[syslog-ng] syslog-ng 3.5.1 - question about flags(final)...

Johnson, Chris (HP TippingPoint Roseville) chris.johnson3 at hp.com
Mon Nov 18 23:02:25 CET 2013 

Hello all,

I'm in the process of upgrading from version 3.3.9 to 3.5.1 and have a question about how the 'flags(final);' is working in 3.5.1.

In 3.3.9, I use the following structure of imbedded log statements:
################################################################################
# Service ipsec
#
filter f_ipsec_pgm{program("IPSEC-*" type("glob"))
        or program("IKE-*" type("glob"))
        or program("CHARON-*" type("glob"))
        or program("charon-*" type("glob"));
};
filter f_ipsec_lvl_01{level(warning..emerg)};
filter f_ipsec_lvl_02{level(info..emerg)};
log {
        source(s_local);
        filter(f_ipsec_pgm);
        log {
                filter(f_ipsec_lvl_01);
                destination(d_logID_11);
        };
        log {
                filter(f_ipsec_lvl_02);
                rewrite(r_quote_newlines);
                destination(d_logID_13);
        };
        flags(final);
};

In this case log messages of the 'correct' program would further be filtered on their severity level.

*         Info level messages would only be sent to 'd_logID_13'

*         Warning level messages (and above) would be sent to BOTH 'd_logID_11' and 'd_logID_13'.

*         Debug level messages would be discarded.
Under 3.5.1, the 'filtering ' stops after it matches once:

*         Warning messages (and above) are only sent to 'd_logID_11' and NOT 'd_logID_13'.

*         Info messages are still (correctly) being sent only to 'd_logID_13'.
If I remove (or comment out) the 'flags(final);' statement, messages are filtered correctly (i.e. the way I *want* them to be filtered :))
except that they also are being processed by all the following log statements and are being caught in my final filter of 'program("*" type("glob"))'.
NOTE: yes, I know that I could use 'flags(fallback)' in my final filter, but that would still have every message processed by every log filter, and I would like to avoid that.

So, what would be the correct way to set up my log statement to re-create the 3.3 behavior?

Thanks,
Chris

----------------------------------------
Christopher Johnson
chris.johnson3 at hp.com<mailto:chris.johnson3 at hp.com>
HP Software - Security Product Group
(916) 785-2817
----------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20131118/23151725/attachment-0001.htm

More information about the syslog-ng mailing list