[syslog-ng] Question about syntax for source

[Matthew Hall]

On Fri, Apr 08, 2011 at 11:52:19AM -0500, Phusion wrote:
> I'm still having problems getting the kernel messages. I currently
> have the following. This is 3.1.1 in OpenBSD 4.8.
> 
> @version: 3.0
> options { keep_hostname(yes); long_hostnames(off); flush_lines(0); };
> source local { internal(); pipe("/dev/klog"
> program_override("kernel")); unix-dgram("/dev/log"); };
> destination ls_kernel { file("/var/log/kernel.log"); };
> filter f_kernel { match("kernel" value("MESSAGE")); };
> filter f_server { host("server"); };
> log { source(local); filter(f_server); filter(f_kernel);
> destination(ls_kernel); };
> 
> Please advise.
> Phusion

My advice: take a default config file from $BSD.

Then back up yours and replace it.

See if you can get it to work with the default file before proceeding 
with a custom file.

Enable foreground operation and some verbose stderr logging to watch 
what it does when it works:

  -F, --foreground    Do not go into the background after initialization

Log options
  -v, --verbose    Be a bit more verbose
  -d, --debug      Enable debug messages
  -t, --trace      Enable trace messages
  -e, --stderr     Log messages to stderr

Basically, start from the absolute basics and work your way up from 
there to your custom setup.

I think that your filters could be backwards from what you want because 
matching against a filter means it gets filtered out.

The debug logs will help you verify these things. You also want to read 
the manual to verify the meaning of every config option you are using in 
case they have unexpected side effects.

Matthew.