[syslog-ng] Try again: What's wrong with my config?

Dan Egli dan at newideatest.site
Tue Apr 13 08:34:49 UTC 2021


It was spelled wrong in the config file. I don't know how I missed that. 
Thanks for pointing it out. I missed Fabien's message. I've fixed the 
config and will let it run for a few hours to test if that fixed everything.


On 4/13/2021 1:19 AM, Laszlo Szemere (lszemere) wrote:
> Hello Dan,
>
> Just before the list went down Fabien Wernli<wernli at in2p3.fr> replied 
> to your message, pointing out that the "sshd" program name was 
> misspelled in your configuration to "ss*d*hd". Can you check please, 
> if that was only a typo in your email to the list, or your original 
> configuration is affected too?
>
> Br,
> Laci
>
> ------------------------------------------------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of 
> Dan Egli <dan at newideatest.site>
> *Sent:* Tuesday, April 13, 2021 09:14
> *To:* Syslog-ng users' and developers' mailing list 
> <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Try again: What's wrong with my config?
>
> Okay. I'm completely stumped on this, and just before the list went 
> down I was hoping someone could help me with this.
>
> I'm trying to break everything out of the monolithic /var/log/messages 
> and place each service in its own log file. To that extent, I created 
> the following config file:
>
> syslog-ng config:
>
> @version: 3.30
>
> @include "scl.conf"
>
> options {
> 	threaded(yes);
> 	chain_hostnames(no);
>
> 	stats_freq(43200);
> 	mark_freq(3600);
> };
>
> source src { system(); internal(); };
> filter samba { program("samba") or program("nmbd") or program("smbd"); };
> filter sshd { program("ssdhd"); };
> filter syslog { not filter(sshd) and not filter(samba); };
> destination console { file("/dev/tty12"); };
> destination messages { file("/var/log/messages"); };
> destination sshd_log { file("/var/log/sshd/sshd.log"); };
>
> log { source(src); filter(sshd);   destination(sshd_log); flags(final); };
> log { source(src); filter(syslog); destination(console); };
> log { source(src); filter(syslog); destination(messages); };
>
>
> So, as I understand the logic, the three log { } lines do this:
> log { source(src); filter(sshd);   destination(sshd_log); flags(final); };   Anything from sshd gets written to /var/log/sshd/sshd.log. Nothing else goes here.
> log { source(src); filter(syslog); destination(console); };                  Anything that is not from sshd, not from smbd, not from samba and not from nmbd goes to the /dev/tty12 device.
> log { source(src); filter(syslog); destination(messages); };                 Likewise for /var/log/messages.
>
>
> Is my understanding correct? If so, WHY do I see ssh log entries in /var/log/messages? And how do I stop it!? sshd messages should ONLY show up in /etc/sshd/sshd.log.
>
> jupiter ~ # grep sshd /var/log/messages | head -n 2
> Apr 13 00:00:50 jupiter sshd[14721]: Received disconnect from <IP> port 18726:11:  [preauth]
> Apr 13 00:00:50 jupiter sshd[14721]: Disconnected from <IP> port 18726 [preauth]
>
> Thanks!
>   
>
>
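The mistake in the quoted thread is a single misspelled program name, and it is invisible in the config itself: filter(sshd) never matches, so the flags(final) path never fires and every sshd line falls through to the filter(syslog) paths. The following Python script is an added example, not code from the thread or from syslog-ng. It copies the filter/destination/log lines quoted above (typo included), runs a few constructed log lines through a small simulation of the log {} paths, and cross-checks the program("...") names in the filters against the program names actually present in the sample so that a near-miss such as "ssdhd" versus "sshd" is flagged. The evaluator understands only program(), filter(), and/or/not, parentheses and flags(final), and compares program names by exact string equality, which is a simplification: syslog-ng treats program() patterns as regular expressions.

```python
"""Added example: simulate syslog-ng log {} routing for the thread's config and
lint its program() filter names against a log sample (not syslog-ng's own code)."""
import re
from difflib import get_close_matches

# Relevant part of the config quoted in the thread, "ssdhd" typo included.
CONFIG = r'''
source src { system(); internal(); };
filter samba { program("samba") or program("nmbd") or program("smbd"); };
filter sshd { program("ssdhd"); };
filter syslog { not filter(sshd) and not filter(samba); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };

log { source(src); filter(sshd);   destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
'''

# Constructed log lines shaped like the ones quoted in the thread
# (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = [
    "Apr 13 00:00:50 jupiter sshd[14721]: Received disconnect from 192.0.2.10 port 18726:11:  [preauth]",
    "Apr 13 00:00:50 jupiter sshd[14721]: Disconnected from 192.0.2.10 port 18726 [preauth]",
    "Apr 13 00:01:02 jupiter smbd[1010]: connection from 192.0.2.20",
    "Apr 13 00:01:05 jupiter cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
]

FILTER_RE = re.compile(r'filter\s+(\w+)\s*\{(.*?)\};', re.S)
LOG_RE = re.compile(r'^\s*log\s*\{(.*?)\};', re.S | re.M)   # anchored so "syslog {" is not a log {}
SYSLOG_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^\s\[:]+)(?:\[\d+\])?:')
TOKEN_RE = re.compile(r'program\("([^"]*)"\)|filter\((\w+)\)|[()]|\b(?:and|or|not)\b')


def parse_filters(config):
    """Map filter name -> filter body, e.g. {'sshd': ' program("ssdhd"); '}."""
    return dict(FILTER_RE.findall(config))


def program_name(line):
    """PROGRAM field of a BSD-syslog style line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.group(1) if m else None


def tokenize(body):
    toks = []
    for m in TOKEN_RE.finditer(body):
        if m.group(1) is not None:
            toks.append(('prog', m.group(1)))
        elif m.group(2) is not None:
            toks.append(('ref', m.group(2)))
        else:
            toks.append((m.group(0), None))
    return toks


def eval_filter(name, filters, program):
    """Recursive-descent evaluation of one filter; precedence: not > and > or."""
    toks, pos = tokenize(filters[name]), 0

    def peek():
        return toks[pos][0] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def parse_or():
        v = parse_and()
        while peek() == 'or':
            take()
            v = parse_and() or v
        return v

    def parse_and():
        v = parse_not()
        while peek() == 'and':
            take()
            v = parse_not() and v
        return v

    def parse_not():
        if peek() == 'not':
            take()
            return not parse_not()
        kind, arg = take()
        if kind == '(':
            v = parse_or()
            take()                       # consume the closing ')'
            return v
        if kind == 'prog':
            return program == arg        # simplification: exact match, not regex
        if kind == 'ref':
            return eval_filter(arg, filters, program)
        raise ValueError(f'unexpected token {kind!r} in filter {name}')

    return parse_or()


def route(config, line):
    """Destinations the line reaches, in log {} order; a matching path with
    flags(final) stops further processing."""
    filters, prog, reached = parse_filters(config), program_name(line), []
    for body in LOG_RE.findall(config):
        needed = re.findall(r'filter\((\w+)\)', body)
        if all(eval_filter(f, filters, prog) for f in needed):
            reached.extend(re.findall(r'destination\((\w+)\)', body))
            if re.search(r'flags\([^)]*\bfinal\b', body):
                break
    return reached


def lint(config, lines):
    """Programs seen in the logs that no filter claims, plus claimed names that
    never occur but closely resemble a name that does (likely typos)."""
    claimed = set()
    for body in parse_filters(config).values():
        claimed.update(re.findall(r'program\("([^"]*)"\)', body))
    seen = {p for p in map(program_name, lines) if p}
    suspect = {}
    for name in claimed - seen:
        close = get_close_matches(name, sorted(seen), n=1, cutoff=0.8)
        if close:
            suspect[name] = close[0]
    return {'unclaimed': sorted(seen - claimed), 'suspect': suspect}


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(f'{program_name(line):>5} -> {route(CONFIG, line)}')
    print(lint(CONFIG, SAMPLE_LOG))
    print('after fixing the typo:', route(CONFIG.replace('"ssdhd"', '"sshd"'), SAMPLE_LOG[0]))
```

With the config as quoted, the sshd sample lines are routed to console and messages (the leak Dan observed) and the lint reports "ssdhd" as a likely misspelling of "sshd"; replacing the name sends them to sshd_log only, because the final flag now stops the walk after the first path. The simulation also shows that smbd lines reach no destination at all with this config, since the samba filter is only ever used negated and no log {} path routes it anywhere.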

