[syslog-ng] Try again: What's wrong with my config?

Dan Egli dan at newideatest.site
Tue Apr 13 07:14:08 UTC 2021


Okay. I'm completely stumped on this, and just before the list went down 
I was hoping someone could help me with this.

I'm trying to break everything out of the monolithic /var/log/messages 
and place each service in it's own log file. To that extent, I created 
the following config file:

syslog-ng config:

@version: 3.30

@include "scl.conf"

options {
	threaded(yes);
	chain_hostnames(no);

	stats_freq(43200);
	mark_freq(3600);
};

source src { system(); internal(); };
filter samba { program("samba") or program("nmbd") or program("smbd"); };
filter sshd { program("ssdhd"); };
filter syslog { not filter(sshd) and not filter(samba); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };

log { source(src); filter(sshd);   destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };


so, as I understand the logic. The three log { } lines do this:
log { source(src); filter(sshd);   destination(sshd_log); flags(final); };       Anything from sshd gets written to the /var/log/sshd/sshd.log. Nothing else goes here.
log { source(src); filter(syslog); destination(console); };			Anything that is not from sshd, not from smbd, not from sabma and not from nmbd goes to the /dev/tty12 device
log { source(src); filter(syslog); destination(messages); };			likewises for /var/log/messages.


Is my understanding correct? If so, WHY do I see ssh log entries in /var/log/messages? And how do I stop it!? sshd messages should ONLY show up in /etc/sshd/sshd.log.

jupiter ~ # grep sshd /var/log/messages | head -n 2
Apr 13 00:00:50 jupiter sshd[14721]: Received disconnect from <IP> port 18726:11:  [preauth]
Apr 13 00:00:50 jupiter sshd[14721]: Disconnected from <IP> port 18726 [preauth]

Thanks!
  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20210413/bcfb2e94/attachment.html>


More information about the syslog-ng mailing list