[syslog-ng] Syslog-ng not honoring negative flag

Dan Egli dan at newideatest.site
Wed Apr 7 06:05:01 UTC 2021


No joy. I tried swapping it different ways.

filter -> source -> destination = combined
source -> filter -> destination = combined

Here's what my config looks like now, after the second variant:

@version: 3.30

@include "scl.conf"

options {
     threaded(yes);
     chain_hostnames(no);
     stats_freq(43200);
     mark_freq(3600);
};

source src { system(); internal(); };

filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };

destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };

log { source(src); filter(samba); destination(smb_logs); flags(final); };
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };


Still, sshd messages are appearing in /var/log/messages.

On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> Hello,
>
> The order in the configuration matters.
> log { source(src); destination(console); filter(syslog); };
> The message flow is the following in your example source(src) -> destination(console) -> filter(syslog) -> void
> The filter receives messages only after destination, if you switch filter and destination it should be fine.
>
> --
> kokan
>
> ________________________________________
> From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Dan Egli <dan at newideatest.site>
> Sent: 07 April 2021 07:17
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] Syslog-ng not honoring negative flag
>
> I'm having a bit of a problem and hope someone here can help. I'm trying
> to separate individual items into specific logs, i.e. ssh events in
> sshd.log, samba messages in samba.log, etc...
>
> I managed to come up with filters that pull out the events I started
> with, and they are going into the correct log files. But they are ALSO
> going into /var/log/messages even though I specifically have a filter on
> that one that says not to include samba or sshd events. I'll copy my
> config file here. Hopefully someone can tell me what I did wrong.
>
> Thanks!
>
> ---------------------------------------------
> @version: 3.30
>
> @include "scl.conf"
>
> options {
>       threaded(yes);
>       chain_hostnames(no);
>       stats_freq(43200);
>       mark_freq(3600);
> };
>
> source src { system(); internal(); };
>
> filter samba { program("samba"); };
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
> destination smb_logs { file("/var/log/samba/samba.log"); };
>
> log { source(src); destination(smb_logs); filter(samba); flags(final); };
> log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };
> log { source(src); destination(console); filter(syslog); };
> log { source(src); destination(messages); filter(syslog); };
>
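A small model of the evaluation order described in the reply above, added here as an example; it is not syslog-ng's code and not from the thread. It assumes two things stated or documented for syslog-ng: elements inside a `log { ... }` statement are evaluated left to right (a non-matching filter drops the message from that path, a destination delivers it), and `flags(final)` stops a message from being offered to later log statements only when it reaches the end of the flagged path (a message a filter dropped continues to the next statement). The three filters are the ones from the configuration in this thread; the sample messages are constructed.

```python
"""Model of syslog-ng log-statement evaluation order (added example, not
syslog-ng's own code). Elements inside a log { ... } are evaluated left to
right: a filter that does not match drops the message from that path, a
destination delivers it. flags(final) is modelled as: a message that reaches
the end of a final path is not offered to the paths after it, while a message
a filter dropped continues to the next path. All sample messages are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    program: str
    facility: str
    level: str
    text: str


# The three filters from the thread's configuration, as predicates on Msg.
def f_samba(m: Msg) -> bool:
    return m.program == "samba"


def f_ssh_messages(m: Msg) -> bool:
    return m.facility == "auth" and m.level == "info"


def f_syslog(m: Msg) -> bool:
    return not f_ssh_messages(m) and not f_samba(m)


def route(paths, messages):
    """Deliver each message through the paths in order.

    paths: list of (elements, final) tuples; elements is an ordered list of
    ("filter", predicate) or ("destination", name). Returns a dict mapping
    destination name -> list of message texts delivered there."""
    delivered = {}
    for m in messages:
        for elements, final in paths:
            dropped = False
            for kind, obj in elements:
                if kind == "filter" and not obj(m):
                    dropped = True
                    break
                if kind == "destination":
                    delivered.setdefault(obj, []).append(m.text)
            if final and not dropped:
                break  # flags(final): this path matched, skip later paths
    return delivered


# Original post: destination written before the filter in each statement.
DESTINATION_FIRST = [
    ([("destination", "smb_logs"), ("filter", f_samba)], True),
    ([("destination", "sshd_log"), ("filter", f_ssh_messages)], True),
    ([("destination", "console"), ("filter", f_syslog)], False),
    ([("destination", "messages"), ("filter", f_syslog)], False),
]

# Second variant from the follow-up: filter before destination.
FILTER_FIRST = [
    ([("filter", f_samba), ("destination", "smb_logs")], True),
    ([("filter", f_ssh_messages), ("destination", "sshd_log")], True),
    ([("filter", f_syslog), ("destination", "console")], False),
    ([("filter", f_syslog), ("destination", "messages")], False),
]

# Constructed sample messages; facility/level chosen to exercise the filters.
SAMPLE = [
    Msg("samba", "daemon", "info", "smbd[10]: connection from client1"),
    Msg("sshd", "auth", "info", "sshd[20]: Accepted publickey for alice"),
    Msg("sshd", "auth", "notice", "sshd[21]: Received disconnect from 192.0.2.10"),
    Msg("cron", "cron", "info", "cron[30]: job started"),
]

if __name__ == "__main__":
    for name, paths in (("destination first", DESTINATION_FIRST),
                        ("filter first", FILTER_FIRST)):
        print(f"== {name} ==")
        for dest, texts in route(paths, SAMPLE).items():
            print(f"{dest}: {texts}")
```

Running both configurations over the constructed sample makes the difference visible: with the destination ahead of the filter, every message is written to smb_logs (and, unless the samba path already claimed it, to sshd_log) before its filter is consulted, so the per-service files fill with unrelated lines. With the filter first, only matching lines reach them. The model also shows that a line the `ssh_messages` filter does not select (here the constructed sshd line at level notice) falls through to the console and messages paths by construction, so the next check with real traffic is the facility and level of the sshd lines that still arrive in /var/log/messages.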

