Before I seek out a mailing list for syslog-ng, I was hoping I could get some tips from people here. I recently started trying to separate logs into various functions rather than letting everything go to /var/log/messages. So I created three filters in syslog-ng. One is intended to separate sshd messages, one to separate samba messages, and the other to say "everything ELSE". The problem I seem to be having is that the everything ELSE log still shows things that should have been removed! For example, when I log in via ssh I get identical notification in /var/log/messages and in /var/sshd/sshd.log. So I'm lost. I'm including my syslog-ng.conf. Perhaps someone here can tell me what I'm doing wrong.

Thanks!

---------- CUT HERE - syslog_ng.conf ----------
@version: 3.30

@include "scl.conf"

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

source src { system(); internal(); };

filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
# Everything the other two filters do not claim; filter("name") references
# another filter by its identifier.
filter syslog { not filter("ssh_messages") and not filter("samba"); };

destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };

# Log statements are evaluated in order; flags(final) stops a matched message
# from being offered to the statements below.
log { source(src); destination(smb_logs); filter(samba); flags(final); };
log { source(src); destination(sshd_log); filter(ssh_messages); flags(final); };
log { source(src); destination(console); filter(syslog); };
log { source(src); destination(messages); filter(syslog); };
---------- CUT HERE --------------
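As an added example, not from the post or from syslog-ng itself, here is a small Python model of how the posted log statements route a message (paths tried in order, flags(final) ending the walk), run over constructed sample messages. It assumes the message properties the filters test are just program, facility and level, and shows that the syslog filter already excludes whatever ssh_messages or samba match, so a line reaching both sshd.log and messages must be one that ssh_messages never matched (for instance sshd logging under a facility other than auth, which sshd_config's SyslogFacility controls) rather than a flags(final) failure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    """The three message properties the post's filters look at."""
    program: str
    facility: str   # compared in lower case here
    level: str

# Filters as written in the post; "syslog" references the other two by name,
# which is what filter("ssh_messages") / filter("samba") do in syslog-ng.
FILTERS = {
    "samba": lambda m: m.program == "samba",
    "ssh_messages": lambda m: m.facility == "auth" and m.level == "info",
}
FILTERS["syslog"] = lambda m: not FILTERS["ssh_messages"](m) and not FILTERS["samba"](m)

# Log statements in the post's order: (filter name, destination, flags(final)?)
LOG_PATHS = [
    ("samba", "/var/log/samba/samba.log", True),
    ("ssh_messages", "/var/log/sshd/sshd.log", True),
    ("syslog", "/dev/tty12", False),
    ("syslog", "/var/log/messages", False),
]

def route(msg, paths=LOG_PATHS):
    """Destinations a message reaches: statements are tried in order, a path
    fires when its filter matches, and flags(final) stops further statements."""
    hits = []
    for filt, dest, final in paths:
        if FILTERS[filt](msg):
            hits.append(dest)
            if final:
                break
    return hits

# Constructed sample messages, not captured log lines.
SAMPLES = {
    "sshd login, facility auth": Msg("sshd", "auth", "info"),
    "sshd login, facility authpriv": Msg("sshd", "authpriv", "info"),
    "samba message": Msg("samba", "daemon", "notice"),
    "some other auth/info program": Msg("login", "auth", "info"),
    "cron job": Msg("cron", "cron", "info"),
}

def routing_table(paths=LOG_PATHS):
    """Map each sample description to the destinations it reaches."""
    return {name: route(m, paths) for name, m in SAMPLES.items()}
```

Note that the ssh_messages filter also captures any other program logging at auth/info, so the sshd log is really an "auth info" log.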
