[syslog-ng] problem with filtering in syslog-ng

Lance Laursen lance at demonware.net
Tue Feb 23 23:57:50 CET 2010


You are defining many log statements for the same source and destination
pair. This is unnecessary and likely causing problems. Since you have one
source (src) that you want to apply many filters to prior to writing out to
(message), you should be consolidating all of your source(src)
destination(messages) into one log command:

log { source(src); filter(not_ntpd); filter(f_notice);
filter(f_not_authpriv); filter(f_kern); filter(f_debug); filter(f_lpr);
filter(f_info); filter(f_mail); filter(f_crit); destination(messages); };

If you want to log to files like /var/log/mail and /var/log/kern.log AS WELL
as /var/log/messages, you can use that statement as-is. If you just want
everything from source(src) to log to /var/log/messages, put a flags(final);
at the end of your log statement, or just simplify and consolidate your log
statement to:

log { source(src); filter(not_ntpd); filter(f_not_authpriv);
destination(messages); };

Remember the placement of your log statement containing flags(final); above
or below your other log statements matters. If syslog-ng matches something
and then sees a flags(final);, it will no longer write that log entry out to
any other file afterwards.


On Tue, Feb 23, 2010 at 6:22 AM, Evan Baer <evan.d.baer at gmail.com> wrote:

> Hello,
>
> I'm trying to exclude ntpd update messages from /var/log/messages.
>
> I have created a filter like so:
>    filter not_ntpd { not program("ntpd*"); };
>
> And implemented it in my log lines:
>
> log { source(src); filter(not_ntpd); destination(messages); };
> log { source(src); filter(f_notice); filter(f_not_authpriv);
> filter(not_ntpd); destination(messages); };
> log { source(src); filter(f_kern); filter(f_debug); filter(not_ntpd);
> destination(messages); };
> log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
> log { source(src); filter(f_mail); filter(f_crit); destination(messages);
> };
>
> Yet the lines for ntpd still seem to pass through to the logfile.
>
> Feb 23 09:20:48 magpie-shn1e1324 ntpd[37397]: synchronized to
> 10.2.253.22, stratum 1
> Feb 23 09:20:49 magpie-shn1f1318 ntpd[729]: kernel time sync status change
> 2001
>
> Any thoughts?
>    -- Evan
>



-- 
Lance Laursen
Demonware Systems Engineer
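As an added illustration (not part of the thread, and not syslog-ng's own code), the following Python model reproduces the three rules the reply above relies on: filters listed in one log statement are ANDed, every log statement is evaluated independently for each message, and a matching statement that carries flags(final) stops further matching. The f_* filter definitions are assumed, since the thread never shows how they were declared, and the facility and level attached to the ntpd sample line are constructed.

```python
# Added example: a toy model of syslog-ng log-path evaluation.  It is not
# syslog-ng code; it only mimics the documented semantics so the effect of
# separate vs. consolidated log statements and of flags(final) can be seen.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Msg:
    program: str
    facility: str
    level: str
    text: str


# Assumed definitions standing in for the filter names used in the thread.
# program() in syslog-ng takes a regular expression, hence re.search().
FILTERS: Dict[str, Callable[[Msg], bool]] = {
    "not_ntpd": lambda m: re.search(r"ntpd*", m.program) is None,
    "f_notice": lambda m: m.level == "notice",
    "f_info": lambda m: m.level == "info",
    "f_debug": lambda m: m.level == "debug",
    "f_crit": lambda m: m.level == "crit",
    "f_not_authpriv": lambda m: m.facility != "authpriv",
    "f_kern": lambda m: m.facility == "kern",
    "f_lpr": lambda m: m.facility == "lpr",
    "f_mail": lambda m: m.facility == "mail",
}


@dataclass(frozen=True)
class LogPath:
    filters: Tuple[str, ...]   # filter() references inside one log { }
    destination: str
    final: bool = False        # flags(final) present?


def route(msg: Msg, paths: List[LogPath]) -> List[str]:
    """Return the destinations a message is written to, in order.

    Filters inside one statement are ANDed; every statement is tried in the
    order it appears; a matching statement with flags(final) ends evaluation.
    """
    hits: List[str] = []
    for path in paths:
        if all(FILTERS[name](msg) for name in path.filters):
            hits.append(path.destination)
            if path.final:
                break
    return hits


# Constructed sample messages.  The ntpd text is from the thread; its
# facility/level and the other two lines are made up for the example.
NTPD = Msg("ntpd", "daemon", "info", "synchronized to 10.2.253.22, stratum 1")
KERNEL = Msg("kernel", "kern", "debug", "constructed kernel debug line")
SSHD = Msg("sshd", "authpriv", "info", "constructed authpriv line")
SAMPLES = (NTPD, KERNEL, SSHD)


def separate_statements() -> Dict[str, List[str]]:
    """Several statements for the same source/destination pair, only one of
    which carries not_ntpd: the ntpd line still reaches messages through
    the statement that lacks the filter, and sshd is written twice."""
    paths = [
        LogPath(("not_ntpd",), "messages"),
        LogPath(("f_kern", "f_debug"), "kern.log"),
        LogPath(("f_info",), "messages"),      # no not_ntpd here
    ]
    return {m.program: route(m, paths) for m in SAMPLES}


def consolidated(final_first: bool) -> Dict[str, List[str]]:
    """The simplified messages statement from the reply, with flags(final),
    placed either before or after a kern.log statement."""
    messages = LogPath(("not_ntpd", "f_not_authpriv"), "messages", final=True)
    kern = LogPath(("f_kern", "f_debug"), "kern.log")
    paths = [messages, kern] if final_first else [kern, messages]
    return {m.program: route(m, paths) for m in SAMPLES}


def anded_facilities() -> List[str]:
    """Facility filters for different facilities in one statement are ANDed,
    so no message can satisfy all of them at once."""
    return route(KERNEL, [LogPath(("f_kern", "f_mail", "f_lpr"), "messages")])


if __name__ == "__main__":
    print("separate statements:", separate_statements())
    print("final statement first:", consolidated(True))
    print("final statement last: ", consolidated(False))
    print("kern AND mail AND lpr:", anded_facilities())
```

Running the model shows the kernel line reaching only messages when the flags(final) statement comes first, and both kern.log and messages when it comes last, which is the ordering point made in the reply; it also makes visible that a message matched by two separate statements with the same destination is written to that file twice.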