[syslog-ng] seems like program filter is broken
Péter, Kókai
peter.kokai at oneidentity.com
Wed Mar 20 07:01:33 UTC 2019
Hello,
Is it possible that the *dovecot* application sends those logs via
*/dev/klog*? Because in your configuration for that source the program is
replaced with *kernel*.
I tried the *program* filter with FreeBSD 12 + syslog-ng 3.20.1 with the
following configuration:
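@version: 3.20

log {
    # internal() emits syslog-ng's own messages, whose program name is "syslog-ng"
    source { internal(); };
    if {
        # tag the message when the program() filter matches
        filter { program("syslog-ng"); };
        rewrite { set(":)" value(".FILTER")); };
    }
    else {
        rewrite { set(":(" value(".FILTER")); };
    };
    # print only the tag, so the output shows whether the filter matched
    destination { file("/dev/stdout" template("${.FILTER}\n")); };
};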
starting with syslog-ng -F
The result seemed to be positive => :)
--
Kokan
On Wed, Mar 20, 2019 at 4:41 AM Stanislav <me at rooty.name> wrote:
> Greetings,
>
> I'm getting this issue after my last package upgrade
>
> ======================================
> Name : syslog-ng
> Version : 3.20.1
> Installed on : Mon Mar 11 23:27:29 2019 EET
> Origin : sysutils/syslog-ng
> Architecture : FreeBSD:12:amd64
> Prefix : /usr/local
> Categories : sysutils
> Licenses :
> Maintainer : cy at FreeBSD.org
> WWW : http://www.syslog-ng.org/
> Comment : Powerful syslogd replacement
> Options :
> AMQP : off
> CURL : off
> DOCS : on
> GEOIP2 : off
> IPV6 : off
> JAVA : off
> JAVA_MOD : off
> JSON : on
> MONGO : off
> PYTHON : off
> REDIS : off
> RIEMANN : off
> SMTP : off
> SPOOF : off
> SQL : off
> TCP_WRAPPERS : off
> ======================================
>
>
>
> I have the following configuration:
>
> options { chain_hostnames(off); flush_lines(0); threaded(yes);
> create_dirs(yes); };
> source local {
> internal();
> unix-dgram( "/var/run/log" owner(root) group(wheel)
> perm(0666) );
> unix-dgram( "/var/run/logpriv" owner(root) group(wheel)
> perm(0600) );
> file( "/dev/klog" program_override("kernel") );
> };
> ...
> destination all { file("/var/log/all.log"); };
> destination maillog_mda { file("/var/log/maillog-mda"); };
> ...
> filter p_mail_imap { program("dovecot"); };
> ...
> log { source(local); destination(all); };
> log { source(local); filter(p_mail_imap); destination(maillog_mda); };
> ======================================
> # ps auxww|grep dovecot
> root 9648 0.0 0.1 13268 4196 - Is 00:46 0:00.04
> /usr/local/sbin/dovecot -c /usr/local/etc/dovecot/dovecot.conf
> dovecot 9651 0.0 0.0 12724 3784 - I 00:46 0:00.01
> anvil: [2 connections] (anvil)
> root 15259 0.0 0.0 12796 4168 - I 01:42 0:00.00
> dovecot/log
> root 16126 0.0 0.1 13744 5020 - I 01:52 0:00.02
> dovecot/config
> dovecot 16127 0.0 0.0 12724 4180 - I 01:52 0:00.01
> stats: [3 connections] (stats)
> dovecot 17328 0.0 0.1 21284 12276 - I 02:05 0:00.01
> auth: [0 wait, 0 passdb, 0 userdb] (auth)
> ======================================
> # syslog-ng -s
> # echo $?
> 0
> ======================================
>
> I'm getting logs from the dovecot program to /var/log/all.log but not to
> /var/log/maillog-mda. As I mentioned before, it was working on the previous
> version of syslog-ng.
> Does anybody have this issue? Just me, lucky?
>
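
A diagnostic configuration for checking the hypothesis raised in the reply above, added here as an example that is not part of either message: it writes the PROGRAM value and the originating source of every message to a file, and tags whether program("dovecot") matched. The statement names (s_log, s_logpriv, s_klog, d_debug, f_program_dovecot, f_mentions_dovecot) and the path /var/log/program-debug.log are assumptions; the source drivers and their options are copied from the quoted configuration.

```conf
@version: 3.20

# One source statement per driver, so ${SOURCE} in the template below shows
# which driver delivered each message.
source s_log     { unix-dgram("/var/run/log" owner(root) group(wheel) perm(0666)); };
source s_logpriv { unix-dgram("/var/run/logpriv" owner(root) group(wheel) perm(0600)); };
source s_klog    { file("/dev/klog" program_override("kernel")); };

# Hypothetical debug destination: one line per message with the fields that
# the program() filter depends on.
destination d_debug {
    file("/var/log/program-debug.log"
         template("${.FILTER} src=${SOURCE} program=[${PROGRAM}] pid=[${PID}] msg=[${MESSAGE}]\n"));
};

# The filter from the thread: matches on the parsed PROGRAM field.
filter f_program_dovecot  { program("dovecot"); };
# Catches messages that mention dovecot in the message text only.
filter f_mentions_dovecot { message("dovecot"); };

log {
    source(s_log); source(s_logpriv); source(s_klog);
    if {
        filter(f_program_dovecot);
        rewrite { set("match" value(".FILTER")); };
    } elif {
        # dovecot appears in the text, but PROGRAM holds something else
        filter(f_mentions_dovecot);
        rewrite { set("text-only" value(".FILTER")); };
    } else {
        rewrite { set("other" value(".FILTER")); };
    };
    destination(d_debug);
};
```

Load it as a temporary stand-alone configuration with `syslog-ng -F -f <file>` while the regular instance is stopped, since both would bind the same sockets. Lines tagged `text-only` show what PROGRAM actually contains for the dovecot messages and, through `src=`, whether they arrived via s_klog with the program name overridden to "kernel".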