[syslog-ng] Syslog-ng not honoring negative flag

Dan Egli dan at newideatest.site
Wed Apr 7 06:40:57 UTC 2021


It's not just ssh. Samba messages are appearing in /var/log/messages 
also. I just noticed that. But as to my ssh, the config file 
specifically says to use facility auth and level info. I suppose I could 
change it to program("sshd") or something, but since program("samba") is 
also slipping through, then I'm not sure that is going to fix anything.

On 4/7/2021 12:38 AM, Balazs Scheidler wrote:
> Your ssh_messages filter reads
>
> filter ssh_messages { facility("AUTH") and level("INFO"); };
>
> Are you sure all ssh related messages are logged at auth.info?
>
> Note that unlike syslogd, level(info) will only match "info" exactly 
> and not info and up. To match a range, you can use level(info..emerg).
>
> Also, why don't you just match on program name? E.g. program("sshd") 
> or something?
>
> And one last note: once you deliver a message using flags(final) you 
> won't need to negate the filter in subsequent log paths. Syslog-ng 
> would simply stop processing at flags(final).
>
> On Wed, Apr 7, 2021, 08:06 Dan Egli <dan at newideatest.site> wrote:
>
>     No joy. I tried swapping it different ways.
>
>     filter -> source -> destination = combined
>     source -> filter -> destination = combined
>
>     Here's what my config looks like now, after the second variant:
>
>     @version: 3.30
>
>     @include "scl.conf"
>
>     options {
>          threaded(yes);
>          chain_hostnames(no);
>          stats_freq(43200);
>          mark_freq(3600);
>     };
>
>     source src { system(); internal(); };
>
>     filter samba { program("samba"); };
>     filter ssh_messages { facility("AUTH") and level("INFO"); };
>     filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
>     destination console { file("/dev/tty12"); };
>     destination messages { file("/var/log/messages"); };
>     destination sshd_log { file("/var/log/sshd/sshd.log"); };
>     destination smb_logs { file("/var/log/samba/samba.log"); };
>
>     log { source(src); filter(samba); destination(smb_logs); flags(final); };
>     log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
>     log { source(src); filter(syslog); destination(console); };
>     log { source(src); filter(syslog); destination(messages); };
>
>
>     Still, sshd messages are appearing in /var/log/messages.
>
>     On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
>     > Hello,
>     >
>     > The order in the configuration matters.
>     > log { source(src); destination(console); filter(syslog); };
>     > The message flow is the following in your example: source(src) -> destination(console) -> filter(syslog) -> void
>     > The filter receives messages only after the destination; if you switch filter and destination it should be fine.
>     >
>     > --
>     > kokan
>     >
>     > ________________________________________
>     > From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Dan Egli <dan at newideatest.site>
>     > Sent: 07 April 2021 07:17
>     > To: syslog-ng at lists.balabit.hu
>     > Subject: [syslog-ng] Syslog-ng not honoring negative flag
>     >
>     >
>     >
>     > I'm having a bit of a problem and hope someone here can help. I'm trying
>     > to separate individual items into specific logs, i.e. ssh events in
>     > sshd.log, samba messages in samba.log, etc...
>     >
>     > I managed to come up with filters that pull out the events I started
>     > with, and they are going into the correct log files. But they are ALSO
>     > going into /var/log/messages even though I specifically have a filter on
>     > that one that says not to include samba or sshd events. I'll copy my
>     > config file here. Hopefully someone can tell me what I did wrong.
>     >
>     > Thanks!
>     >
>     > ---------------------------------------------
>     > @version: 3.30
>     >
>     > @include "scl.conf"
>     >
>     > options {
>     >       threaded(yes);
>     >       chain_hostnames(no);
>     >       stats_freq(43200);
>     >       mark_freq(3600);
>     > };
>     >
>     > source src { system(); internal(); };
>     >
>     > filter samba { program("samba"); };
>     > filter ssh_messages { facility("AUTH") and level("INFO"); };
>     > filter syslog { not filter("ssh_messages") and not filter("samba"); };
>     >
>     > destination console { file("/dev/tty12"); };
>     > destination messages { file("/var/log/messages"); };
>     > destination sshd_log { file("/var/log/sshd/sshd.log"); };
>     > destination smb_logs { file("/var/log/samba/samba.log"); };
>     >
>     > log { source(src); destination(smb_logs); filter(samba); flags(final); };
>     > log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };
>     > log { source(src); destination(console); filter(syslog); };
>     > log { source(src); destination(messages); filter(syslog); };
>     >
>     >
>     ______________________________________________________________________________
>     > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>     > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>     > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>     >
>     >
>     ______________________________________________________________________________
>     > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>     <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
>     > Documentation:
>     http://www.balabit.com/support/documentation/?product=syslog-ng
>     <http://www.balabit.com/support/documentation/?product=syslog-ng>
>     > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>     <http://www.balabit.com/wiki/syslog-ng-faq>
>     >
>
>
>
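To make the three points raised in this thread concrete (elements of a log {} statement run in the order written, flags(final) makes the negated "syslog" filter unnecessary, and level("INFO") matches only info), here is a small Python model of how syslog-ng walks its log paths. This is an added illustration, not syslog-ng code and not the poster's configuration. The sample messages are constructed; the assumption that Samba processes put "smbd", "nmbd" or "winbindd" rather than "samba" in the program field is mine, as are the function names; program() is modelled as an unanchored regular-expression match on the program field, and flags(final) is modelled as stopping later paths only for a message that passed every filter in the path.

```python
"""Toy model of how syslog-ng walks a log {} statement (added illustration,
not syslog-ng code).  It models three rules discussed in the thread:
elements run in the order written; flags(final) stops later paths only for
a message that passed the whole path; level("info") matches exactly."""
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}


class Msg:
    def __init__(self, program, facility, level, text):
        self.program, self.facility, self.level, self.text = program, facility, level, text


# Filter constructors: each returns a predicate Msg -> bool, mirroring syslog-ng
# filter functions.  program() is an unanchored regexp match on $PROGRAM.
def program(regexp):
    return lambda m: re.search(regexp, m.program) is not None

def facility(name):
    return lambda m: m.facility == name.lower()

def level(spec):
    # "info" matches only info; "info..emerg" matches every level in the range.
    if ".." in spec:
        lo, hi = sorted(RANK[s.lower()] for s in spec.split(".."))
        return lambda m: lo <= RANK[m.level] <= hi
    return lambda m: m.level == spec.lower()

def not_(f):
    return lambda m: not f(m)

def and_(*fs):
    return lambda m: all(f(m) for f in fs)


def route(paths, messages):
    """paths: list of (steps, final); steps is an ordered list of
    ("filter", predicate) or ("destination", name), exactly as written in the
    log {} statement.  Returns {destination: [message texts delivered]}."""
    out = {}
    for m in messages:
        for steps, final in paths:
            passed = True
            for kind, obj in steps:
                if kind == "filter" and not obj(m):
                    passed = False
                    break                     # the message leaves this path here
                if kind == "destination":
                    out.setdefault(obj, []).append(m.text)
            if passed and final:
                break                         # flags(final): later paths never see it
    return out


# Constructed sample traffic (not real daemon output).  The smbd line assumes
# Samba identifies itself as "smbd", not "samba", in the program field.
SAMPLE = [
    Msg("sshd", "auth", "info", "sshd: Accepted publickey for alice"),
    Msg("sshd", "auth", "notice", "sshd: sample line logged at auth.notice"),
    Msg("smbd", "daemon", "info", "smbd: sample connection line"),
    Msg("cron", "cron", "info", "cron: (root) CMD sample job"),
]

samba = program("samba")
ssh_messages = and_(facility("AUTH"), level("INFO"))
syslog = and_(not_(ssh_messages), not_(samba))
F, D = "filter", "destination"

def posted_config():
    """Destination written before filter, as in the first config in the thread."""
    return route([
        ([(D, "smb_logs"), (F, samba)], True),
        ([(D, "sshd_log"), (F, ssh_messages)], True),
        ([(D, "console"), (F, syslog)], False),
        ([(D, "messages"), (F, syslog)], False),
    ], SAMPLE)

def filter_first_config():
    """Filter before destination, still matching on facility/level and "samba"."""
    return route([
        ([(F, samba), (D, "smb_logs")], True),
        ([(F, ssh_messages), (D, "sshd_log")], True),
        ([(F, syslog), (D, "console")], False),
        ([(F, syslog), (D, "messages")], False),
    ], SAMPLE)

def program_match_config():
    """Filter first, match on $PROGRAM, and let flags(final) replace the negations."""
    return route([
        ([(F, program("^(smbd|nmbd|winbindd)$")), (D, "smb_logs")], True),
        ([(F, program("^sshd$")), (D, "sshd_log")], True),
        ([(D, "console")], False),
        ([(D, "messages")], False),
    ], SAMPLE)
```

Calling the three functions shows the progression: with the destination placed before the filter, every sample line reaches smb_logs and sshd_log, and everything except the one line that passed a final path reaches messages, because a destination that precedes its filter sees all traffic. With the filter moved first, the auth.info line is split out correctly, but the sshd line at auth.notice and the smbd line still fall through to console and messages: level("INFO") matches only info, and program("samba") never matches a program field of "smbd". Matching on $PROGRAM with flags(final) leaves only the cron line in messages, and the "syslog" filter with its two negations is no longer needed at all.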