[syslog-ng] [*SP4M*] Re: What am I doing wrong? (solved)

Dan Egli dan at newideatest.site
Wed Dec 16 17:24:18 UTC 2020


Okay, now I'm starting to get where I want. Only dhcpd messages are 
going to dhcpd.log, which is great. BUT they are also going to 
/var/log/messages, despite my attempts to block that. I have dhcpd set 
to log to the local7 facility, and I have StandardOut and StandardError 
set to null in my systemd service. So why is it all going to BOTH 
places? What do I need to do in order to ensure that logging info for 
dhcpd goes ONLY to dhcpd.log and not to messages as well?

On 12/16/2020 4:19 AM, Balazs Scheidler wrote:
> The elements in the log destination are processed in order. So you 
> have to insert the filter reference between the source and the 
> destination, and not after the destination.
>
> This is to allow you to list multiple destinations, potentially 
> applying different filters/parsers and other processing elements.
>
> On Wed, Dec 16, 2020, 07:58 Dan Egli <dan at newideatest.site> wrote:
>
>     Sorry, I should have said I THOUGHT it was working good. It loads
>     cleanly, and I have systemd set to forward its journal to the
>     syslog, so syslog-ng is getting plenty of info to log. The problem
>     is that it's not listening to my filter. I specifically have two
>     filters. One to say only what came in on local7, and the other is
>     everything BUT what came in on local7.  Yet when I started
>     syslog-ng I get IDENTICAL content to both files. In fact, I did a
>     quick test. rm messages dhcpd.log && systemctl restart
>     syslog-ng@default. Then I ran a cmp on dhcpd.log and messages, and
>     they came back identical. So why is all this stuff being written
>     to the wrong files? Here's my syslog-ng.conf file. Perhaps I did
>     something wrong?
>
>     options {
>             threaded(yes);
>             chain_hostnames(no);
>             stats_freq(43200);
>             mark_freq(3600);
>     };
>     filter dhcpfilter { facility(local7) };
>     filter nondhcp { not filter(dhcpfilter) };
>     source src { system(); internal(); };
>     destination messages { file("/var/log/messages"); };
>     destination dhcplog { file("/var/log/dhcpd.log");  };
>     destination console_all { file("/dev/tty12"); };
>     log { source(src); destination(messages); filter(nondhcp); };
>     log { source(src); destination(console_all); };
>     log { source(src); destination(dhcplog); filter(dhcpfilter); };
>
>
>     Notice in the first log line the mention of filter(nondhcp) - i.e.
>     messages NOT from dhcpd, and on the 3rd log line there is
>     filter(dhcpfilter)  which should be only what comes across on
>     local7. So why am I getting systemd messages and syslog-ng
>     messages and what not in my dhcpd.log file?
>
>
>
>     On 12/15/2020 11:14 PM, Dan Egli wrote:
>>
>>     syslog.local7 is a reference mnemonic of mine, sorry. It refers
>>     to the local7 facility in syslog. And by saying the not should be
>>     lowercase that fixed everything. I don't know why the examples
>>     show it in uppercase, but thank you very much!
>>
>>     On 12/15/2020 11:09 PM, Balazs Scheidler wrote:
>>>
>>>
>>>     On Wed, Dec 16, 2020, 06:04 Dan Egli <dan at newideatest.site>
>>>     <mailto:dan at newideatest.site> wrote:
>>>
>>>         Help me understand this, please?  I have ISC dhcpd
>>>         configured to log to syslog.local7 (since I don't see an
>>>         option to force it into its own log file).
>>>
>>>
>>>     Hmm syslog.local7 doesn't seem to be a facility.severity pair.
>>>
>>>     Both syslog and localX are facility codes, so either syslog or
>>>     localX.
>>>
>>>     Syslog is normally reserved for the syslog subsystem, so I
>>>     wouldn't use that for dhcpd.
>>>
>>>     Also, logging and filtering based on facility codes alone is not
>>>     really flexible, as facility codes were not kept up with changes
>>>     of the underlying system. There are dedicated codes for legacy
>>>     stuff like "news" which people rarely use, but lack newer stuff
>>>     like kafka or docker.
>>>
>>>     So in most cases, I see people use the PROGRAM field, or even
>>>     the IP address of devices to classify log messages.
>>>
>>>     Still, in your use case the current set of facility codes could
>>>     be just fine.
>>>
>>>         So I went into my syslog-ng file and created two filters, just
>>>         like on the example page of syslog-ng.com
>>>         <http://syslog-ng.com>:
>>>
>>>         filter dhcpmsgs { facility(23) );
>>>
>>>
>>>     This would filter on facility code 23, each facility is mapped
>>>     to a numeric code, I can't remember what is 23, but you can
>>>     check rfc3164 for the exact assignment.
>>>
>>>         filter non_dhcp { NOT filter(dhcpmsgs) );
>>>
>>>
>>>     Negation should be lower case, e.g. "not"
>>>     The closing paren should be a closing brace (e.g. "}")
>>>
>>>
>>>
>>>         I quoted almost directly from the example page on
>>>         syslog-ng.com <http://syslog-ng.com>, but I
>>>         keep getting this error when I reload syslog-ng's config:
>>>         Error parsing filter expression, filter plugin NOT not found
>>>         OR you may
>>>         not used double quotes in your filter expression in
>>>         /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>>>
>>>         What did I do wrong? Here's the lines I modified from the
>>>         syslog-ng page:
>>>         filter demo_filter { host("example") and match("deny"
>>>         value("MESSAGE")) };
>>>         filter inverted_demo_filter { NOT filter(demo_filter) }
>>>
>>>         You can see the page at:
>>>         https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>>>         <https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53>
>>>
>>>
>>>
>>>         -- 
>>>         Dan Egli
>>>          From my Test Server
>>>
>>>         ______________________________________________________________________________
>>>         Member info:
>>>         https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>         <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
>>>         Documentation:
>>>         http://www.balabit.com/support/documentation/?product=syslog-ng
>>>         <http://www.balabit.com/support/documentation/?product=syslog-ng>
>>>         FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>         <http://www.balabit.com/wiki/syslog-ng-faq>
>>>
>>>
>>>
>>     -- 
>>     Dan Egli
>>      From my Test Server
>>
>>
>     -- 
>     Dan Egli
>      From my Test Server
>
>
>
>
-- 
Dan Egli
 From my Test Server
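
The configuration below is an added example, not taken from the thread: it is Dan's syslog-ng.conf with the filter references moved between source() and destination(), as Balazs describes, which is also the reason the top message still sees dhcpd entries in /var/log/messages (the first log statement applies filter(nondhcp) only after destination(messages) has already written the message). It assumes syslog-ng 3.16 syntax (the documentation version Dan links), and notes that local7 is facility code 23 in RFC 3164, so facility(23) and facility(local7) are equivalent.

```conf
@version: 3.16

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

# local7 is facility code 23 (RFC 3164); the symbolic name reads better.
filter dhcpfilter { facility(local7); };
filter nondhcp    { not filter(dhcpfilter); };

# Alternative suggested in the thread: classify on the PROGRAM field
# instead of the facility, so the match survives a dhcpd config change.
# filter dhcpfilter { program("dhcpd"); };

destination messages    { file("/var/log/messages"); };
destination dhcplog     { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };

# Elements of a log statement run in order: a filter placed AFTER the
# destination cannot stop anything, so the filter goes before it.
log { source(src); filter(nondhcp);    destination(messages); };
log { source(src); filter(dhcpfilter); destination(dhcplog); };
log { source(src); destination(console_all); };
```

Check the file with `syslog-ng --syntax-only` before restarting, then `logger -p local7.info -t dhcpd test` should land only in /var/log/dhcpd.log and not in /var/log/messages.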
