.

Jerry

On 2/23/2010 10:58 AM, Evan Baer wrote:
> Same result, the ntpd lines still make it through.
>
>
> On Tue, Feb 23, 2010 at 10:09 AM, Fegan, Joe <Joe.Fegan at hp.com> wrote:
>
>> Try it without the *
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Baer
>> Sent: 23 February 2010 14:57
>> To: Zoltán Pallagi
>> Cc: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] problem with filtering in syslog-ng
>>
>> The ntpd lines are still falling through.  Should I include the
>> final() syntax on all my log lines?
>>
>> filter not_ntpd { not program("ntpd*"); };
>>
>> log { source(src); filter(f_notice); filter(f_not_authpriv);
>> filter(not_ntpd); destination(messages); flags(final); };
>> log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
>> log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
>> log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
>>
>> Here is an example of what we still see in the logs:
>>
>> Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on interface #2
>> lo0, 127.0.0.1#123 Enabled
>> Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on routing
>> socket on fd #23 for interface updates
>>
>>
>>      
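
Added example, not part of the original thread and not syslog-ng code: a simplified Python model of what the suggested test checks, namely which program name is extracted from the quoted ntpd lines and how a negated program() filter then treats them. It assumes program() does an unanchored regular-expression search on the program field (Python's re stands in for the POSIX regex engine) and that a line with an unrecognised header ends up with an empty program name; the sshd, ntpdate and headerless lines are constructed.

```python
import re

# The two ntpd lines quoted in the thread (unwrapped), plus constructed lines.
NTPD_1 = ("Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on interface #2 "
          "lo0, 127.0.0.1#123 Enabled")
NTPD_2 = ("Feb 23 09:55:50 hobbit-shn1f0503 ntpd[729]: Listening on routing "
          "socket on fd #23 for interface updates")
SSHD = "Feb 23 09:55:51 hobbit-shn1f0503 sshd[812]: Server listening on port 22"  # constructed
NTPDATE = "Feb 23 09:55:52 hobbit-shn1f0503 ntpdate[901]: step time server"       # constructed
NO_HEADER = "ntpd 729 Listening on routing socket"                               # constructed

# BSD-syslog header: "Mmm dd hh:mm:ss host program[pid]:" (pid is optional).
HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "   # timestamp
    r"\S+ "                                        # host
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?:"         # program name, optional [pid]
)

def program_of(line):
    """Return the program field, or "" when the header is not recognised
    (assumption: models a message whose program name was not parsed)."""
    m = HEADER.match(line)
    return m.group("program") if m else ""

def passes_not_program(pattern, line):
    """Model of `filter x { not program("pattern"); };`.
    True means the line passes the filter and reaches the destination."""
    return re.search(pattern, program_of(line)) is None

def report(pattern, lines):
    """(program, passes) for each line, for side-by-side comparison."""
    return [(program_of(l), passes_not_program(pattern, l)) for l in lines]

if __name__ == "__main__":
    for pat in ("ntpd", "ntpd*"):
        print(pat, report(pat, [NTPD_1, NTPD_2, SSHD, NTPDATE, NO_HEADER]))
```

With a correctly parsed header, both "ntpd" and "ntpd*" exclude the quoted lines, so lines that still get through point at the program field not being what the filter expects, which is what the separate ntpdtest file would reveal.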


