[syslog-ng] What am I doing wrong? (solved)

Balazs Scheidler bazsi77 at gmail.com
Wed Dec 16 11:19:28 UTC 2020


The elements in the log destination are processed in order. So you have to
insert the filter reference between the source and the destination, and not
after the destination.

This is to allow you to list multiple destinations, potentially applying
different filters/parsers and other processing elements.

On Wed, Dec 16, 2020, 07:58 Dan Egli <dan at newideatest.site> wrote:

> Sorry, I should have said I THOUGHT it was working good. It loads cleanly,
> and I have systemd set to forward its journal to the syslog, so syslog-ng
> is getting plenty of info to log. The problem is that it's not listening to
> my filter. I specifically have two filters. One to say only what came in in
> local7, and the other is everything BUT what came in on local7.  Yet when I
> started syslog-ng I get IDENTICAL content to both files. In fact, I did a
> quick test. rm messages dhcpd.log && systemctl restart syslog-ng at default.
> Then I ran a cmp on dhcpd.log and messages, and they came back identical.
> So why is all this stuff being written to the wrong files? Here's my
> syslog-ng.conf file. Perhaps I did something wrong?
>
> options {
>         threaded(yes);
>         chain_hostnames(no);
>         stats_freq(43200);
>         mark_freq(3600);
> };
> filter dhcpfilter { facility(local7) };
> filter nondhcp { not filter(dhcpfilter) };
> source src { system(); internal(); };
> destination messages { file("/var/log/messages"); };
> destination dhcplog { file("/var/log/dhcpd.log");  };
> destination console_all { file("/dev/tty12"); };
> log { source(src); destination(messages); filter(nondhcp); };
> log { source(src); destination(console_all); };
> log { source(src); destination(dhcplog); filter(dhcpfilter); };
>
>
> Notice in the first log line the mention of filter(nondhcp) - i.e.
> messages NOT from dhcpd, and on the 3rd log line there is
> filter(dhcpfilter)  which should be only what comes across on local7. So
> why am I getting systemd messages and syslog-ng messages and what not in my
> dhcpd.log file?
>
> On 12/15/2020 11:14 PM, Dan Egli wrote:
>
> syslog.local7 is a reference mnemonic of mine, sorry. It refers to the
> local7 facility in syslog. And by saying the not should be lowercase that
> fixed everything. I don't know why the examples show it in uppercase, but
> thank you very much!
> On 12/15/2020 11:09 PM, Balazs Scheidler wrote:
>
> On Wed, Dec 16, 2020, 06:04 Dan Egli <dan at newideatest.site> wrote:
>
>> Help me understand this, please?  I have ISC dhcpd configured to log to
>> syslog.local7 (since I don't see an option to force it into its own log
>> file).
>
>
> Hmm, syslog.local7 doesn't seem to be a facility.severity pair.
>
> Both syslog and localX are facility codes, so either syslog or localX.
>
> Syslog is normally reserved for the syslog subsystem, so I wouldn't use
> that for dhcpd.
>
> Also, logging and filtering based on facility codes alone is not really
> flexible, as facility codes have not kept up with changes of the underlying
> system. There are dedicated codes for legacy stuff like "news" which people
> rarely use, but lack newer stuff like kafka or docker.
>
> So in most cases, I see people use the PROGRAM field, or even the IP
> address of devices to classify log messages.
>
> Still, in your use case the current set of facility codes could be just
> fine.
>
>> So I went into my syslog-ng file and created two filters, just
>> like on the example page of syslog-ng.com:
>>
>> filter dhcpmsgs { facility(23) );
>>
>
> This would filter on facility code 23. Each facility is mapped to a
> numeric code; I can't remember what 23 is, but you can check RFC 3164 for
> the exact assignment.
>
>> filter non_dhcp { NOT filter(dhcpmsgs) );
>>
>
> Negation should be lower case, e.g. "not".
> The closing paren should be a closing brace (e.g. "}").
>
>> I quoted almost directly from the example page on syslog-ng.com, but I
>> keep getting this error when I reload syslog-ng's config:
>> Error parsing filter expression, filter plugin NOT not found OR you may
>> not used double quotes in your filter expression in
>> /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>>
>> What did I do wrong? Here's the lines I modified from the syslog-ng page:
>> filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
>> filter inverted_demo_filter { NOT filter(demo_filter) }
>>
>> You can see the page at:
>>
>> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>>
>>
>> --
>> Dan Egli
>> From my Test Server
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
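As an added example that is not part of the original thread: the syslog-ng.conf quoted above, rewritten so that each filter() reference sits between the source() and the destination(), which is the change the reply describes. File paths, filter names and the systemd unit name are the ones from the thread; the check commands at the end are from syslog-ng's and util-linux's own command lines, and the test messages are constructed.

```conf
# Added example: the quoted syslog-ng.conf with each filter() placed
# between source() and destination(). Elements of a log statement are
# processed in order, so a filter listed after the destination never
# affects what that destination receives.
options {
        threaded(yes);
        chain_hostnames(no);
        stats_freq(43200);
        mark_freq(3600);
};

# local7 is numeric facility 23 in the RFC 3164 table (local0..local7 map
# to 16..23), so facility(local7) and facility(23) select the same messages.
filter dhcpfilter { facility(local7) };
filter nondhcp    { not filter(dhcpfilter) };

source src { system(); internal(); };

destination messages    { file("/var/log/messages"); };
destination dhcplog     { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };

# Wrong (as in the quoted config): destination first, filter last, so both
# files receive every message and cmp reports them identical:
#   log { source(src); destination(messages); filter(nondhcp); };
#
# Right: filter before destination.
log { source(src); filter(nondhcp);    destination(messages); };
log { source(src); filter(dhcpfilter); destination(dhcplog); };
log { source(src);                     destination(console_all); };

# Checking it (run as root):
#   syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf   # syntax check only, no reload
#   systemctl restart syslog-ng@default
#   logger -p local7.info "dhcp test"                # expected only in /var/log/dhcpd.log
#   logger -p local0.info "nondhcp test"             # expected only in /var/log/messages
```

After the restart, the two logger lines give a quick positive and negative check: grep each test string in both files, and a line that appears in the wrong file means a filter is still on the wrong side of its destination.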