[syslog-ng] problem with filtering in syslog-ng

Balazs Scheidler bazsi at balabit.hu
Sat Mar 6 11:01:30 CET 2010

On Tue, 2010-02-23 at 14:57 -0800, Lance Laursen wrote:
> You are defining many log statements for the same source and
> destination pair. This is unnecessary and likely causing problems.
> Since you have one source (src) that you want to apply many filters to
> prior to writing out to (message), you should be consolidating all of
> your source(src) destination(messages) into one log command:
> log { source(src); filter(not_ntpd); filter(f_notice);
> filter(f_not_authpriv); filter(f_kern); filter(f_debug);
> filter(f_lpr); filter(f_info); filter(f_mail); filter(f_crit);
> destination(messages); };
> If you want to log to files like /var/log/mail and /var/log/kern.log
> AS WELL as /var/log/messages, you can use that statement as-is. If you
> just want everything from source(src) to log to /var/log/messages, put
> a flags(final); at the end of your log statement, or just simplify and
> consolidate your log statement to:
> log { source(src); filter(not_ntpd); filter(f_not_authpriv);
> destination(messages); };
> Remember the placement of your log statement containing flags(final);
> above or below your other log statements matters. If syslog-ng matches
> something and then sees a flags(final);, it will no longer write that
> log entry out to any other file afterwards.

It might also be useful to know that syslog-ng starting with 3.0
supports embedded log statements, e.g. you can do things like:

log { source(src); filter(f_filter1);
	log { filter(f_filter2); destination(d_dst1); };
	log { filter(f_filter3); destination(d_dst2); };

e.g. d_dst1 would receive filter1 && filter2
     d_dst2 would receive filter1 && filter3

this will reduce the number of "final" flags needed for a given
configuration, and also reduce the number of operations needed to
process a message.


More information about the syslog-ng mailing list