Package: syslog-ng
Version: 1.9.11-1
Severity: normal

Hi,

I have a complex filter for output to xconsole and its mirror file. This filter has worked for me until syslog-ng version 1.6.8, but starting with the 1.9.x versions it no longer works correctly.

The problem is that output sent to syslog-ng at facility.priority of local2.{info,notice} no longer goes to xconsole and its log file; instead it just disappears.

I have set up a template to mark all of the output with facility.priority of local2.*, so that it is clear that the missing output to xconsole was in fact generated by pppd.

This is the local2.* output from June 11:

Jun 11 12:50:07 l1 local2.notice pppd[9397]: pppd 2.4.4b1 started by jeff, uid 1001
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (BUSY)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (DELAYED)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (ERROR)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (NO\sANSWER)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (NO\sCARRIER)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (NO\sDIALTONE)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (NO\sDIAL\sTONE)
Jun 11 12:50:08 l1 local2.info chat[9414]: abort on (VOICE)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (BUSY)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (DELAYED)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (ERROR)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (NO\sANSWER)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (NO\sCARRIER)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (NO\sDIALTONE)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (NO\sDIAL\sTONE)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (VOICE)
Jun 11 12:50:08 l1 local2.info chat[9414]: report (CONNECT)
Jun 11 12:50:08 l1 local2.info chat[9414]: timeout set to 60 seconds
Jun 11 12:50:08 l1 local2.info chat[9414]: send (ATZ^M)
Jun 11 12:50:08 l1 local2.info chat[9414]: expect (OK)
Jun 11 12:50:09 l1 local2.info chat[9414]: ATZ^M^M
Jun 11 12:50:09 l1 local2.info chat[9414]: OK
Jun 11 12:50:09 l1 local2.info chat[9414]: -- got it
Jun 11 12:50:09 l1 local2.info chat[9414]: send (ATDT17189069892^M)
Jun 11 12:50:09 l1 local2.info chat[9414]: expect (CONNECT)
Jun 11 12:50:09 l1 local2.info chat[9414]: ^M
Jun 11 12:50:42 l1 local2.info chat[9414]: ATDT17189069892^M^M
Jun 11 12:50:42 l1 local2.info chat[9414]: CONNECT
Jun 11 12:50:42 l1 local2.info chat[9414]: -- got it
Jun 11 12:50:42 l1 local2.info chat[9414]: send (\d)
Jun 11 12:50:43 l1 local2.info pppd[9397]: Serial connection established.
Jun 11 12:50:44 l1 local2.debug pppd[9397]: using channel 1
Jun 11 12:50:44 l1 local2.info pppd[9397]: Using interface ppp0
Jun 11 12:50:44 l1 local2.notice pppd[9397]: Connect: ppp0 <--> /dev/modem
Jun 11 12:50:45 l1 local2.debug pppd[9397]: sent [LCP ConfReq id=0x1 <mru 542> <asyncmap 0x0> <magic 0x61f67e06> <pcomp> <accomp>]
Jun 11 12:50:45 l1 local2.debug pppd[9397]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x233d5b2f> <pcomp> <accomp> <auth pap>]
Jun 11 12:50:45 l1 local2.debug pppd[9397]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x233d5b2f> <pcomp> <accomp> <auth pap>]
Jun 11 12:50:48 l1 local2.debug pppd[9397]: sent [LCP ConfReq id=0x1 <mru 542> <asyncmap 0x0> <magic 0x61f67e06> <pcomp> <accomp>]
Jun 11 12:50:48 l1 local2.debug pppd[9397]: rcvd [LCP ConfAck id=0x1 <mru 542> <asyncmap 0x0> <magic 0x61f67e06> <pcomp> <accomp>]
Jun 11 12:50:48 l1 local2.debug pppd[9397]: sent [LCP EchoReq id=0x0 magic=0x61f67e06]
Jun 11 12:50:48 l1 local2.debug pppd[9397]: sent [PAP AuthReq id=0x1 user="jeffsh" password=<hidden>]
Jun 11 12:50:48 l1 local2.debug pppd[9397]: rcvd [LCP EchoRep id=0x0 magic=0x233d5b2f]
Jun 11 12:50:48 l1 local2.debug pppd[9397]: rcvd [PAP AuthAck id=0x1 "Login Succeeded"]
Jun 11 12:50:48 l1 local2.info pppd[9397]: Remote message: Login Succeeded
Jun 11 12:50:48 l1 local2.notice pppd[9397]: PAP authentication succeeded
Jun 11 12:50:49 l1 local2.debug pppd[9397]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 00> <addr 64.80.160.72>]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: sent [IPCP ConfAck id=0x1 <compress VJ 0f 00> <addr 64.80.160.72>]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Jun 11 12:50:49 l1 local2.debug pppd[9397]: rcvd [IPCP ConfNak id=0x1 <addr 66.153.99.128> <ms-dns1 66.153.50.71> <ms-dns3 66.153.50.66>]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 66.153.99.128> <ms-dns1 66.153.50.71> <ms-dns3 66.153.50.66>]
Jun 11 12:50:49 l1 local2.debug pppd[9397]: rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 66.153.99.128> <ms-dns1 66.153.50.71> <ms-dns3 66.153.50.66>]
Jun 11 12:50:49 l1 local2.notice pppd[9397]: local IP address 66.153.99.128
Jun 11 12:50:49 l1 local2.notice pppd[9397]: remote IP address 64.80.160.72
Jun 11 12:50:49 l1 local2.notice pppd[9397]: primary DNS address 66.153.50.71
Jun 11 12:50:49 l1 local2.notice pppd[9397]: secondary DNS address 66.153.50.66
Jun 11 12:50:49 l1 local2.debug pppd[9397]: Script /etc/ppp/ip-up started (pid 9791)
Jun 11 12:50:51 l1 local2.debug pppd[9397]: Script /etc/ppp/ip-up finished (pid 9791), status = 0x0
Jun 11 21:52:22 l1 local2.info pppd[9397]: Terminating on signal 15
Jun 11 21:52:23 l1 local2.info pppd[9397]: Connect time 541.6 minutes.
Jun 11 21:52:23 l1 local2.info pppd[9397]: Sent 6417964 bytes, received 82357709 bytes.
Jun 11 21:52:23 l1 local2.debug pppd[9397]: Script /etc/ppp/ip-down started (pid 25634)
Jun 11 21:52:23 l1 local2.debug pppd[9397]: sent [LCP TermReq id=0x2 "User request"]
Jun 11 21:52:23 l1 local2.debug pppd[9397]: rcvd [LCP TermAck id=0x3]
Jun 11 21:52:23 l1 local2.notice pppd[9397]: Connection terminated.
Jun 11 21:52:25 l1 local2.debug pppd[9397]: Waiting for 1 child processes...
Jun 11 21:52:25 l1 local2.debug pppd[9397]: script /etc/ppp/ip-down, pid 25634
Jun 11 21:52:25 l1 local2.debug pppd[9397]: Script /etc/ppp/ip-down finished (pid 25634), status = 0x0
Jun 11 21:52:25 l1 local2.info pppd[9397]: Exit.

This is the xconsole mirror file (/var/log/xcons.log) output from June 11:

Jun 11 12:50:44 l1 pppd[9397]: using channel 1
Jun 11 12:50:45 l1 pppd[9397]: sent [LCP ConfReq id=0x1 <mru 542> <asyncmap 0x0> <magic 0x61f67e06> <pcomp> <accomp>]
Jun 11 12:50:45 l1 pppd[9397]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x233d5b2f> <pcomp> <accomp> <auth pap>]
Jun 11 12:50:45 l1 pppd[9397]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x233d5b2f> <pcomp> <accomp> <auth pap>]
Jun 11 12:50:48 l1 pppd[9397]: sent [LCP ConfReq id=0x1 <mru 542> <asyncmap 0x0> <magic 0x61f67e06> <pcomp> <accomp>]
Jun 11 12:50:48 l1 pppd[9397]: rcvd [LCP ConfAck id=0x1 <mru 542> <asyncmap 0x0> <magic 0x61f67e06> <pcomp> <accomp>]
Jun 11 12:50:48 l1 pppd[9397]: sent [PAP AuthReq id=0x1 user="jeffsh" password=<hidden>]
Jun 11 12:50:48 l1 pppd[9397]: rcvd [PAP AuthAck id=0x1 "Login Succeeded"]
Jun 11 12:50:48 l1 kernel: PPP BSD Compression module registered
Jun 11 12:50:49 l1 kernel: PPP Deflate Compression module registered
Jun 11 12:50:49 l1 pppd[9397]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Jun 11 12:50:49 l1 pppd[9397]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Jun 11 12:50:49 l1 pppd[9397]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 00> <addr 64.80.160.72>]
Jun 11 12:50:49 l1 pppd[9397]: sent [IPCP ConfAck id=0x1 <compress VJ 0f 00> <addr 64.80.160.72>]
Jun 11 12:50:49 l1 pppd[9397]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Jun 11 12:50:49 l1 pppd[9397]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Jun 11 12:50:49 l1 pppd[9397]: rcvd [IPCP ConfNak id=0x1 <addr 66.153.99.128> <ms-dns1 66.153.50.71> <ms-dns3 66.153.50.66>]
Jun 11 12:50:49 l1 pppd[9397]: sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 66.153.99.128> <ms-dns1 66.153.50.71> <ms-dns3 66.153.50.66>]
Jun 11 12:50:49 l1 pppd[9397]: rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 66.153.99.128> <ms-dns1 66.153.50.71> <ms-dns3 66.153.50.66>]
Jun 11 12:50:49 l1 pppd[9397]: Script /etc/ppp/ip-up started (pid 9791)
Jun 11 12:50:51 l1 pppd[9397]: Script /etc/ppp/ip-up finished (pid 9791), status = 0x0
Jun 11 21:52:23 l1 pppd[9397]: Script /etc/ppp/ip-down started (pid 25634)
Jun 11 21:52:23 l1 pppd[9397]: sent [LCP TermReq id=0x2 "User request"]
Jun 11 21:52:23 l1 pppd[9397]: rcvd [LCP TermAck id=0x3]
Jun 11 21:52:25 l1 pppd[9397]: Waiting for 1 child processes...
Jun 11 21:52:25 l1 pppd[9397]: script /etc/ppp/ip-down, pid 25634
Jun 11 21:52:25 l1 pppd[9397]: Script /etc/ppp/ip-down finished (pid 25634), status = 0x0

It is clear from the above log file transcripts that output to local2.{info,notice} has been generated by pppd, but it has not been logged to xconsole.

Here is the /etc/syslog-ng/syslog-ng.conf used to produce the above transcripts:

#
# Configuration file for syslog-ng under Debian
#
# Facilities: auth, authpriv, cron, daemon, kern, lpr, mail, mark,
# news, syslog, user, uucp and local0 through local7.
#
# Priorities: debug, info, notice, warning (warn), err (error),
# crit, alert, emerg (panic).

# Note - For debugging this file, just add the following destination
# line to the log { }; statement in question,
#
## destination(df_debug_eslc);

######
# options

options {
    # disable the chained hostname format in logs
    # (default is enabled)
    chain_hostnames(0);

    # the time to wait before a died connection is re-established
    # (default is 60)
    time_reopen(10);

    # the time to wait before an idle destination file is closed
    # (default is 60)
    time_reap(360);

    # the number of lines buffered before written to file
    # you might want to increase this if your disk isn't catching with
    # all the log messages you get or if you want less disk activity
    # (say on a laptop)
    # (default is 0)
    #sync(0);

    # the number of lines fitting in the output queue
    log_fifo_size(2048);

    # enable or disable directory creation for destination files
    create_dirs(yes);

    # default owner, group, and permissions for log files
    # (defaults are 0, 0, 0600)
    #owner(root);
    group(adm);
    perm(0640);

    # default owner, group, and permissions for created directories
    # (defaults are 0, 0, 0700)
    #dir_owner(root);
    #dir_group(root);
    dir_perm(0755);

    # enable or disable DNS usage
    # syslog-ng blocks on DNS queries, so enabling DNS may lead to
    # a Denial of Service attack
    # (default is yes)
    use_dns(no);

    # maximum length of message in bytes
    # this is only limited by the program listening on the /dev/log Unix
    # socket, glibc can handle arbitrary length log messages, but -- for
    # example -- syslogd accepts only 1024 bytes
    # (default is 2048)
    #log_msg_size(2048);

    #Disable statistic log messages.
    stats_freq(0);
};

######
# sources

# all known message sources
source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    # udp();
};

######
# destinations

# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };
destination df_info { file("/var/log/info.log"); };
destination df_xconsole { file("/var/log/xcons.log"); };
destination df_ppp { file("/var/log/ppp.log"); };
destination df_iptables { file("/var/log/iptables.log"); };
destination df_vc8 { file("/dev/tty8" owner("-1") group("-1") perm(01000)); };

# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole" group("xlocal")); };

# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };

# the sysadmin users
destination du_root { usertty("root"); };
destination du_jsroot { usertty("jsroot"); };
destination du_jeff { usertty("jeff"); };
destination du_jss { usertty("jss"); };

# used for debugging, see note at top of this file.
destination df_debug_eslc {
    file("/home/jsroot/temp/syslog-ng"
        template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
        template_escape(no)
    );
};

######
# filters

# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# only the mark facility
filter f_mark { not facility(auth,authpriv,cron,daemon,kern,lpr,mail,news,syslog,user,uucp,local0,local1,local2,local3,local4,local5,local6,local7); };

# all messages except from the mark facility and pppd echo responses
filter f_syslog { not filter(f_mark) and not filter(f_pppd_echo); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# messages with priority debug
filter f_debug { level(debug); };

# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
    level(info,notice,warn)
    and not facility(auth,authpriv,cron,daemon,mail,news);
};

# messages with priority info
filter f_info { level(info); };

# messages with priority emerg
filter f_emerg { level(emerg); };

# note - regexps are EREs, however thay are always anchored at the
# beginning of the string, thus "^" is treated as an ordinary
# character. I haven't checked if "$" is also treated as an
# ordinary character. Be aware that "\" is also treated as an
# ordinary character.

# xconsole - filter in rules.
filter f_in_xconsole {
    (
        facility(authpriv,kern)
        or ( level(debug..emerg) and facility(auth) )
        or ( level(debug..emerg) and facility(cron,daemon,lpr,mail,news,syslog,user,uucp) )
        or ( level(debug..emerg) and facility(local0,local1,local2,local3,local4,local5,local6,local7) )
    );
};

# xconsole - positive selections that will be dropped by f_out_xconsole.
filter fs_atd {
    ( program("atd") and match("[(]pam_unix[)] session (open|clos)ed for user") );
};
filter fs_comsat {
    ( program("in.comsat") and match("connect from localhost") );
};
filter fs_cron {
    ( program("/USR/SBIN/CRON") and
      ( match("[(]smmsp[)] CMD [(]test -x /usr/share/sendmail/sendmail &&")
        or match("[(]root[)] CMD [(]test -x /usr/share/sendmail/sendmail &&")
        or match("[(]root[)] CMD [(]test -x /usr/lib/atsar/atsa1 &&")
        or match("[(]root[)] CMD [(] +run-parts --report /etc/cron.hourly")
      )
    );
};
filter fs_iptables {
    ( program("kernel") and
      ( match("IP_NF IN=ppp0 OUT= .+ DST=224.0.0.1 LEN=28")
        or match("IP_NF IN=ppp0 OUT= .+ PROTO=ICMP TYPE=8 CODE=0")
        or match("IP_NF IN=ppp0 OUT= .+ PROTO=TCP .+ DPT=(111|137|138|139|445|1214|1433) .+ SYN URGP=0")
        or match("IP_NF IN=ppp0 OUT= .+ PROTO=UDP .+ DPT=(111|137|138|139) LEN=")
      )
    );
};
filter fs_pam_unix {
    ( ( program("cron[(]pam_unix[)]") and match("session (opened|closed) for user") )
      or
      ( program("CRON") and match("[(]pam_unix[)] session (opened|closed) for user") )
    );
};
filter fs_pppd { filter(f_pppd_echo); };
filter f_pppd_echo {
    ( program("pppd") and
      ( match("sent [[]LCP EchoReq id=0x[0-9a-f][0-9a-f]? magic=0x")
        or match("rcvd [[]LCP EchoRep id=0x[0-9a-f][0-9a-f]? magic=0x")
      )
    );
};
filter fs_qmail {
    ( program("qmail") and
      ( match("[0-9]{10}[.][0-9]{6} ((new|info|end) msg|starting delivery)")
        or match("[0-9]{10}[.][0-9]{6} status:")
        or match("[0-9]{10}[.][0-9]{6} delivery [0-9]+: success")
      )
    );
};
filter fs_sendmail {
    ( ( program("sm-mta") or program("sm-msp-queue") or program("sendmail") )
      and
      ( match("[0-9a-fA-Z]+: (from|to)=") or match("STARTTLS=(server|client),") )
    );
};
filter fs_syslog_ng {
    ( program("syslog-ng") and
      ( match("STATS: dropped 0") or match("Log statistics; processed=") )
    );
};

# xconsole - filter out rules.
filter f_out_xconsole {
    not (
        filter(fs_atd)
        or filter(fs_comsat)
        or filter(fs_cron)
        or filter(fs_iptables)
        or filter(fs_pam_unix)
        or filter(fs_pppd)
        or filter(fs_qmail)
        or filter(fs_sendmail)
        or filter(fs_syslog_ng)
    );
};

# sysadmin - gets crit to alert, with emerg handled by du_all, minus junk
# from genpowerd, kernel packet filter, and smartd.
filter f_genpowerd {
    ( program("/sbin/genpowerd") and match("Line power ") );
};
filter f_iptables {
    ( program("kernel") and match("IP_NF ") );
};
filter f_smartmontools {
    ( program("smartd") and
      ( match("smartd received signal 15: Terminated")
        or match("smartd is exiting")
        or match("Configuration file /etc/smartd.conf parsed")
      )
    );
};
filter f_sysadmin {
    ( level(crit..alert) and
      not ( filter(f_genpowerd) or filter(f_iptables) or filter(f_smartmontools) )
    );
};

# pppd logs to facility local2
filter f_ppp { facility(local2); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented syslogd rules,
# except that some of the filters cannot be expressed in syslogd syntax!

# auth,authpriv.* /var/log/auth.log
log {
    source(s_all);
    filter(f_auth);
    destination(df_auth);
};

# *.* -/var/log/syslog
log {
    source(s_all);
    filter(f_syslog);
    destination(df_syslog);
    destination(df_vc8);
};

# cron.* /var/log/cron.log
log {
    source(s_all);
    filter(f_cron);
    destination(df_cron);
};

# daemon.* -/var/log/daemon.log
log {
    source(s_all);
    filter(f_daemon);
    destination(df_daemon);
};

# kern.* -/var/log/kern.log
log {
    source(s_all);
    filter(f_kern);
    destination(df_kern);
};

# lpr.* -/var/log/lpr.log
log {
    source(s_all);
    filter(f_lpr);
    destination(df_lpr);
};

# mail.* -/var/log/mail.log
log {
    source(s_all);
    filter(f_mail);
    destination(df_mail);
};

# user.* -/var/log/user.log
log {
    source(s_all);
    filter(f_user);
    destination(df_user);
};

# uucp.* /var/log/uucp.log
log {
    source(s_all);
    filter(f_uucp);
    destination(df_uucp);
};

# mail.info -/var/log/mail.info
log {
    source(s_all);
    filter(f_mail);
    filter(f_at_least_info);
    destination(df_facility_dot_info);
};

# mail.warn -/var/log/mail.warn
log {
    source(s_all);
    filter(f_mail);
    filter(f_at_least_warn);
    destination(df_facility_dot_warn);
};

# mail.err /var/log/mail.err
log {
    source(s_all);
    filter(f_mail);
    filter(f_at_least_err);
    destination(df_facility_dot_err);
};

# news.crit /var/log/news/news.crit
log {
    source(s_all);
    filter(f_news);
    filter(f_at_least_crit);
    destination(df_news_dot_crit);
};

# news.err /var/log/news/news.err
log {
    source(s_all);
    filter(f_news);
    filter(f_at_least_err);
    destination(df_news_dot_err);
};

# news.notice /var/log/news/news.notice
log {
    source(s_all);
    filter(f_news);
    filter(f_at_least_notice);
    destination(df_news_dot_notice);
};

# *.=debug -/var/log/debug
log {
    source(s_all);
    filter(f_debug);
    destination(df_debug);
};

# *.=info -/var/log/info.log
log {
    source(s_all);
    filter(f_debug);
    destination(df_debug);
};

# *.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
log {
    source(s_all);
    filter(f_messages);
    destination(df_messages);
};

# *.emerg *
log {
    source(s_all);
    filter(f_emerg);
    destination(du_all);
};

# |/dev/xconsole
# /var/log/xcons.log
log {
    source(s_all);
    filter(f_in_xconsole);
    filter(f_out_xconsole);
    destination(dp_xconsole);
    destination(df_xconsole);
};

# local2.* /var/log/ppp.log
log {
    source(s_all);
    filter(f_ppp);
    destination(df_ppp);
    destination(df_debug_eslc);
};

# only kernel packet filter generated messages
# /var/log/iptables.log
log {
    source(s_all);
    filter(f_iptables);
    destination(df_iptables);
};

# all the sysadmin users
log {
    source(s_all);
    filter(f_sysadmin);
    destination(du_root);
    destination(du_jsroot);
    destination(du_jeff);
    destination(du_jss);
};

# Local Variables:
# mode: Shell-script
# End:

# /etc/syslog-ng/syslog-ng.conf - end of file.

Now, if one greps for xconsole in the syslog-ng.conf file, then it is clear which stanzas are relevant:

$ grep xconsole /etc/syslog-ng/syslog-ng.conf
destination df_xconsole { file("/var/log/xcons.log"); };
destination dp_xconsole { pipe("/dev/xconsole" group("xlocal")); };
# xconsole - filter in rules.
filter f_in_xconsole {
# xconsole - positive selections that will be dropped by f_out_xconsole.
# xconsole - filter out rules.
filter f_out_xconsole {
# |/dev/xconsole
    filter(f_in_xconsole);
    filter(f_out_xconsole);
    destination(dp_xconsole);
    destination(df_xconsole);

Thanks,
-- Jeffrey Sheinberg

-- System Information:
Debian Release: testing/etch
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i586)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-1-486
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages syslog-ng depends on:
ii  libc6        2.3.6-13   GNU C Library: Shared libraries
ii  util-linux   2.12r-8    Miscellaneous system utilities

Versions of packages syslog-ng recommends:
ii  logrotate    3.7.1-3    Log rotation utility

-- no debconf information
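The by-eye comparison the report makes between the templated local2.* transcript and /var/log/xcons.log can be automated. The following is an added example, not part of the original report or of syslog-ng: it tallies by level which local2 messages reached the mirror file, skipping the LCP echo messages that f_pppd_echo drops on purpose. The sample lines are a short excerpt of the report's transcripts, and the names `compare`, `TEMPLATED` and `MIRROR` are assumptions.

```python
import re
from collections import Counter

# Excerpt of the report's templated local2.* transcript
# (template "$DATE $HOST $FACILITY.$LEVEL $MSG").
TEMPLATED = """\
Jun 11 12:50:07 l1 local2.notice pppd[9397]: pppd 2.4.4b1 started by jeff, uid 1001
Jun 11 12:50:43 l1 local2.info pppd[9397]: Serial connection established.
Jun 11 12:50:44 l1 local2.debug pppd[9397]: using channel 1
Jun 11 12:50:48 l1 local2.debug pppd[9397]: sent [LCP EchoReq id=0x0 magic=0x61f67e06]
Jun 11 12:50:48 l1 local2.notice pppd[9397]: PAP authentication succeeded
Jun 11 12:50:49 l1 local2.debug pppd[9397]: Script /etc/ppp/ip-up started (pid 9791)
"""

# Excerpt of the report's /var/log/xcons.log transcript (default format).
MIRROR = """\
Jun 11 12:50:44 l1 pppd[9397]: using channel 1
Jun 11 12:50:48 l1 kernel: PPP BSD Compression module registered
Jun 11 12:50:49 l1 pppd[9397]: Script /etc/ppp/ip-up started (pid 9791)
"""

TEMPLATED_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\w+)\.(\w+) (.*)$")
MIRROR_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (.*)$")
# Python rendering of the two match() patterns in the config's f_pppd_echo.
ECHO_RE = re.compile(
    r"^pppd\[\d+\]: (?:sent \[LCP EchoReq|rcvd \[LCP EchoRep)"
    r" id=0x[0-9a-f][0-9a-f]? magic=0x"
)


def compare(templated_text, mirror_text):
    """Return (delivered, missing) Counters keyed by syslog level."""
    # Multiset of mirror entries, so repeated identical lines pair up 1:1.
    seen = Counter()
    for line in mirror_text.splitlines():
        m = MIRROR_RE.match(line)
        if m:
            seen[m.groups()] += 1

    delivered, missing = Counter(), Counter()
    for line in templated_text.splitlines():
        m = TEMPLATED_RE.match(line)
        if not m:
            continue
        date, host, _facility, level, msg = m.groups()
        if ECHO_RE.match(msg):
            continue  # intentionally filtered out of xconsole by the config
        key = (date, host, msg)
        if seen[key] > 0:
            seen[key] -= 1
            delivered[level] += 1
        else:
            missing[level] += 1
    return delivered, missing


if __name__ == "__main__":
    delivered, missing = compare(TEMPLATED, MIRROR)
    print("delivered:", dict(delivered))
    print("missing:  ", dict(missing))
```

Run against the full transcripts, a non-empty `missing` counter for any level that f_in_xconsole should accept is the regression signal.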