It's worth a shot. I never completely got boolean logic, so you may be right.

And the result is no joy. I changed it to or, restarted syslog-ng and tailed /var/log/messages, just in time to catch a botnet trying a brute-force attack. Since all the sshd messages are coming in through /var/log/messages, changing to "or" vs. "and" made no difference.


On 4/7/2021 1:40 AM, Neil Bothwick wrote:
On Tue, 6 Apr 2021 23:11:15 -0600, Dan Egli wrote:

Before I seek out a mailing list for syslog-ng, I was hoping I could
get some tips from people here. I recently started trying to separate
logs into various functions rather than letting everything go to
/var/log/messages. So I created three filters in syslog-ng. One is
intended to separate sshd messages, one to separate samba messages, and
the other to say "everything ELSE". The problem I seem to be having is
that the everything ELSE log still shows things that should have been
removed! For example, when I login via ssh I get identical notification
in the /var/log/messages and in /var/sshd/sshd.log. So I'm lost. I'm
including my syslog-ng.conf. Perhaps someone here can tell me what I'm
doing wrong.
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
Shouldn't this be an or? You are filtering out anything that is in both
groups, which will be a very small set of messages.
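The filter logic under discussion, modelled in Python as an added example (this is not syslog-ng code from the thread): the sample messages are constructed, and the meaning of program(), facility(), level(), and/or/not is reproduced by hand so the "and" and "or" versions of the catch-all filter can be compared on the same input. A constructed sshd message logged under the authpriv facility is included to show that a filter keyed on facility/level, not on the program name, only catches what is sent to that facility.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    program: str
    facility: str
    level: str
    text: str

# Constructed sample messages, not real log lines from the thread.
SAMPLE = [
    Msg("sshd", "auth", "info", "Accepted publickey for dan from 192.0.2.10"),
    Msg("sshd", "auth", "info", "Failed password for invalid user admin from 198.51.100.7"),
    Msg("sshd", "authpriv", "info", "Received disconnect from 198.51.100.7"),  # other facility
    Msg("samba", "daemon", "notice", "smbd started"),
    Msg("cron", "cron", "info", "(root) CMD (run-parts /etc/cron.hourly)"),
    Msg("kernel", "kern", "warning", "eth0: link down"),
]

def samba(m: Msg) -> bool:
    """filter samba { program("samba"); };"""
    return m.program == "samba"

def ssh_messages(m: Msg) -> bool:
    """filter ssh_messages { facility("AUTH") and level("INFO"); };"""
    return m.facility == "auth" and m.level == "info"

def syslog_and(m: Msg) -> bool:
    """The 'and' form: not filter("ssh_messages") and not filter("samba");"""
    return not ssh_messages(m) and not samba(m)

def syslog_or(m: Msg) -> bool:
    """The 'or' form: not filter("ssh_messages") or not filter("samba");"""
    return not ssh_messages(m) or not samba(m)

def route(msgs, catch_all):
    """Which message texts each filter lets through, keyed by destination file."""
    return {
        "sshd.log": [m.text for m in msgs if ssh_messages(m)],
        "samba.log": [m.text for m in msgs if samba(m)],
        "messages": [m.text for m in msgs if catch_all(m)],
    }

def duplicates(routing):
    """Messages that land in 'messages' as well as in sshd.log or samba.log."""
    others = set(routing["sshd.log"]) | set(routing["samba.log"])
    return [t for t in routing["messages"] if t in others]
```

With the "and" form the catch-all receives only messages that match neither filter; the "or" form passes every message that fails at least one filter, which is everything unless a message is both an sshd auth/info message and a samba message. The authpriv message is missed by ssh_messages under both forms and falls through to the catch-all.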


