[syslog-ng] Syslog-ng not honoring negative flag
Dan Egli
dan at newideatest.site
Wed Apr 7 06:40:57 UTC 2021
it's not just ssh. Samba messages are appearing in /var/log/messages
also. I just noticed that. But as to my ssh, the config file
specifically says to use facility auth and level info. I suppose I could
change it to program("sshd") or something, but since program("samba") is
also slipping through, then I'm not sure that is going to fix anything.
On 4/7/2021 12:38 AM, Balazs Scheidler wrote:
> Your ssh messages reads
>
> filter ssh_messages { facility("AUTH") and level("INFO"); };
>
> Are you sure all ssh related messages are logged at auth.info
> <http://auth.info>?
>
> Note that unlike syslogd level(info) will only match "info" exactly
> and not info and up. To match a range, you can use level (info..emerg)
>
> Also, why don't you just match on program name? E.g. program("sshd")
> or something?
>
> And one last note, once you deliver a message using flags(final) you
> won't need to negate the filter in subsequent log paths. Syslog-ng
> would simply stop processing at flags (final).
>
> On Wed, Apr 7, 2021, 08:06 Dan Egli <dan at newideatest.site> wrote:
>
> No joy. I tried swapping it different ways.
>
> filter -> source -> destination = combined
> source -> filter -> destination = combined
>
> Here's what my config looks like now, after the second variant:
>
> @version: 3.30
>
> @include "scl.conf"
>
> options {
> threaded(yes);
> chain_hostnames(no);
> stats_freq(43200);
> mark_freq(3600);
> };
>
> source src { system(); internal(); };
>
> filter samba { program("samba"); };
> filter ssh_messages { facility("AUTH") and level("INFO"); };
> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
> destination smb_logs { file("/var/log/samba/samba.log"); };
>
> log { source(src); filter(samba); destination(smb_logs);
> flags(final); );
> log { source(src); filter(ssh_messages); destination(sshd_log);
> flags(final); };
> log { source(src); filter(syslog); destination(console); };
> log { source(src); filter(syslog); destination(messages); };
>
>
> Still, sshd messages are appearing in /var/log/messages.
>
> On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
> > Hello,
> >
> > The order in the configuration matters.
> > log { source(src); destination(console); filter(syslog); };
> > The message flow is the following in your example source(src) ->
> destination(console) -> filter(syslog) -> void
> > The filter recieves messages only after destination, if you
> switch filter and destination it should be fine.
> >
> > --
> > kokan
> >
> > ________________________________________
> > From: syslog-ng <syslog-ng-bounces at lists.balabit.hu
> <mailto:syslog-ng-bounces at lists.balabit.hu>> on behalf of Dan Egli
> <dan at newideatest.site>
> > Sent: 07 April 2021 07:17
> > To: syslog-ng at lists.balabit.hu <mailto:syslog-ng at lists.balabit.hu>
> > Subject: [syslog-ng] Syslog-ng not honoring negative flag
> >
> > CAUTION: This email originated from outside of the organization.
> Do not follow guidance, click links, or open attachments unless
> you recognize the sender and know the content is safe.
> >
> >
> > I'm having a bit of a problem and hope someone here can help.
> I'm trying
> > to separate individual items into specific logs, i.e. ssh events in
> > sshd.log, samba messages in samba.log, etc...
> >
> > I managed to come up with filters that pull out the events I started
> > with, and they are going into the correct log files. But they
> are ALSO
> > going into /var/log/messages even though I specifically have a
> filter on
> > that one that says not to include samba or sshd events. I'll copy my
> > config file here. Hopefully someone can tell me what I did wrong.
> >
> > Thanks!
> >
> > ---------------------------------------------
> > @version: 3.30
> >
> > @include "scl.conf"
> >
> > options {
> > threaded(yes);
> > chain_hostnames(no);
> > stats_freq(43200);
> > mark_freq(3600);
> > };
> >
> > source src { system(); internal(); };
> >
> > filter samba { program("samba"); };
> > filter ssh_messages { facility("AUTH") and level("INFO"); };
> > filter syslog { not filter("ssh_messages") and not
> filter("samba"); };
> >
> > destination console { file("/dev/tty12"); };
> > destination messages { file("/var/log/messages"); };
> > destination sshd_log { file("/var/log/sshd/sshd.log"); };
> > destination smb_logs { file("/var/log/samba/samba.log"); };
> >
> > log { source(src); destination(smb_logs); filter(samba);
> flags(final); );
> > log { source(src); destination(sshd_log); filter(ssh_messages);
> > flags(final); };
> > log { source(src); destination(console); filter(syslog); };
> > log { source(src); destination(messages); filter(syslog); };
> >
> >
> ______________________________________________________________________________
> > Member info:
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334268377%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o0qw65n1Rc9KGd2UOas8tvmOA9dBVvsk87isPiIU1gs%3D&reserved=0
> <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334268377%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o0qw65n1Rc9KGd2UOas8tvmOA9dBVvsk87isPiIU1gs%3D&reserved=0>
> > Documentation:
> https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SjrFKWzHU16coH4fONh%2FuBCc8TVIGOwMX%2BuDoqCT2a0%3D&reserved=0
> <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SjrFKWzHU16coH4fONh%2FuBCc8TVIGOwMX%2BuDoqCT2a0%3D&reserved=0>
> > FAQ:
> https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cIR67V5%2BBHwG2gChSUHEOceKB5VsEXp%2B%2B3y1BpQYAMc%3D&reserved=0
> <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7CPeter.Kokai%40oneidentity.com%7Cd4c21de7adca458e27e208d8f984a06c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637533695334273367%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cIR67V5%2BBHwG2gChSUHEOceKB5VsEXp%2B%2B3y1BpQYAMc%3D&reserved=0>
> >
> >
> ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
> > Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> <http://www.balabit.com/support/documentation/?product=syslog-ng>
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> <http://www.balabit.com/wiki/syslog-ng-faq>
> >
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> <http://www.balabit.com/support/documentation/?product=syslog-ng>
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> <http://www.balabit.com/wiki/syslog-ng-faq>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20210407/d93ff532/attachment-0001.html>
More information about the syslog-ng
mailing list