[syslog-ng] syslog-ng 3.5.1 - question about flags(final)...

Mon Nov 25 23:36:16 CET 2013

*ping* :)

Chris

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Tuesday, November 19, 2013 4:21 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng 3.5.1 - question about flags(final)...

Hi,

This seems to be a bug. I'll have to put it aside for now, but I'll try to work on this ASAP. Just Evan also posted some details about a bug of his and I'd like to work on that first.

If you don't hear from me in 2 days, feel free to ping me.

Cheers,
Bazsi

On Mon, 2013-11-18 at 22:02 +0000, Johnson, Chris (HP TippingPoint
Roseville) wrote:
> Hello all,
> 
>  
> 
> I'm in the process of upgrading from version 3.3.9 to 3.5.1 and have a 
> question about how the 'flags(final);' is working in 3.5.1.
> 
>  
> 
> In 3.3.9, I use the following structure of imbedded log statements:
> 
> ######################################################################
> ##########
> 
> # Service ipsec
> 
> #
> 
> filter f_ipsec_pgm{program("IPSEC-*" type("glob"))
> 
>         or program("IKE-*" type("glob"))
> 
>         or program("CHARON-*" type("glob"))
> 
>         or program("charon-*" type("glob"));
> 
> };
> 
> filter f_ipsec_lvl_01{level(warning..emerg)};
> 
> filter f_ipsec_lvl_02{level(info..emerg)};
> 
> log {
> 
>         source(s_local);
> 
>         filter(f_ipsec_pgm);
> 
>         log {
> 
>                 filter(f_ipsec_lvl_01);
> 
>                 destination(d_logID_11);
> 
>         };
> 
>         log {
> 
>                 filter(f_ipsec_lvl_02);
> 
>                 rewrite(r_quote_newlines);
> 
>                 destination(d_logID_13);
> 
>         };
> 
>         flags(final);
> 
> };
> 
>  
> 
> In this case log messages of the 'correct' program would further be 
> filtered on their severity level.
> 
> ·        Info level messages would only be sent to 'd_logID_13'
> 
> ·        Warning level messages (and above) would be sent to BOTH
> 'd_logID_11' and 'd_logID_13'.
> 
> ·        Debug level messages would be discarded.
> 
> Under 3.5.1, the 'filtering ' stops after it matches once:
> 
> ·        Warning messages (and above) are only sent to 'd_logID_11'
> and NOT 'd_logID_13'.
> 
> ·        Info messages are still (correctly) being sent only to
> 'd_logID_13'.
> 
> If I remove (or comment out) the 'flags(final);' statement, messages 
> are filtered correctly (i.e. the way I *want* them to be filtered J)
> 
> except that they also are being processed by all the following log 
> statements and are being caught in my final filter of 'program("*"
> type("glob"))'.
> 
> NOTE: yes, I know that I could use 'flags(fallback)' in my final 
> filter, but that would still have every message processed by every log 
> filter, and I would like to avoid that.
> 
>  
> 
> So, what would be the correct way to set up my log statement to 
> re-create the 3.3 behavior?

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq