[syslog-ng] What am I doing wrong? (solved)

Dan Egli dan at newideatest.site
Wed Dec 16 06:14:55 UTC 2020


syslog.local7 is a reference mnemonic of mine, sorry. It refers to the 
local7 facility in syslog. And by saying the not should be lowercase 
that fixed everything. I don't know why the examples show it in 
uppercase, but thank you very much!

On 12/15/2020 11:09 PM, Balazs Scheidler wrote:
>
>
> On Wed, Dec 16, 2020, 06:04 Dan Egli <dan at newideatest.site> wrote:
>
>     Help me understand this, please?  I have ISC dhcpd configured to
>     log to syslog.local7 (since I don't see an option to force it into
>     its own log file).
>
>
> Hmm syslog.local7 doesn't seem to be a facility.severity pair.
>
> Both syslog and localX are facility codes, so either syslog or localX.
>
> Syslog is normally reserved for the syslog subsystem, so I wouldn't 
> use that for dhcpd.
>
> Also, logging and filtering based on facility codes alone is not 
> really flexible, as facility codes were not kept up with changes of 
> the underlying system. There are dedicated codes for legacy stuff like 
> "news" which people rarely use, but lack newer stuff like kafka or docker.
>
> So in most cases, I see people use the PROGRAM field, or even the IP 
> address of devices to classify log messages.
>
> Still, in your use case the current set of facility codes could be 
> just fine.
>
>     So I went into my syslog-ng file and created two filters, just
>     like on the example page of syslog-ng.com:
>
>     filter dhcpmsgs { facility(23) );
>
>
> This would filter on facility code 23; each facility is mapped to a 
> numeric code. I can't remember what 23 is, but you can check RFC 3164 
> for the exact assignment.
>
>     filter non_dhcp { NOT filter(dhcpmsgs) );
>
>
> Negation should be lower case, e.g. "not"
> The closing paren should be a closing brace (e.g. "}")
>
>
>
>     I quoted almost directly from the example page on syslog-ng.com, but I
>     keep getting this error when I reload syslog-ng's config:
>     Error parsing filter expression, filter plugin NOT not found OR you may
>     not used double quotes in your filter expression in
>     /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>
>     What did I do wrong? Here's the lines I modified from the
>     syslog-ng page:
>     filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
>     filter inverted_demo_filter { NOT filter(demo_filter) }
>
>     You can see the page at:
>     https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>
>
>
>     -- 
>     Dan Egli
>      From my Test Server
>
-- 
Dan Egli
 From my Test Server
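
The fix from this thread written out as a full configuration, as an added example that is not part of either message. The `@version` line, the source, filter and destination names, and the log file paths are assumptions; the `program("dhcpd")` filter illustrates the PROGRAM-field approach mentioned in the reply.

```conf
@version: 3.16                      # assumed; use your installed version

# Local messages (assumed source definition)
source s_local { system(); internal(); };

# dhcpd logs to facility local7, which is numeric code 23 in RFC 3164.
# The symbolic name is easier to audit than the bare number.
filter f_dhcp { facility(local7); };

# Negation is the lowercase keyword "not", the inner expression ends
# with ";", and the block closes with "};" rather than ");".
filter f_not_dhcp { not filter(f_dhcp); };

# Alternative classifier: match on the PROGRAM field, so other software
# that also happens to log to local7 is not swept into the dhcpd file.
filter f_dhcp_prog { program("dhcpd"); };

# Assumed destinations
destination d_dhcp     { file("/var/log/dhcpd.log"); };
destination d_messages { file("/var/log/messages"); };

# dhcpd traffic goes to its own file, everything else to the general log
log { source(s_local); filter(f_dhcp);     destination(d_dhcp); };
log { source(s_local); filter(f_not_dhcp); destination(d_messages); };
```

Running `syslog-ng --syntax-only` against the edited file reports parse errors like the one quoted above before the running daemon is reloaded.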
