I think you need a semi-colon inside and after the right curly brace ('}').
Your right braces are parentheses and not right curly braces too (maybe a
cut and paste issue?)
FWIW, the following is what I use to separate my mail logs out and it works:
destination messages { file("/var/log/messages"); };
destination maillog { file("/var/log/maillog"); };
filter f_mail { facility(mail); };
filter f_messages { not facility(mail); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_messages); destination(messages); };
On 12/15/2020 10:44 PM, Dan Egli wrote:
Help me understand this, please? I have ISC dhcpd configured to log
to syslog.local7 (since I don't see an option to force it into its
own log file). So I went into my syslog-ng file and created two
filters, just like on the example page of syslog-ng.com:
filter dhcpmsgs { facility(23) );
filter non_dhcp { NOT filter(dhcpmsgs) )
I quoted almost directly from the example page on syslog-ng.com, but I
keep getting this error when I reload syslog-ng's config:
Error parsing filter expression, filter plugin NOT not found OR you
may not used double quotes in your filter expression in
/etc/syslog-ng/syslog-ng.conf:25:18-25:21:
What did I do wrong? Here's the lines I modified from the syslog-ng page:
filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
filter inverted_demo_filter { NOT filter(demo_filter) }
You can see the page at:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
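
Added example, not part of the original thread: the dhcpd split from the question rewritten in the style of the working mail configuration in the reply. The source name "src" is taken from the reply; the destination names and the /var/log/dhcpd.log path are assumptions.

```conf
# Broken form from the question: ')' closes '{', there is no ';' inside or
# after the block, and NOT is upper case (the parser error reports it as an
# unknown filter plugin):
#   filter dhcpmsgs { facility(23) );
#   filter non_dhcp { NOT filter(dhcpmsgs) )

# Corrected filters: curly braces, ';' inside and after each block,
# lower-case 'not' as in the reply's f_messages filter.
# local7 is the facility dhcpd was configured to log to in the question.
filter dhcpmsgs { facility(local7); };
filter non_dhcp { not filter(dhcpmsgs); };

# Assumed destination names and dhcpd log path; adjust to your layout.
destination dhcplog  { file("/var/log/dhcpd.log"); };
destination messages { file("/var/log/messages"); };

# "src" is the source name used in the reply; use your own source name.
log { source(src); filter(dhcpmsgs); destination(dhcplog); };
log { source(src); filter(non_dhcp); destination(messages); };
```

Running `syslog-ng --syntax-only` against the edited file checks that it parses before the daemon is reloaded.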