[syslog-ng] Syslog-ng not honoring negative flag

Dan Egli dan at newideatest.site
Thu Apr 8 01:23:49 UTC 2021


Looks like there's a bug in the latest version of Thunderbird or 
something, because I see three messages that are incomplete copies of 
what I am about to send. I will look further into that while I wait for 
more advice from you guys.

On 4/7/2021 7:19 PM, Dan Egli wrote:
>
> Those are the only ones I'm seeing in either log. Let me test it a 
> bit, see if startup/shutdown messages occur too.
>
> Not only that, I am seeing samba messages in the sshd log, and I 
> should not. When I do lsof, it seems the samba daemon is writing its 
> own logs, so it's not surprising that there are no errors in that log. 
> But why am I seeing samba messages in sshd.log, and why am I seeing 
> samba and sshd in /var/log/messages?
>
> And if what you say about the security/auth is correct, then something 
> else is screwy here because I ONLY have auth/info listed. NOT 
> authpriv. Frankly, I'd say that it sounds like I need to just change 
> to program("sshd") but I'm not sure if that will fix anything. I'll do 
> that, just to see.
>
> On 4/7/2021 12:48 PM, SZALAY Attila wrote:
>> Hi Dan,
>>
>> The next important question is whether you see all sshd log messages 
>> in /var/log/messages or just some of them. I see two kinds of sshd-
>> related log message:
>>
>> [2021-04-07T12:29:43.875056] Incoming log entry; line='<38>Apr 7 
>> 12:29:43 sshd[30745]: Accepted keyboard-interactive/pam for dan from 
>> XXXX port 40747 ssh2'
>> [2021-04-07T12:29:43.878136] Incoming log entry; line='<86>Apr 7 
>> 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user 
>> dan(uid=1001) by (uid=0)'
>>
>> As the two have different values in <>, at least one of them differs 
>> from auth/info.
>>
>> By the way, <38> is security(4)/info and <86> is security(10)/info. So 
>> both are security/auth messages in some way but still different 
>> facilities (4 and 6), which are called auth(4) and authpriv(10) 
>> within syslog-ng.
>>
>> On Wed, 2021-04-07 at 12:35 -0600, Dan Egli wrote:
>>> Okay. I captured a couple of minutes worth of syslog-ng running. 
>>> It's too big to post (1.5MB) so I put it up on my web server. You 
>>> can see it at: https://www.newideatest.site/syslog-out
>>> On 4/7/2021 12:07 PM, SZIGETVÁRI János wrote:
>>> Hello Dan,
>>>
>>> I believe that Bazsi (Balázs) wasn't really looking for the startup 
>>> messages about the config being parsed, but instead about the 
>>> debug/trace output of the log processing pipeline.
>>> There he would be able to check which filters were run against a 
>>> certain message (its actual content too), and what result those 
>>> filters returned.
>>> I think that's what he's primarily after.
>>>
>>> Best Regards,
>>> János
>>> --
>>> Janos SZIGETVARI
>>> RHCE, License no. 150-053-692 
>>> <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
>>>
>>> LinkedIn: linkedin.com/in/janosszigetvari 
>>> <http://linkedin.com/in/janosszigetvari>
>>> Web: janos.szigetvari.com <https://janos.szigetvari.com>
>>>
>>> __ at __˚V˚
>>> Make the switch to open (source) applications, protocols, formats now:
>>> - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
>>> - msn -> jabber protocol (Pidgin, Google Talk)
>>> - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
>>>
>>>
>>> Dan Egli <dan at newideatest.site> wrote (date: 2021 Apr 7, 
>>> Wed, 20:02):
>>>
>>>> Syslog-ng is NOT complaining about my config at all. I've included 
>>>> the output from the -Fedv below. Other than what I would call 
>>>> "routine" errors in the scl section, no complaints.
>>>>
>>>> ---------------------------------
>>>> [2021-04-07T11:52:21.151347] Processing @include statement; 
>>>> filename='scl.conf', 
>>>> include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
>>>> [2021-04-07T11:52:21.151420] Starting to read include file; 
>>>> filename='/etc/syslog-ng/scl.conf', depth='1'
>>>> [2021-04-07T11:52:21.151596] Module loaded and initialized 
>>>> successfully; module='appmodel'
>>>> [2021-04-07T11:52:21.151612] Processing @include statement; 
>>>> filename='scl/*/*.conf', 
>>>> include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
>>>> [2021-04-07T11:52:21.151782] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151787] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151790] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151792] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151794] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151797] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151799] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
>>>> [2021-04-07T11:52:21.151802] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151804] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151807] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151809] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
>>>> [2021-04-07T11:52:21.151811] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151814] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151816] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
>>>> [2021-04-07T11:52:21.151819] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151821] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151824] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151826] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151906] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151912] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
>>>> [2021-04-07T11:52:21.151915] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151917] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151920] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151922] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151925] Adding include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151933] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.151993] Reading path for candidate modules; 
>>>> path='/usr/lib64/syslog-ng'
>>>> [2021-04-07T11:52:21.152064] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libxml.so', module='xml'
>>>> [2021-04-07T11:52:21.152174] Registering candidate plugin; 
>>>> module='xml', context='parser', name='xml'
>>>> [2021-04-07T11:52:21.152200] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libtags-parser.so', 
>>>> module='tags-parser'
>>>> [2021-04-07T11:52:21.152263] Registering candidate plugin; 
>>>> module='tags-parser', context='parser', name='tags-parser'
>>>> [2021-04-07T11:52:21.152277] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libsystem-source.so', 
>>>> module='system-source'
>>>> [2021-04-07T11:52:21.152336] Registering candidate plugin; 
>>>> module='system-source', context='source', name='system'
>>>> [2021-04-07T11:52:21.152349] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libsyslogformat.so', 
>>>> module='syslogformat'
>>>> [2021-04-07T11:52:21.152414] Registering candidate plugin; 
>>>> module='syslogformat', context='format', name='syslog'
>>>> [2021-04-07T11:52:21.152417] Registering candidate plugin; 
>>>> module='syslogformat', context='parser', name='syslog-parser'
>>>> [2021-04-07T11:52:21.152428] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libstardate.so', 
>>>> module='stardate'
>>>> [2021-04-07T11:52:21.152619] Registering candidate plugin; 
>>>> module='stardate', context='template-func', name='stardate'
>>>> [2021-04-07T11:52:21.152661] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libsecure-logging.so', 
>>>> module='secure-logging'
>>>> [2021-04-07T11:52:21.152746] Registering candidate plugin; 
>>>> module='secure-logging', context='template-func', name='slog'
>>>> [2021-04-07T11:52:21.152760] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libpseudofile.so', 
>>>> module='pseudofile'
>>>> [2021-04-07T11:52:21.152832] Registering candidate plugin; 
>>>> module='pseudofile', context='destination', name='pseudofile'
>>>> [2021-04-07T11:52:21.152904] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libmap-value-pairs.so', 
>>>> module='map-value-pairs'
>>>> [2021-04-07T11:52:21.152989] Registering candidate plugin; 
>>>> module='map-value-pairs', context='parser', name='map_value_pairs'
>>>> [2021-04-07T11:52:21.153005] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', 
>>>> fname='liblinux-kmsg-format.so', module='linux-kmsg-format'
>>>> [2021-04-07T11:52:21.153170] Registering candidate plugin; 
>>>> module='linux-kmsg-format', context='format', name='linux-kmsg'
>>>> [2021-04-07T11:52:21.153191] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libkvformat.so', 
>>>> module='kvformat'
>>>> [2021-04-07T11:52:21.153261] Registering candidate plugin; 
>>>> module='kvformat', context='parser', name='kv-parser'
>>>> [2021-04-07T11:52:21.153265] Registering candidate plugin; 
>>>> module='kvformat', context='parser', name='linux-audit-parser'
>>>> [2021-04-07T11:52:21.153268] Registering candidate plugin; 
>>>> module='kvformat', context='template-func', name='format-welf'
>>>> [2021-04-07T11:52:21.153279] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libhook-commands.so', 
>>>> module='hook-commands'
>>>> [2021-04-07T11:52:21.153339] Registering candidate plugin; 
>>>> module='hook-commands', context='inner-dest', name='hook-commands'
>>>> [2021-04-07T11:52:21.153343] Registering candidate plugin; 
>>>> module='hook-commands', context='inner-src', name='hook-commands'
>>>> [2021-04-07T11:52:21.153355] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libgraphite.so', 
>>>> module='graphite'
>>>> [2021-04-07T11:52:21.153408] Registering candidate plugin; 
>>>> module='graphite', context='template-func', name='graphite_output'
>>>> [2021-04-07T11:52:21.153418] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libtfgetent.so', 
>>>> module='tfgetent'
>>>> [2021-04-07T11:52:21.153468] Registering candidate plugin; 
>>>> module='tfgetent', context='template-func', name='getent'
>>>> [2021-04-07T11:52:21.153479] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libexamples.so', 
>>>> module='examples'
>>>> [2021-04-07T11:52:21.153646] Registering candidate plugin; 
>>>> module='examples', context='source', name='example_msg_generator'
>>>> [2021-04-07T11:52:21.153654] Registering candidate plugin; 
>>>> module='examples', context='source', name='example_random_generator'
>>>> [2021-04-07T11:52:21.153660] Registering candidate plugin; 
>>>> module='examples', context='source', name='example_diskq_source'
>>>> [2021-04-07T11:52:21.153670] Registering candidate plugin; 
>>>> module='examples', context='inner-dest', name='http_test_slots'
>>>> [2021-04-07T11:52:21.153677] Registering candidate plugin; 
>>>> module='examples', context='destination', name='example_destination'
>>>> [2021-04-07T11:52:21.153722] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libdisk-buffer.so', 
>>>> module='disk-buffer'
>>>> [2021-04-07T11:52:21.153825] Registering candidate plugin; 
>>>> module='disk-buffer', context='inner-dest', name='disk_buffer'
>>>> [2021-04-07T11:52:21.153846] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libdbparser.so', 
>>>> module='dbparser'
>>>> [2021-04-07T11:52:21.154065] Registering candidate plugin; 
>>>> module='dbparser', context='parser', name='db-parser'
>>>> [2021-04-07T11:52:21.154076] Registering candidate plugin; 
>>>> module='dbparser', context='parser', name='grouping-by'
>>>> [2021-04-07T11:52:21.154100] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libtimestamp.so', 
>>>> module='timestamp'
>>>> [2021-04-07T11:52:21.154260] Registering candidate plugin; 
>>>> module='timestamp', context='parser', name='date-parser'
>>>> [2021-04-07T11:52:21.154267] Registering candidate plugin; 
>>>> module='timestamp', context='rewrite', name='fix-time-zone'
>>>> [2021-04-07T11:52:21.154270] Registering candidate plugin; 
>>>> module='timestamp', context='rewrite', name='set-time-zone'
>>>> [2021-04-07T11:52:21.154279] Registering candidate plugin; 
>>>> module='timestamp', context='rewrite', name='guess-time-zone'
>>>> [2021-04-07T11:52:21.154296] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libcsvparser.so', 
>>>> module='csvparser'
>>>> [2021-04-07T11:52:21.154366] Registering candidate plugin; 
>>>> module='csvparser', context='parser', name='csv-parser'
>>>> [2021-04-07T11:52:21.154381] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libcryptofuncs.so', 
>>>> module='cryptofuncs'
>>>> [2021-04-07T11:52:21.154452] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='uuid'
>>>> [2021-04-07T11:52:21.154459] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='hash'
>>>> [2021-04-07T11:52:21.154657] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='sha1'
>>>> [2021-04-07T11:52:21.154662] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='sha256'
>>>> [2021-04-07T11:52:21.154665] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='sha512'
>>>> [2021-04-07T11:52:21.154667] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='md4'
>>>> [2021-04-07T11:52:21.154673] Registering candidate plugin; 
>>>> module='cryptofuncs', context='template-func', name='md5'
>>>> [2021-04-07T11:52:21.154689] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libconfgen.so', 
>>>> module='confgen'
>>>> [2021-04-07T11:52:21.154788] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libcef.so', module='cef'
>>>> [2021-04-07T11:52:21.154912] Registering candidate plugin; 
>>>> module='cef', context='template-func', name='format-cef-extension'
>>>> [2021-04-07T11:52:21.154935] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libbasicfuncs.so', 
>>>> module='basicfuncs'
>>>> [2021-04-07T11:52:21.155134] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='grep'
>>>> [2021-04-07T11:52:21.155142] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='if'
>>>> [2021-04-07T11:52:21.155145] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='or'
>>>> [2021-04-07T11:52:21.155148] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='context-lookup'
>>>> [2021-04-07T11:52:21.155150] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='context-length'
>>>> [2021-04-07T11:52:21.155156] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='context-values'
>>>> [2021-04-07T11:52:21.155158] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='echo'
>>>> [2021-04-07T11:52:21.155165] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='length'
>>>> [2021-04-07T11:52:21.155171] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='substr'
>>>> [2021-04-07T11:52:21.155173] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='strip'
>>>> [2021-04-07T11:52:21.155176] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='sanitize'
>>>> [2021-04-07T11:52:21.155178] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='lowercase'
>>>> [2021-04-07T11:52:21.155180] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='uppercase'
>>>> [2021-04-07T11:52:21.155183] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='replace-delimiter'
>>>> [2021-04-07T11:52:21.155185] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='padding'
>>>> [2021-04-07T11:52:21.155201] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='binary'
>>>> [2021-04-07T11:52:21.155204] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='implode'
>>>> [2021-04-07T11:52:21.155207] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='explode'
>>>> [2021-04-07T11:52:21.155209] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='dirname'
>>>> [2021-04-07T11:52:21.155214] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='basename'
>>>> [2021-04-07T11:52:21.155217] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-concat'
>>>> [2021-04-07T11:52:21.155219] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-head'
>>>> [2021-04-07T11:52:21.155222] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-nth'
>>>> [2021-04-07T11:52:21.155224] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-tail'
>>>> [2021-04-07T11:52:21.155227] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-slice'
>>>> [2021-04-07T11:52:21.155230] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-count'
>>>> [2021-04-07T11:52:21.155232] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-append'
>>>> [2021-04-07T11:52:21.155234] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='list-search'
>>>> [2021-04-07T11:52:21.155237] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='+'
>>>> [2021-04-07T11:52:21.155239] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='-'
>>>> [2021-04-07T11:52:21.155241] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='*'
>>>> [2021-04-07T11:52:21.155243] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='/'
>>>> [2021-04-07T11:52:21.155245] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='%'
>>>> [2021-04-07T11:52:21.155248] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='sum'
>>>> [2021-04-07T11:52:21.155255] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='min'
>>>> [2021-04-07T11:52:21.155257] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='max'
>>>> [2021-04-07T11:52:21.155259] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='average'
>>>> [2021-04-07T11:52:21.155261] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='round'
>>>> [2021-04-07T11:52:21.155267] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='ceil'
>>>> [2021-04-07T11:52:21.155272] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='floor'
>>>> [2021-04-07T11:52:21.155275] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='ipv4-to-int'
>>>> [2021-04-07T11:52:21.155277] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='indent-multi-line'
>>>> [2021-04-07T11:52:21.155279] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='dns-resolve-ip'
>>>> [2021-04-07T11:52:21.155281] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='env'
>>>> [2021-04-07T11:52:21.155284] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='template'
>>>> [2021-04-07T11:52:21.155286] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='url-encode'
>>>> [2021-04-07T11:52:21.155288] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='url-decode'
>>>> [2021-04-07T11:52:21.155291] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='base64-encode'
>>>> [2021-04-07T11:52:21.155294] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='iterate'
>>>> [2021-04-07T11:52:21.155297] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='map'
>>>> [2021-04-07T11:52:21.155300] Registering candidate plugin; 
>>>> module='basicfuncs', context='template-func', name='filter'
>>>> [2021-04-07T11:52:21.155330] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', 
>>>> fname='libazure-auth-header.so', module='azure-auth-header'
>>>> [2021-04-07T11:52:21.155422] Registering candidate plugin; 
>>>> module='azure-auth-header', context='inner-dest', 
>>>> name='azure-auth-header'
>>>> [2021-04-07T11:52:21.155440] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libappmodel.so', 
>>>> module='appmodel'
>>>> [2021-04-07T11:52:21.155445] Registering candidate plugin; 
>>>> module='appmodel', context='root', name='application'
>>>> [2021-04-07T11:52:21.155448] Registering candidate plugin; 
>>>> module='appmodel', context='parser', name='app-parser'
>>>> [2021-04-07T11:52:21.155450] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libafuser.so', 
>>>> module='afuser'
>>>> [2021-04-07T11:52:21.155549] Registering candidate plugin; 
>>>> module='afuser', context='destination', name='usertty'
>>>> [2021-04-07T11:52:21.155565] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libafstomp.so', 
>>>> module='afstomp'
>>>> [2021-04-07T11:52:21.155641] Registering candidate plugin; 
>>>> module='afstomp', context='destination', name='stomp'
>>>> [2021-04-07T11:52:21.155653] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libafsocket.so', 
>>>> module='afsocket'
>>>> [2021-04-07T11:52:21.155816] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='unix-stream'
>>>> [2021-04-07T11:52:21.155821] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='unix-stream'
>>>> [2021-04-07T11:52:21.155824] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='unix-dgram'
>>>> [2021-04-07T11:52:21.155827] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='unix-dgram'
>>>> [2021-04-07T11:52:21.155829] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='tcp'
>>>> [2021-04-07T11:52:21.155832] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='tcp'
>>>> [2021-04-07T11:52:21.155834] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='tcp6'
>>>> [2021-04-07T11:52:21.155837] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='tcp6'
>>>> [2021-04-07T11:52:21.155839] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='udp'
>>>> [2021-04-07T11:52:21.155841] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='udp'
>>>> [2021-04-07T11:52:21.155844] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='udp6'
>>>> [2021-04-07T11:52:21.155846] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='udp6'
>>>> [2021-04-07T11:52:21.155857] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='syslog'
>>>> [2021-04-07T11:52:21.155860] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='syslog'
>>>> [2021-04-07T11:52:21.155863] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='network'
>>>> [2021-04-07T11:52:21.155865] Registering candidate plugin; 
>>>> module='afsocket', context='destination', name='network'
>>>> [2021-04-07T11:52:21.155867] Registering candidate plugin; 
>>>> module='afsocket', context='source', name='systemd-syslog'
>>>> [2021-04-07T11:52:21.155886] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libafprog.so', 
>>>> module='afprog'
>>>> [2021-04-07T11:52:21.155979] Registering candidate plugin; 
>>>> module='afprog', context='source', name='program'
>>>> [2021-04-07T11:52:21.155986] Registering candidate plugin; 
>>>> module='afprog', context='destination', name='program'
>>>> [2021-04-07T11:52:21.156000] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', fname='libaffile.so', 
>>>> module='affile'
>>>> [2021-04-07T11:52:21.156140] Registering candidate plugin; 
>>>> module='affile', context='source', name='file'
>>>> [2021-04-07T11:52:21.156176] Registering candidate plugin; 
>>>> module='affile', context='source', name='pipe'
>>>> [2021-04-07T11:52:21.156181] Registering candidate plugin; 
>>>> module='affile', context='source', name='wildcard_file'
>>>> [2021-04-07T11:52:21.156184] Registering candidate plugin; 
>>>> module='affile', context='source', name='stdin'
>>>> [2021-04-07T11:52:21.156187] Registering candidate plugin; 
>>>> module='affile', context='destination', name='file'
>>>> [2021-04-07T11:52:21.156189] Registering candidate plugin; 
>>>> module='affile', context='destination', name='pipe'
>>>> [2021-04-07T11:52:21.156209] Reading shared object for a candidate 
>>>> module; path='/usr/lib64/syslog-ng', 
>>>> fname='libadd-contextual-data.so', module='add-contextual-data'
>>>> [2021-04-07T11:52:21.156308] Registering candidate plugin; 
>>>> module='add-contextual-data', context='parser', 
>>>> name='add_contextual_data'
>>>> [2021-04-07T11:52:21.156434] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/apache/apache.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156450] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156674] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/checkpoint/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156687] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156832] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/cisco/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156841] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156931] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/collectd/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.156943] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157022] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157029] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157074] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157078] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
>>>> [2021-04-07T11:52:21.157107] Included file was skipped because of a 
>>>> missing module; module='mod-java', 
>>>> location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1'
>>>> [2021-04-07T11:52:21.157109] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
>>>> [2021-04-07T11:52:21.157114] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157173] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157179] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157232] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157236] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157262] Included file was skipped because of a 
>>>> missing module; module='mod-java', 
>>>> location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1'
>>>> [2021-04-07T11:52:21.157264] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157269] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
>>>> [2021-04-07T11:52:21.157309] Global value changed; 
>>>> define='kafka-implementation', value='kafka-java'
>>>> [2021-04-07T11:52:21.157328] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
>>>> [2021-04-07T11:52:21.157336] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157375] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157379] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157493] Module loaded and initialized 
>>>> successfully; module='confgen'
>>>> [2021-04-07T11:52:21.157512] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157519] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
>>>> [2021-04-07T11:52:21.157559] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
>>>> [2021-04-07T11:52:21.157565] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157597] Included file was skipped because of a 
>>>> missing module; module='pacctformat', 
>>>> location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1'
>>>> [2021-04-07T11:52:21.157600] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157605] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157905] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157919] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157969] Global value changed; 
>>>> define='balabit.credit-card-regexp', 
>>>> value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})'
>>>> [2021-04-07T11:52:21.157998] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158007] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158073] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158079] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158120] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158131] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
>>>> [2021-04-07T11:52:21.161593] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
>>>> [2021-04-07T11:52:21.161620] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161724] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161729] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161803] Module loaded and initialized 
>>>> successfully; module='confgen'
>>>> [2021-04-07T11:52:21.161808] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161815] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161853] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161860] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161951] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161964] Starting to read include file; 
>>>> filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.162008] Finishing include; 
>>>> filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf', 
>>>> depth='2'
>>>> [2021-04-07T11:52:21.162024] Global value changed; 
>>>> define='java-module-dir', value='/usr/lib64/syslog-ng/java-modules'
>>>> [2021-04-07T11:52:21.162028] Finishing include; 
>>>> filename='/etc/syslog-ng/scl.conf', depth='1'
>>>> [2021-04-07T11:52:21.162157] Module loaded and initialized 
>>>> successfully; module='system-source'
>>>> [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log 
>>>> device; device='/dev/kmsg', format='linux-kmsg'
>>>> [2021-04-07T11:52:21.162403] Module loaded and initialized 
>>>> successfully; module='afsocket'
>>>> [2021-04-07T11:52:21.162936] Module loaded and initialized 
>>>> successfully; module='affile'
>>>> [2021-04-07T11:52:21.163175] Module loaded and initialized 
>>>> successfully; module='kvformat'
>>>> [2021-04-07T11:52:21.163192] Finishing include; content='block 
>>>> parser iptables-parser() at 
>>>> /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23', depth='3'
>>>> [2021-04-07T11:52:21.163568] Module loaded and initialized 
>>>> successfully; module='csvparser'
>>>> [2021-04-07T11:52:21.164457] Finishing include; content='block 
>>>> parser panos-parser() at 
>>>> /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29', depth='3'
>>>> [2021-04-07T11:52:21.164880] Module loaded and initialized 
>>>> successfully; module='basicfuncs'
>>>> [2021-04-07T11:52:21.164936] Finishing include; content='block 
>>>> parser sudo-parser() at 
>>>> /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23', depth='3'
>>>> [2021-04-07T11:52:21.164995] Finishing include; content='parser 
>>>> generator app-parser', depth='2'
>>>> [2021-04-07T11:52:21.165016] Finishing include; content='source 
>>>> generator system', depth='1'
>>>> [2021-04-07T11:52:21.165525] Module loaded and initialized 
>>>> successfully; module='syslogformat'
>>>> [2021-04-07T11:52:21.165711] Module loaded and initialized 
>>>> successfully; module='linux-kmsg-format'
>>>> [2021-04-07T11:52:21.165966] Running application hooks; hook='1'
>>>> [2021-04-07T11:52:21.165971] Running application hooks; hook='6'
>>>> [2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1'
>>>> [2021-04-07T11:52:21.165989] Running application hooks; hook='2'
>>>> [2021-04-07T11:52:39.961046] Running application hooks; hook='3'
>>>> [2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1'
>>>> [2021-04-07T11:52:40.061679] Running application hooks; hook='4'
>>>> -----------------------------------------------------------------------------
>>>>
>>>> On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
>>>>
>>>>> can you start syslog-ng in the foreground and look at the startup 
>>>>> messages?
>>>>>
>>>>> e.g. stop the background process (via systemd or your init 
>>>>> system), and run syslog-ng from a root prompt:
>>>>>
>>>>> # /usr/sbin/syslog-ng -Fedv
>>>>>
>>>>> This should start syslog-ng in the foreground (-F), direct 
>>>>> internal messages to stderr (-e), and enable debug/verbose 
>>>>> messages. Then look at the messages to see if syslog-ng is 
>>>>> complaining about your configuration or not.
>>>>>
>>>>> Cheers,
>>>>> Bazsi
>>>>>
>>>>>
>>>>> On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan at newideatest.site> wrote:
>>>>>
>>>>>> Don't know how that slipped in there. And syslog-ng never 
>>>>>> mentioned it. It's fixed now, and the behavior is unchanged. sshd 
>>>>>> messages still appear in /var/log/messages.
>>>>>>
>>>>>>
>>>>>> On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 7, 2021, 08:06 Dan Egli <dan at newideatest.site> wrote:
>>>>>>>
>>>>>>>> No joy. I tried swapping it different ways.
>>>>>>>>
>>>>>>>> filter -> source -> destination = combined
>>>>>>>> source -> filter -> destination = combined
>>>>>>>>
>>>>>>>> Here's what my config looks like now, after the second variant:
>>>>>>>>
>>>>>>>> @version: 3.30
>>>>>>>>
>>>>>>>> @include "scl.conf"
>>>>>>>>
>>>>>>>> options {
>>>>>>>>      threaded(yes);
>>>>>>>>      chain_hostnames(no);
>>>>>>>>      stats_freq(43200);
>>>>>>>>      mark_freq(3600);
>>>>>>>> };
>>>>>>>>
>>>>>>>> source src { system(); internal(); };
>>>>>>>>
>>>>>>>> filter samba { program("samba"); };
>>>>>>>> filter ssh_messages { facility("AUTH") and level("INFO"); };
>>>>>>>> filter syslog { not filter("ssh_messages") and not 
>>>>>>>> filter("samba"); };
>>>>>>>>
>>>>>>>> destination console { file("/dev/tty12"); };
>>>>>>>> destination messages { file("/var/log/messages"); };
>>>>>>>> destination sshd_log { file("/var/log/sshd/sshd.log"); };
>>>>>>>> destination smb_logs { file("/var/log/samba/samba.log"); };
>>>>>>>>
>>>>>>>> log { source(src); filter(samba); destination(smb_logs); 
>>>>>>>> flags(final); );
>>>>>>>>
>>>>>>>
>>>>>>> You are using a closing paren instead of a brace. This config 
>>>>>>> has a syntax error. Possibly syslog-ng fell back to the 
>>>>>>> original config, once it reported a syntax error.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> log { source(src); filter(ssh_messages); destination(sshd_log);
>>>>>>>> flags(final); };
>>>>>>>> log { source(src); filter(syslog); destination(console); };
>>>>>>>> log { source(src); filter(syslog); destination(messages); };
>>>>>>>>
>>>>>>>>
>>>>>>>> Still, sshd messages are appearing in /var/log/messages.
>>>>>>>>
>>>>>>>> On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
>>>>>>>> > Hello,
>>>>>>>> >
>>>>>>>> > The order in the configuration matters.
>>>>>>>> > log { source(src); destination(console); filter(syslog); };
>>>>>>>> > The message flow is the following in your example: source(src) 
>>>>>>>> > -> destination(console) -> filter(syslog) -> void
>>>>>>>> > The filter receives messages only after the destination; if you 
>>>>>>>> > switch filter and destination it should be fine.
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > kokan
>>>>>>>> >
>>>>>>>> > ________________________________________
>>>>>>>> > From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Dan Egli <dan at newideatest.site>
>>>>>>>> > Sent: 07 April 2021 07:17
>>>>>>>> > To: syslog-ng at lists.balabit.hu
>>>>>>>> > Subject: [syslog-ng] Syslog-ng not honoring negative flag
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > I'm having a bit of a problem and hope someone here can help. I'm trying 
>>>>>>>> > to separate individual items into specific logs, i.e. ssh events in 
>>>>>>>> > sshd.log, samba messages in samba.log, etc...
>>>>>>>> >
>>>>>>>> > I managed to come up with filters that pull out the events I started 
>>>>>>>> > with, and they are going into the correct log files. But they are ALSO 
>>>>>>>> > going into /var/log/messages even though I specifically have a filter on 
>>>>>>>> > that one that says not to include samba or sshd events. I'll copy my 
>>>>>>>> > config file here. Hopefully someone can tell me what I did wrong.
>>>>>>>> >
>>>>>>>> > Thanks!
>>>>>>>> >
>>>>>>>> > ---------------------------------------------
>>>>>>>> > @version: 3.30
>>>>>>>> >
>>>>>>>> > @include "scl.conf"
>>>>>>>> >
>>>>>>>> > options {
>>>>>>>> >       threaded(yes);
>>>>>>>> >       chain_hostnames(no);
>>>>>>>> >       stats_freq(43200);
>>>>>>>> >       mark_freq(3600);
>>>>>>>> > };
>>>>>>>> >
>>>>>>>> > source src { system(); internal(); };
>>>>>>>> >
>>>>>>>> > filter samba { program("samba"); };
>>>>>>>> > filter ssh_messages { facility("AUTH") and level("INFO"); };
>>>>>>>> > filter syslog { not filter("ssh_messages") and not 
>>>>>>>> filter("samba"); };
>>>>>>>> >
>>>>>>>> > destination console { file("/dev/tty12"); };
>>>>>>>> > destination messages { file("/var/log/messages"); };
>>>>>>>> > destination sshd_log { file("/var/log/sshd/sshd.log"); };
>>>>>>>> > destination smb_logs { file("/var/log/samba/samba.log"); };
>>>>>>>> >
>>>>>>>> > log { source(src); destination(smb_logs); filter(samba); 
>>>>>>>> flags(final); );
>>>>>>>> > log { source(src); destination(sshd_log); filter(ssh_messages);
>>>>>>>> > flags(final); };
>>>>>>>> > log { source(src); destination(console); filter(syslog); };
>>>>>>>> > log { source(src); destination(messages); filter(syslog); };
>>>>>>>> >
>>>>>>>> > ______________________________________________________________________________
>>>>>>>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>>> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>>>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Bazsi
>>>>
>>>>
>>>
>>>
>>
>>
>>
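The following is an added example for the thread above; it is not syslog-ng's own code and was not posted by any participant. It is a small Python model of how syslog-ng walks the log statements of the configuration quoted above, element by element in the order they are written. It shows three things at once: a destination() placed before a filter() receives every message, because the filter only runs afterwards; flags(final) stops later log paths only when the whole path matched; and facility("AUTH") and level("INFO") selects facility 4 (auth) only, so an sshd line emitted at authpriv (facility 10) fails that filter, satisfies the syslog filter, and lands in /var/log/messages even with the corrected ordering. The PRI arithmetic (facility*8 + severity) is the RFC 3164/5424 rule; the sample lines, the user and address in them, and the smbd program name are constructed assumptions, not data taken from the thread, and the filter semantics are a simplified model rather than syslog-ng's implementation.

```python
"""Model of syslog-ng log-path evaluation (added example, not syslog-ng code).
Walks each log statement element by element in the order written, honours
flags(final), and decodes the syslog PRI (facility*8 + severity, RFC 3164/5424).
Sample lines and the 'smbd' program name are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Facility numbers per RFC 3164/5424; 12-15 have vendor-specific names and are
# rendered generically. Severity 6 is "info".
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# '<PRI>Mon dd hh:mm:ss program[pid]: text' as delivered on a local log socket.
BSD_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+?)(?:\[(\d+)\])?: (.*)$")


@dataclass(frozen=True)
class Message:
    facility: str
    level: str
    program: str
    text: str


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return FACILITIES.get(fac, f"facility{fac}"), SEVERITIES[sev]


def parse_bsd(line: str) -> Message:
    """Parse one BSD-style line into a Message; raise on anything else."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fac, sev = decode_pri(int(m.group(1)))
    return Message(fac, sev, m.group(3), m.group(5))


# Filters modelled after the syslog-ng ones in the thread: facility()/level()
# names are case-insensitive, program() is an unanchored regular expression.
def facility(name): return lambda m: m.facility == name.lower()
def level(name): return lambda m: m.level == name.lower()
def program(regex): return lambda m: re.search(regex, m.program) is not None

samba = program("samba")
ssh_messages = lambda m: facility("AUTH")(m) and level("INFO")(m)
syslog = lambda m: not ssh_messages(m) and not samba(m)

# A log statement: ("filter", predicate) / ("destination", name) elements in
# the order written, plus its final flag.
LogPath = Tuple[List[Tuple[str, object]], bool]


def route(msg: Message, paths: List[LogPath]) -> Dict[str, List[str]]:
    """Return {destination: [texts]} after walking every log path in order."""
    delivered: Dict[str, List[str]] = {}
    for elements, final in paths:
        matched = True
        for kind, arg in elements:
            if kind == "filter" and not arg(msg):
                matched = False        # dropped from this path from here on
                break
            if kind == "destination":  # fires before any filter written after it
                delivered.setdefault(arg, []).append(msg.text)
        if matched and final:          # flags(final) acts only on a full match
            break
    return delivered


ORIGINAL_ORDER: List[LogPath] = [  # destination() written before filter()
    ([("destination", "smb_logs"), ("filter", samba)], True),
    ([("destination", "sshd_log"), ("filter", ssh_messages)], True),
    ([("destination", "console"), ("filter", syslog)], False),
    ([("destination", "messages"), ("filter", syslog)], False),
]
FILTER_FIRST: List[LogPath] = [  # filter() written before destination()
    ([("filter", samba), ("destination", "smb_logs")], True),
    ([("filter", ssh_messages), ("destination", "sshd_log")], True),
    ([("filter", syslog), ("destination", "console")], False),
    ([("filter", syslog), ("destination", "messages")], False),
]

# Constructed samples: an sshd login at auth.info (<38>), its PAM session line
# at authpriv.info (<86>), and an smbd line at auth.info (program name assumed).
SAMPLES = [
    "<38>Apr  7 12:29:43 sshd[30745]: Accepted publickey for alice from 192.0.2.10 port 40747 ssh2",
    "<86>Apr  7 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user alice",
    "<38>Apr  7 12:30:01 smbd[4242]: constructed samba line logged at auth.info",
]


def destinations_for(line: str, paths: List[LogPath]) -> List[str]:
    """Sorted destinations a line reaches under the given log statements."""
    return sorted(route(parse_bsd(line), paths))


if __name__ == "__main__":
    for line in SAMPLES:
        print(line[:36], destinations_for(line, ORIGINAL_ORDER), destinations_for(line, FILTER_FIRST))
```

Running it prints, for each constructed line, the destinations reached with destination() before filter() and with filter() first. The <38> sshd line reaches only sshd_log once the order is fixed, but the <86> line reaches console and messages under both orders, which is the behaviour the thread is chasing: a filter on facility("AUTH") says nothing about authpriv. The smbd sample shows the mirror image, any program logging at auth.info is swept into the sshd log, while program("samba") never matches the program name smbd.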