[syslog-ng] Confusion on number of filters
James Lay
jlay at slave-tothe-box.net
Fri Jan 16 18:47:38 CET 2015
On 2015-01-16 10:38 AM, Evan Rempel wrote:
> In my environment I use the structure
>
> log { source(s_local);
>
> log { filter(f_syslogfilter); destination(d_file); };
> log { filter(f_firewall); destination(d_syslogserver); };
> log { filter(f_logontype10); destination(d_logontype10); };
> };
>
>
> with great success.
>
> On 01/16/2015 09:26 AM, James Lay wrote:
>> On 2015-01-15 01:22 PM, James Lay wrote:
>>> Hey all,
>>>
>>> Here's what I have...one source:
>>>
>>> source s_local {
>>> unix-stream("/dev/log");
>>> udp(ip(0.0.0.0) port(514));
>>> tcp(ip(0.0.0.0) port(514));
>>> file("/proc/kmsg");
>>> };
>>>
>>>
>>> three destinations:
>>> destination d_file { file("/var/log/messages"); };
>>> destination d_syslogserver { udp ("x.x.x.x", port(514)); };
>>> destination d_logontype { udp ("x.x.x.x", port(515)); };
>>>
>>>
>>> and a few filters:
>>> filter f_syslogfilter {
>>> message("0x0004")
>>> };
>>>
>>> filter f_firewall {
>>> program("firewall")
>>> };
>>>
>>> filter f_logontype {
>>> message("Logon")
>>> };
>>>
>>>
>>> With the below log entry running with -F -d, I will only get the
>>> first 2 of the three filters evaluated:
>>> log {
>>> source(s_local);
>>> filter(f_syslogfilter);
>>> destination(d_file);
>>> filter(f_firewall);
>>> destination(d_syslogserver);
>>> filter(f_logontype);
>>> destination(d_logontype);
>>> };
>>>
>>> but after splitting them out I see all three evaluated:
>>>
>>> log {
>>> source(s_local);
>>> filter(f_syslogfilter);
>>> destination(d_file);
>>> };
>>>
>>> log {
>>> source(s_local);
>>> filter(f_firewall);
>>> destination(d_syslogserver);
>>> };
>>>
>>> log {
>>> source(s_local);
>>> filter(f_logontype10);
>>> destination(d_logontype10);
>>> };
>>>
>>> Is there a reason or limit or documentation for this? I can verify
>>> that the log entry passed for "Logon" in my testing didn't match the
>>> previous two filters. Version is 3.3.11. Thank you.
>>>
>>> James
>> So more on this...in my production environment, the above splitting the
>> log entries didn't log anything after I put it in place. Does anyone
>> have any pointers for a single source, with multiple filters and
>> destinations? Thank you.
>>
>> James
Thank you...I will give that a shot.
James
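To make the difference between the two layouts concrete, here is an added Python model (my own code, not syslog-ng's and not from anyone in the thread) of how syslog-ng walks a log statement under the assumed semantics: filters listed in one log block are ANDed, a message that fails a filter goes no further in that block, and each embedded log block is evaluated on its own. The sample messages and the filter stand-ins are constructed for the demonstration.

```python
# Simplified model of how syslog-ng walks a log statement (assumed
# semantics, not syslog-ng code): elements run in order, every filter()
# in a block must match for the message to reach what follows it, a
# failing filter stops that path, and an embedded log {} block is
# evaluated on its own, so its filters cannot stop the enclosing path.

MESSAGES = [  # constructed sample messages, not taken from the thread
    {"program": "kernel",   "message": "packet 0x0004 dropped"},
    {"program": "firewall", "message": "0x0004 deny in on eth0"},
    {"program": "winlogon", "message": "Logon type 10 succeeded"},
]

# Stand-ins for the thread's f_syslogfilter, f_firewall and f_logontype.
FILTERS = {
    "f_syslogfilter": lambda m: "0x0004" in m["message"],
    "f_firewall": lambda m: m["program"] == "firewall",
    "f_logontype": lambda m: "Logon" in m["message"],
}

# A path is a list of ("filter", name), ("destination", name) or ("log", path).
FLAT = [("filter", "f_syslogfilter"), ("destination", "d_file"),
        ("filter", "f_firewall"), ("destination", "d_syslogserver"),
        ("filter", "f_logontype"), ("destination", "d_logontype")]
EMBEDDED = [("log", [("filter", "f_syslogfilter"), ("destination", "d_file")]),
            ("log", [("filter", "f_firewall"), ("destination", "d_syslogserver")]),
            ("log", [("filter", "f_logontype"), ("destination", "d_logontype")])]

def walk(path, msg, delivered):
    """Run one message through a path, appending each destination it reaches."""
    for kind, arg in path:
        if kind == "filter" and not FILTERS[arg](msg):
            return  # AND semantics: the first failing filter ends this path
        if kind == "destination":
            delivered.append(arg)
        elif kind == "log":
            walk(arg, msg, delivered)  # embedded block, evaluated independently

def deliveries(path, messages=MESSAGES):
    """Map each destination to the indices of the messages it received."""
    result = {}
    for i, msg in enumerate(messages):
        delivered = []
        walk(path, msg, delivered)
        for dest in delivered:
            result.setdefault(dest, []).append(i)
    return result

if __name__ == "__main__":
    print("flat:    ", deliveries(FLAT))      # d_logontype never receives anything
    print("embedded:", deliveries(EMBEDDED))  # each destination gets its own match
```

Note also that the split configuration quoted above references f_logontype10 and d_logontype10 while the definitions quoted are f_logontype and d_logontype; syslog-ng refuses to load a configuration that references an undefined filter or destination, which is worth ruling out when a rewrite stops logging entirely.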