[syslog-ng] What am I doing wrong? (solved)

Dan Egli dan at newideatest.site
Wed Dec 16 06:58:22 UTC 2020


Sorry, I should have said I THOUGHT it was working good. It loads 
cleanly, and I have systemd set to forward its journal to the syslog, 
so syslog-ng is getting plenty of info to log. The problem is that it's 
not listening to my filter. I specifically have two filters. One to say 
only what came in in local7, and the other is everything BUT what came 
in on local7.  Yet when I started syslog-ng I get IDENTICAL content to 
both files. In fact, I did a quick test. rm messages dhcpd.log && 
systemctl restart syslog-ng at default. Then I ran a cmp on dhcpd.log and 
messages, and they came back identical. So why is all this stuff being 
written to the wrong files? Here's my syslog-ng.conf file. Perhaps I did 
something wrong?

options {
         threaded(yes);
         chain_hostnames(no);
         stats_freq(43200);
         mark_freq(3600);
};
filter dhcpfilter { facility(local7) };
filter nondhcp { not filter(dhcpfilter) };
source src { system(); internal(); };
destination messages { file("/var/log/messages"); };
destination dhcplog { file("/var/log/dhcpd.log");  };
destination console_all { file("/dev/tty12"); };
log { source(src); destination(messages); filter(nondhcp); };
log { source(src); destination(console_all); };
log { source(src); destination(dhcplog); filter(dhcpfilter); };


Notice in the first log line the mention of filter(nondhcp) - i.e. 
messages NOT from dhcpd, and on the 3rd log line there is 
filter(dhcpfilter)  which should be only what comes across on local7. So 
why am I getting systemd messages and syslog-ng messages and what not in 
my dhcpd.log file?



On 12/15/2020 11:14 PM, Dan Egli wrote:
>
> syslog.local7 is a reference mnemonic of mine, sorry. It refers to the 
> local7 facility in syslog. And by saying the not should be lowercase 
> that fixed everything. I don't know why the examples show it in 
> uppercase, but thank you very much!
>
> On 12/15/2020 11:09 PM, Balazs Scheidler wrote:
>>
>>
>> On Wed, Dec 16, 2020, 06:04 Dan Egli <dan at newideatest.site> wrote:
>>
>>     Help me understand this, please?  I have ISC dhcpd configured to
>>     log to
>>     syslog.local7 (since I don't see an option to force it into its
>>     own log
>>     file).
>>
>>
>> Hmm syslog.local7 doesn't seem to be a facility.severity pair.
>>
>> Both syslog and localX are facility codes, so either syslog or localX.
>>
>> Syslog is normally reserved for the syslog subsystem, so I wouldn't 
>> use that for dhcpd.
>>
>> Also, logging and filtering based on facility codes alone is not 
>> really flexible, as facility codes were not kept up with changes of 
>> the underlying system. There are dedicated codes for legacy stuff 
>> like "news" which people rarely use, but lack newer stuff like kafka 
>> or docker.
>>
>> So in most cases, I see people use the PROGRAM field, or even the IP 
>> address of devices to classify log messages.
>>
>> Still, in your use case the current set of facility codes could be 
>> just fine.
>>
>>     So I went into my syslog-ng file and created two filters, just
>>     like on the example page of syslog-ng.com:
>>
>>     filter dhcpmsgs { facility(23) );
>>
>>
>> This would filter on facility code 23, each facility is mapped to a 
>> numeric code, I can't remember what is 23, but you can check rfc3164 
>> for the exact assignment.
>>
>>     filter non_dhcp { NOT filter(dhcpmsgs) );
>>
>>
>> Negation should be lower case, e.g. "not"
>> The closing paren should be a closing brace (e.g. "}")
>>
>>
>>
>>     I quoted almost directly from the example page on syslog-ng.com, but I
>>     keep getting this error when I reload syslog-ng's config:
>>     Error parsing filter expression, filter plugin NOT not found OR
>>     you may
>>     not used double quotes in your filter expression in
>>     /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>>
>>     What did I do wrong? Here's the lines I modified from the
>>     syslog-ng page:
>>     filter demo_filter { host("example") and match("deny"
>>     value("MESSAGE")) };
>>     filter inverted_demo_filter { NOT filter(demo_filter) }
>>
>>     You can see the page at:
>>     https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>>
>>
>>
>>     -- 
>>     Dan Egli
>>      From my Test Server
>>
>>     ______________________________________________________________________________
>>     Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>     Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>     FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
> -- 
> Dan Egli
>  From my Test Server
>
>
-- 
Dan Egli
 From my Test Server
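The symptom in the top message (dhcpd.log and messages coming out identical) follows from the order of the elements inside each `log { ... }` statement: syslog-ng walks the elements of a log statement in the order written, so a `destination()` listed before a `filter()` has already received the message by the time the filter rejects it. Both log statements in the posted config list the destination first. The following Python model is an added illustration written for this page, not syslog-ng's code or anything from the thread; it decodes the RFC 3164 `<PRI>` prefix (facility*8 + severity, so `local7` is facility 23), evaluates the two filters from the post, and replays a few constructed log lines through the log paths as posted and with the filter moved in front of the destination. The sample lines, the host name `testsrv` and the PIDs are constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

# RFC 3164: PRI = facility * 8 + severity. Names follow syslog-ng's own
# facility/severity tables; local0..local7 are facility numbers 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BSD header: "Mmm dd hh:mm:ss host program[pid]: message"
HEADER_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+([^\s:\[]+)")

Message = Dict[str, str]
LogPath = List[Tuple[str, str]]  # ("filter", name) / ("destination", name)


def facility_number(name: str) -> int:
    """facility(local7) in a syslog-ng filter is the numeric code 23."""
    return FACILITIES.index(name)


def parse_line(line: str) -> Message:
    """Decode the <PRI> prefix and the BSD header of one syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    hdr = HEADER_RE.match(m.group(2))
    return {
        "raw": line,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "host": hdr.group(1) if hdr else "",
        "program": hdr.group(2) if hdr else "",
    }


# The two filters from the posted syslog-ng.conf.
FILTERS: Dict[str, Callable[[Message], bool]] = {}
FILTERS["dhcpfilter"] = lambda m: m["facility"] == "local7"
FILTERS["nondhcp"] = lambda m: not FILTERS["dhcpfilter"](m)


def run_config(paths: List[LogPath], lines: List[str]) -> Dict[str, List[str]]:
    """Model of syslog-ng's sequential log-path evaluation: every message walks
    the elements of each log {} statement in the order written. A filter that
    rejects the message ends that walk, so a destination listed before the
    filter has already received the message."""
    dests: Dict[str, List[str]] = {}
    for line in lines:
        msg = parse_line(line)
        for path in paths:
            for kind, name in path:
                if kind == "filter" and not FILTERS[name](msg):
                    break
                if kind == "destination":
                    dests.setdefault(name, []).append(line)
    return dests


# Constructed sample input: two dhcpd lines on local7, two on other facilities.
SAMPLE_LINES = [
    "<191>Dec 16 06:50:01 testsrv dhcpd[912]: DHCPREQUEST for 192.0.2.17 from 00:11:22:33:44:55 via eth0",
    "<190>Dec 16 06:50:01 testsrv dhcpd[912]: DHCPACK on 192.0.2.17 to 00:11:22:33:44:55 via eth0",
    "<30>Dec 16 06:50:02 testsrv systemd[1]: Started OpenSSH server daemon.",
    "<46>Dec 16 06:50:02 testsrv syslog-ng[880]: syslog-ng starting up",
]

# Log statements exactly as posted: destination() before filter().
AS_POSTED: List[LogPath] = [
    [("destination", "messages"), ("filter", "nondhcp")],
    [("destination", "console_all")],
    [("destination", "dhcplog"), ("filter", "dhcpfilter")],
]

# The same statements with the filter moved in front of the destination.
FILTER_FIRST: List[LogPath] = [
    [("filter", "nondhcp"), ("destination", "messages")],
    [("destination", "console_all")],
    [("filter", "dhcpfilter"), ("destination", "dhcplog")],
]

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("filter first", FILTER_FIRST)):
        out = run_config(cfg, SAMPLE_LINES)
        print(label, {k: len(v) for k, v in out.items()},
              "identical" if out["messages"] == out["dhcplog"] else "partitioned")
```

With the statements as posted, `messages` and `dhcplog` both receive all four lines, which is exactly what the `cmp` in the post reports. In the real syslog-ng.conf the fix is to write `log { source(src); filter(nondhcp); destination(messages); };` and `log { source(src); filter(dhcpfilter); destination(dhcplog); };`. Note that `syslog-ng -s` (`--syntax-only`) accepts both orderings, since both are valid configurations, so a syntax check alone will not catch this; verifying the split with `cmp` on the two files after a restart, as the post does, is the right test.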


