[syslog-ng] Confusion on number of filters
James Lay
jlay at slave-tothe-box.net
Thu Jan 15 21:22:23 CET 2015
Hey all,
Here's what I have...one source:
    source s_local {
        unix-stream("/dev/log");
        udp(ip(0.0.0.0) port(514));
        tcp(ip(0.0.0.0) port(514));
        file("/proc/kmsg");
    };
three destinations:
    destination d_file { file("/var/log/messages"); };
    destination d_syslogserver { udp ("x.x.x.x", port(514)); };
    destination d_logontype { udp ("x.x.x.x", port(515)); };
and a few filters:
    filter f_syslogfilter {
        message("0x0004")
    };
    filter f_firewall {
        program("firewall")
    };
    filter f_logontype {
        message("Logon")
    };
With the below log entry, running with -F -d, I will only get the first
two of the three filters evaluated:
    log {
        source(s_local);
        filter(f_syslogfilter);
        destination(d_file);
        filter(f_firewall);
        destination(d_syslogserver);
        filter(f_logontype);
        destination(d_logontype);
    };
but after splitting them out I see all three evaluated:
    log {
        source(s_local);
        filter(f_syslogfilter);
        destination(d_file);
    };
    log {
        source(s_local);
        filter(f_firewall);
        destination(d_syslogserver);
    };
    log {
        source(s_local);
        # names corrected to match the f_logontype / d_logontype definitions above
        filter(f_logontype);
        destination(d_logontype);
    };
Is there a reason or limit or documentation for this? I can verify
that the log entry passed for "Logon" in my testing didn't match the
previous two filters. Version is 3.3.11. Thank you.
James
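The behaviour James is seeing follows from how syslog-ng walks a single log statement: elements are processed in order, and a message that fails a filter leaves that log path at that point, so the remaining filters in the same path are never evaluated and the remaining destinations never receive it (multiple filters in one path are therefore a logical AND). The short simulator below is an added illustration and is not part of the original post or of syslog-ng; it assumes message() and program() behave as regular-expression searches, and the three sample log lines are constructed for the example.

```python
"""Simulate syslog-ng log-path evaluation order (added illustration, not syslog-ng code)."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample messages standing in for what s_local would deliver.
SAMPLE_MESSAGES = [
    {"program": "kernel",   "message": "event id 0x0004 raised by driver"},
    {"program": "firewall", "message": "DROP IN=eth0 code 0x0004"},
    {"program": "winlog",   "message": "Logon Type 10 for user alice"},
]

# Filters named as in the post; assumption: message()/program() are regex searches.
FILTERS: Dict[str, Callable[[dict], bool]] = {
    "f_syslogfilter": lambda m: re.search("0x0004", m["message"]) is not None,
    "f_firewall":     lambda m: re.search("firewall", m["program"]) is not None,
    "f_logontype":    lambda m: re.search("Logon", m["message"]) is not None,
}

# A log path is an ordered list of ("filter", name) / ("destination", name) elements.
COMBINED_PATH = [
    ("filter", "f_syslogfilter"), ("destination", "d_file"),
    ("filter", "f_firewall"),     ("destination", "d_syslogserver"),
    ("filter", "f_logontype"),    ("destination", "d_logontype"),
]
SPLIT_PATHS = [
    [("filter", "f_syslogfilter"), ("destination", "d_file")],
    [("filter", "f_firewall"),     ("destination", "d_syslogserver")],
    [("filter", "f_logontype"),    ("destination", "d_logontype")],
]


def run_path(path: List[Tuple[str, str]], msg: dict) -> Tuple[List[str], List[str]]:
    """Walk one log path in order for one message.

    Returns (filters evaluated, destinations that received the message).
    A filter that does not match ends the path for this message, so later
    filters are never evaluated and later destinations never see it.
    """
    evaluated: List[str] = []
    delivered: List[str] = []
    for kind, name in path:
        if kind == "filter":
            evaluated.append(name)
            if not FILTERS[name](msg):
                break          # message leaves this log path here
        else:
            delivered.append(name)
    return evaluated, delivered


def run_config(paths: List[List[Tuple[str, str]]], msg: dict) -> Tuple[List[str], List[str]]:
    """Every log path sees every message from the shared source independently."""
    evaluated: List[str] = []
    delivered: List[str] = []
    for path in paths:
        e, d = run_path(path, msg)
        evaluated.extend(e)
        delivered.extend(d)
    return evaluated, delivered


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["message"])
        print("  one combined path :", run_path(COMBINED_PATH, msg))
        print("  three split paths :", run_config(SPLIT_PATHS, msg))
```

Run against the constructed "Logon" line, the combined path evaluates only f_syslogfilter and delivers nothing, while the three split paths evaluate all three filters and deliver to d_logontype; the "0x0004" kernel line shows the "first two evaluated, third not" pattern from the post. For a collector this matters operationally: a downstream destination such as the logon-type feed silently receives nothing, with no error, when its filter sits behind an unrelated filter in the same path, so independent feeds belong in independent log statements.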