[syslog-ng] Confusion on number of filters

Sandor Geller sandor.geller at ericsson.com
Fri Jan 16 09:40:13 CET 2015 

Hi!

On 01/15/2015 09:22 PM, James Lay wrote:
> Hey all,
>
> Here's what I have...one source:
>
> source s_local {
>           unix-stream("/dev/log");
>           udp(ip(0.0.0.0) port(514));
>           tcp(ip(0.0.0.0) port(514));
>           file("/proc/kmsg");
> };

Just an FYI but this config should get updated. You could use the 
system() driver which will preoperly set up /dev/log and /proc/kmsg on 
linux.

> three destinations:
> destination d_file { file("/var/log/messages"); };
> destination d_syslogserver { udp ("x.x.x.x", port(514)); };
> destination d_logontype { udp ("x.x.x.x", port(515)); };
>
>
> and a few filters:
> filter f_syslogfilter {
>           message("0x0004")
> };
>
> filter f_firewall {
>           program("firewall")
> };
>
> filter f_logontype {
>           message("Logon")
> };
>
>
> With the below log entry running with -F -d, I will only get the first
> 2 of the three filters evaluated:
> log {
>           source(s_local);
>           filter(f_syslogfilter);
>           destination(d_file);
>           filter(f_firewall);
>           destination(d_syslogserver);
>           filter(f_logontype);
>           destination(d_logontype);
> };

In this log statement when a filter does *NOT* match then further 
filters aren't evaluated.

> but after splitting them out I see all three evaluated:
>
> log {
>           source(s_local);
>           filter(f_syslogfilter);
>           destination(d_file);
> };
>
> log {
>           source(s_local);
>           filter(f_firewall);
>           destination(d_syslogserver);
> };
>
> log {
>           source(s_local);
>           filter(f_logontype10);
>           destination(d_logontype10);
> };
>
> Is there a reason or limit or documentation for this?  I can verify
> that the log entry passed for "Logon" in my testing didn't match the
> previous two filters.  Version is 3.3.11.  Thank you.

Your two configs aren't equivalent. See section 8.3.1 of the 3.6 OSE 
admin guide how filters are evaluated. The guide also contains how to 
use embedded log statements, I guess this is what you were after with 
the first configuration.

hth,

Sandor

More information about the syslog-ng mailing list