[syslog-ng] syslog-ng 3.5.1 - question about flags(final)...
Johnson, Chris (HP TippingPoint Roseville)
chris.johnson3 at hp.com
Mon Nov 18 23:02:25 CET 2013
Hello all,
I'm in the process of upgrading from version 3.3.9 to 3.5.1 and have a question about how the 'flags(final);' is working in 3.5.1.
In 3.3.9, I use the following structure of embedded log statements:
################################################################################
# Service ipsec
#
filter f_ipsec_pgm{program("IPSEC-*" type("glob"))
                or program("IKE-*" type("glob"))
                or program("CHARON-*" type("glob"))
                or program("charon-*" type("glob"));
};
filter f_ipsec_lvl_01{level(warning..emerg)};
filter f_ipsec_lvl_02{level(info..emerg)};
log {
    source(s_local);
    filter(f_ipsec_pgm);
    log {
        filter(f_ipsec_lvl_01);
        destination(d_logID_11);
    };
    log {
        filter(f_ipsec_lvl_02);
        rewrite(r_quote_newlines);
        destination(d_logID_13);
    };
    flags(final);
};
In this case log messages of the 'correct' program would further be filtered on their severity level.
* Info level messages would only be sent to 'd_logID_13'
* Warning level messages (and above) would be sent to BOTH 'd_logID_11' and 'd_logID_13'.
* Debug level messages would be discarded.
Under 3.5.1, the 'filtering' stops after it matches once:
* Warning messages (and above) are only sent to 'd_logID_11' and NOT 'd_logID_13'.
* Info messages are still (correctly) being sent only to 'd_logID_13'.
If I remove (or comment out) the 'flags(final);' statement, messages are filtered correctly (i.e. the way I *want* them to be filtered :)) except that they also are being processed by all the following log statements and are being caught in my final filter of 'program("*" type("glob"))'.
NOTE: yes, I know that I could use 'flags(fallback)' in my final filter, but that would still have every message processed by every log filter, and I would like to avoid that.
So, what would be the correct way to set up my log statement to re-create the 3.3 behavior?
Thanks,
Chris
----------------------------------------
Christopher Johnson
chris.johnson3 at hp.com
HP Software - Security Product Group
(916) 785-2817
----------------------------------------
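The two routing outcomes reported in the message above, as an added example that is not part of the original post and is not syslog-ng code. It is a small Python model built only from the behaviour the poster describes; the function names and the sample program name "charon-custom" are constructed for illustration.

```python
from fnmatch import fnmatchcase

# syslog severities, least to most severe
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Globs from the f_ipsec_pgm filter in the post
PROGRAM_GLOBS = ["IPSEC-*", "IKE-*", "CHARON-*", "charon-*"]

# Embedded log statements in the order they appear in the post:
# (lowest level accepted, destination)
EMBEDDED = [
    ("warning", "d_logID_11"),  # f_ipsec_lvl_01: level(warning..emerg)
    ("info", "d_logID_13"),     # f_ipsec_lvl_02: level(info..emerg)
]

def level_in_range(level, lowest):
    """True if level is at or above lowest (the upper bound is always emerg)."""
    return LEVELS.index(level) >= LEVELS.index(lowest)

def route(program, level, stop_after_first_match):
    """Return the destinations a message reaches.

    stop_after_first_match=False models what the post reports for 3.3.9;
    True models what it reports for 3.5.1 with flags(final) set.
    """
    if not any(fnmatchcase(program, g) for g in PROGRAM_GLOBS):
        return []
    hits = []
    for lowest, dest in EMBEDDED:
        if level_in_range(level, lowest):
            hits.append(dest)
            if stop_after_first_match:
                break
    return hits

def routing_diff(program="charon-custom"):
    """Levels whose destinations differ between the two reported behaviours."""
    diff = {}
    for level in LEVELS:
        old = route(program, level, False)
        new = route(program, level, True)
        if old != new:
            diff[level] = (old, new)
    return diff

if __name__ == "__main__":
    for level, (old, new) in routing_diff().items():
        print(f"{level}: 3.3.9 -> {old}, 3.5.1 -> {new}")
```

Run as a script, it lists the severities that no longer reach 'd_logID_13' under the reported 3.5.1 behaviour, which is the set to re-test after any configuration change.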