[syslog-ng] Syslog-ng not honoring negative flag

Balazs Scheidler bazsi77 at gmail.com
Wed Apr 7 10:51:24 UTC 2021


can you start syslog-ng in the foreground and look at the startup messages?

e.g. stop the background process (via systemd or your init system), and run
syslog-ng from a root prompt:

# /usr/sbin/syslog-ng -Fedv

This should start syslog-ng in the foreground (-F), direct internal
messages to stderr (-e), and enable debug/verbose messages. Then look at
the messages to see if syslog-ng is complaining about your configuration or
not.

Cheers,
Bazsi


On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan at newideatest.site> wrote:

> Don't know how that slipped in there. And syslog-ng never mentioned it.
> It's fixed now, and the behavior is unchanged. sshd messages still appear
> in /var/log/messages.
>
>
> On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
>
>
>
> On Wed, Apr 7, 2021, 08:06 Dan Egli <dan at newideatest.site>
> <dan at newideatest.site> wrote:
>
>> No joy. I tried swapping it different ways.
>>
>> filter -> source -> destination = combined
>> source -> filter -> destination = combined
>>
>> Here's what my config looks like now, after the second variant:
>>
>> @version: 3.30
>>
>> @include "scl.conf"
>>
>> options {
>>      threaded(yes);
>>      chain_hostnames(no);
>>      stats_freq(43200);
>>      mark_freq(3600);
>> };
>>
>> source src { system(); internal(); };
>>
>> filter samba { program("samba"); };
>> filter ssh_messages { facility("AUTH") and level("INFO"); };
>> filter syslog { not filter("ssh_messages") and not filter("samba"); };
>>
>> destination console { file("/dev/tty12"); };
>> destination messages { file("/var/log/messages"); };
>> destination sshd_log { file("/var/log/sshd/sshd.log"); };
>> destination smb_logs { file("/var/log/samba/samba.log"); };
>>
>> log { source(src); filter(samba); destination(smb_logs); flags(final); );
>>
>
> You are using a closing paren instead of a brace. This config has a syntax
> error. Possibly syslog-ng fell back to the original config, once it
> reported a syntax error.
>
>
>> log { source(src); filter(ssh_messages); destination(sshd_log);
>> flags(final); };
>> log { source(src); filter(syslog); destination(console); };
>> log { source(src); filter(syslog); destination(messages); };
>>
>>
>> Still, sshd messages are appearing in /var/log/messages.
>>
>> On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
>> > Hello,
>> >
>> > The order in the configuration matters.
>> > log { source(src); destination(console); filter(syslog); };
>> > The message flow is the following in your example: source(src) ->
>> > destination(console) -> filter(syslog) -> void
>> > The filter receives messages only after destination; if you switch
>> > filter and destination it should be fine.
>> >
>> > --
>> > kokan
>> >
>> > ________________________________________
>> > From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Dan
>> Egli <dan at newideatest.site> <dan at newideatest.site>
>> > Sent: 07 April 2021 07:17
>> > To: syslog-ng at lists.balabit.hu
>> > Subject: [syslog-ng] Syslog-ng not honoring negative flag
>> >
>> >
>> >
>> > I'm having a bit of a problem and hope someone here can help. I'm trying
>> > to separate individual items into specific logs, i.e. ssh events in
>> > sshd.log, samba messages in samba.log, etc...
>> >
>> > I managed to come up with filters that pull out the events I started
>> > with, and they are going into the correct log files. But they are ALSO
>> > going into /var/log/messages even though I specifically have a filter on
>> > that one that says not to include samba or sshd events. I'll copy my
>> > config file here. Hopefully someone can tell me what I did wrong.
>> >
>> > Thanks!
>> >
>> > ---------------------------------------------
>> > @version: 3.30
>> >
>> > @include "scl.conf"
>> >
>> > options {
>> >       threaded(yes);
>> >       chain_hostnames(no);
>> >       stats_freq(43200);
>> >       mark_freq(3600);
>> > };
>> >
>> > source src { system(); internal(); };
>> >
>> > filter samba { program("samba"); };
>> > filter ssh_messages { facility("AUTH") and level("INFO"); };
>> > filter syslog { not filter("ssh_messages") and not filter("samba"); };
>> >
>> > destination console { file("/dev/tty12"); };
>> > destination messages { file("/var/log/messages"); };
>> > destination sshd_log { file("/var/log/sshd/sshd.log"); };
>> > destination smb_logs { file("/var/log/samba/samba.log"); };
>> >
>> > log { source(src); destination(smb_logs); filter(samba); flags(final);
>> );
>> > log { source(src); destination(sshd_log); filter(ssh_messages);
>> > flags(final); };
>> > log { source(src); destination(console); filter(syslog); };
>> > log { source(src); destination(messages); filter(syslog); };
>> >
>> >
>> ______________________________________________________________________________
>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> > Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>> >

-- 
Bazsi
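An added example, not from this thread or from the syslog-ng project: a small Python model of the log path rule Peter describes (elements are handed the message in the order they are written, so a destination placed before a filter receives everything) together with flags(final) as the poster's config uses it. The message fields, the predicate versions of the three filters and the path tables are assumptions built from the config quoted above; real syslog-ng matching is richer than this.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    program: str
    facility: str
    level: str


# The poster's three filters as predicates (assumed: facility and level are
# compared as lowercase strings, program is compared exactly).
def f_samba(m): return m.program == "samba"
def f_ssh(m): return m.facility == "auth" and m.level == "info"
def f_syslog(m): return not f_ssh(m) and not f_samba(m)
FILTERS = {"samba": f_samba, "ssh_messages": f_ssh, "syslog": f_syslog}

# A log path is (list of (kind, name) elements, final flag), with the elements
# in the order written in the config. WRONG_PATHS mirrors the original post
# (destination before filter); FIXED_PATHS is the same with the order swapped.
WRONG_PATHS = [
    ([("destination", "smb_logs"), ("filter", "samba")], True),
    ([("destination", "sshd_log"), ("filter", "ssh_messages")], True),
    ([("destination", "console"), ("filter", "syslog")], False),
    ([("destination", "messages"), ("filter", "syslog")], False),
]
FIXED_PATHS = [(list(reversed(els)), final) for els, final in WRONG_PATHS]


def route(paths, msg):
    """Return the destinations that receive msg, in delivery order."""
    delivered = []
    for elements, final in paths:
        matched = True
        for kind, name in elements:
            if kind == "destination":
                delivered.append(name)   # reached before any later filter ran
            elif kind == "filter" and not FILTERS[name](msg):
                matched = False          # rest of this path is skipped
                break
        if matched and final:
            break                        # flags(final): later paths never see msg
    return delivered


if __name__ == "__main__":
    sshd = Msg("sshd", "auth", "info")   # constructed sample message
    print(route(WRONG_PATHS, sshd))      # ['smb_logs', 'sshd_log']
    print(route(FIXED_PATHS, sshd))      # ['sshd_log']
```

With the filters ahead of the destinations, a kernel message (facility kern) still reaches both console and /var/log/messages, while sshd and samba messages stop at their own files because of flags(final).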