[syslog-ng] [*SP4M*] Re: What am I doing wrong? (solved)

Balazs Scheidler bazsi77 at gmail.com
Wed Dec 16 19:22:51 UTC 2020


Log statements are inclusive by default, e.g. all of them process all of their
inputs.

You can use flags(final) in a log statement to stop further processing of
the message in the following log statements.
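A corrected version of the configuration quoted further down, added here as an illustration and not taken from the thread or from the syslog-ng project, showing both approaches: the filter placed between source and destination (so the order of elements is respected), and flags(final) as an alternative to a negated filter. The `@version` line and the `program("dhcpd")` mention are assumptions, not from the original.

```conf
# assumed version line; set it to the installed syslog-ng version
@version: 3.16

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

# Same facility-based filter as in the thread. Matching on the PROGRAM
# field instead, e.g. program("dhcpd"), is the alternative Balazs
# mentions; that exact filter is an assumption, not from the original.
filter dhcpfilter { facility(local7); };
filter nondhcp    { not filter(dhcpfilter); };

destination messages    { file("/var/log/messages"); };
destination dhcplog     { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };

# Variant A: explicit negated filter. Elements of a log statement run in
# order, so the filter has to sit before the destination it protects.
log { source(src); filter(dhcpfilter); destination(dhcplog); };
log { source(src); filter(nondhcp);    destination(messages); };
log { source(src); destination(console_all); };

# Variant B (comment out Variant A to use it): flags(final) stops a
# matched message before the later log statements see it, so no negated
# filter is needed. console_all is listed first so it still receives
# everything, dhcpd included, before the final path consumes it.
# log { source(src); destination(console_all); };
# log { source(src); filter(dhcpfilter); destination(dhcplog); flags(final); };
# log { source(src); destination(messages); };
```

Either variant gives dhcpd-only content in dhcpd.log and keeps it out of /var/log/messages; with Variant B the result depends on statement order, so keep the flags(final) path above the catch-all one.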

On Wed, Dec 16, 2020, 18:25 Dan Egli <dan at newideatest.site> wrote:

> Okay, now I'm starting to get where I want. Only dhcpd messages are going
> to dhcpd.log, which is great. BUT they are also going to /var/log/messages,
> despite my attempts to block that. I have dhcpd set to log to the local7
> facility, and I have StandardOut and StandardError set to null in my
> systemd service. So why is it all going to BOTH places? What do I need to
> do in order to ensure that logging info for dhcpd goes ONLY to dhcpd.log
> and not to messages as well?
> On 12/16/2020 4:19 AM, Balazs Scheidler wrote:
>
> The elements in the log destination are processed in order. So you have to
> insert the filter reference between the source and the destination, and not
> after the destination.
>
> This is to allow you to list multiple destinations, potentially applying
> different filters/parsers and other processing elements.
>
> On Wed, Dec 16, 2020, 07:58 Dan Egli <dan at newideatest.site> wrote:
>
>> Sorry, I should have said I THOUGHT it was working well. It loads
>> cleanly, and I have systemd set to forward its journal to the syslog, so
>> syslog-ng is getting plenty of info to log. The problem is that it's not
>> listening to my filter. I specifically have two filters. One to say only
>> what came in on local7, and the other is everything BUT what came in on
>> local7. Yet when I started syslog-ng I get IDENTICAL content in both
>> files. In fact, I did a quick test: rm messages dhcpd.log && systemctl
>> restart syslog-ng@default. Then I ran a cmp on dhcpd.log and messages,
>> and they came back identical. So why is all this stuff being written to the
>> wrong files? Here's my syslog-ng.conf file. Perhaps I did something wrong?
>>
>> options {
>>         threaded(yes);
>>         chain_hostnames(no);
>>         stats_freq(43200);
>>         mark_freq(3600);
>> };
>> filter dhcpfilter { facility(local7) };
>> filter nondhcp { not filter(dhcpfilter) };
>> source src { system(); internal(); };
>> destination messages { file("/var/log/messages"); };
>> destination dhcplog { file("/var/log/dhcpd.log");  };
>> destination console_all { file("/dev/tty12"); };
>> log { source(src); destination(messages); filter(nondhcp); };
>> log { source(src); destination(console_all); };
>> log { source(src); destination(dhcplog); filter(dhcpfilter); };
>>
>>
>> Notice in the first log line the mention of filter(nondhcp) - i.e.
>> messages NOT from dhcpd, and on the 3rd log line there is
>> filter(dhcpfilter)  which should be only what comes across on local7. So
>> why am I getting systemd messages and syslog-ng messages and what not in my
>> dhcpd.log file?
>>
>>
>>
>> On 12/15/2020 11:14 PM, Dan Egli wrote:
>>
>> syslog.local7 is a reference mnemonic of mine, sorry. It refers to the
>> local7 facility in syslog. And by saying the not should be lowercase that
>> fixed everything. I don't know why the examples show it in uppercase, but
>> thank you very much!
>> On 12/15/2020 11:09 PM, Balazs Scheidler wrote:
>>
>>
>>
>> On Wed, Dec 16, 2020, 06:04 Dan Egli <dan at newideatest.site> wrote:
>>
>>> Help me understand this, please? I have ISC dhcpd configured to log to
>>> syslog.local7 (since I don't see an option to force it into its own log
>>> file).
>>
>>
>> Hmm syslog.local7 doesn't seem to be a facility.severity pair.
>>
>> Both syslog and localX are facility codes, so either syslog or localX.
>>
>> Syslog is normally reserved for the syslog subsystem, so I wouldn't use
>> that for dhcpd.
>>
>> Also, logging and filtering based on facility codes alone is not really
>> flexible, as facility codes were not kept up with changes of the underlying
>> system. There are dedicated codes for legacy stuff like "news" which people
>> rarely use, but lack newer stuff like kafka or docker.
>>
>> So in most cases, I see people use the PROGRAM field, or even the IP
>> address of devices to classify log messages.
>>
>> Still, in your use case the current set of facility codes could be just
>> fine.
>>
>> So I went into my syslog-ng file and created two filters, just
>>> like on the example page of syslog-ng.com:
>>>
>>> filter dhcpmsgs { facility(23) );
>>>
>>
>> This would filter on facility code 23. Each facility is mapped to a
>> numeric code; I can't remember what 23 is, but you can check rfc3164 for
>> the exact assignment.
>>
>> filter non_dhcp { NOT filter(dhcpmsgs) );
>>>
>>
>> Negation should be lower case, e.g. "not"
>> The closing paren should be a closing brace (e.g. "}")
>>
>>
>>
>>> I quoted almost directly from the example page on syslog-ng.com, but I
>>> keep getting this error when I reload syslog-ng's config:
>>> Error parsing filter expression, filter plugin NOT not found OR you may
>>> not used double quotes in your filter expression in
>>> /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>>>
>>> What did I do wrong? Here's the lines I modified from the syslog-ng page:
>>> filter demo_filter { host("example") and match("deny" value("MESSAGE"))
>>> };
>>> filter inverted_demo_filter { NOT filter(demo_filter) }
>>>
>>> You can see the page at:
>>>
>>> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>>>
>>>
>>> --
>>> Dan Egli
>>>  From my Test Server
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>
>> --
>> Dan Egli
>> From my Test Server
>>
>>
>>
>> --
>> Dan Egli
>> From my Test Server
>>
>>
>>
>>
>
> --
> Dan Egli
> From my Test Server
>
>