[syslog-ng] replacing log statements
Scheidler, Balázs
balazs.scheidler at oneidentity.com
Wed Mar 6 15:55:40 UTC 2019
Hi,
In this use-case I would recommend using the "final" flag, e.g. you do this:
log { source(sys); filter(f_cyrus); destination(cyrus); flags(final); };
log { source(sys); filter(f_mesgs); destination(mesg); };
And then, the mesg destination will only receive messages that:
1) cyrus related log statement didn't match
2) and it matches f_mesgs
With this structure you only have to add new log statements (in proper
order though) and don't have to change the "catch-all" log statement at the
end.
It also performs much better and the configuration is more readable.
Bazsi
On Wed, Mar 6, 2019 at 3:01 PM Sergey <a_s_y at sama.ru> wrote:
> On Wednesday 06 March 2019, you wrote:
>
> > Could you share your use case, where you wanted to "replace" log blocks?
>
> My use case is the reducing /var/log/messages when new software installed.
> This can be implemented through the filter override but not so visual.
>
> For example a base config:
>
> ==
> ...
> filter f_mesgs { level(info) and not facility(mail,authpriv); };
> destination mesg { file("/var/log/syslog/messages"); };
>
> log { source(sys); filter(f_mesgs); destination(mesg); };
> ...
> @include "/etc/syslog-ng/conf.d/*.conf"
> ==
>
> Then I install Cyrus-IMAP for example.
>
> == conf.d/cyrus-imap.conf ==
> ...
> filter f_cyrus { match("cyrus/"); };
> filter f_not_cyrus { not match("cyrus/"); };
> ...
> log { source(sys); filter(f_cyrus); destination(cyrus); };
> ==
>
> But some messages of Cyrus-IMAP is satisfy to the f_mesgs condition.
> I can redifine f_mesgs:
>
> filter f_mesgs { level(info) and not facility(mail,authpriv) and
> not match("cyrus/"); };
>
> But the log override is more succinctly:
>
> log { source(sys); filter(f_mesgs); filter (f_not_cyrus);
> destination(mesg); };
>
> In this example, the "f_not_cyrus" filter is simple but they can be
> more complex. The "f_mesg" filter can be difficult to read in the
> result.
>
> --
> Regards, Sergey
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190306/c958076c/attachment.html>
More information about the syslog-ng
mailing list