On Wednesday, 7 April 2021 08:40:44 BST Neil Bothwick wrote:
> On Tue, 6 Apr 2021 23:11:15 -0600, Dan Egli wrote:
> > Before I seek out a mailing list for syslog-ng, I was hoping I could
> > get some tips from people here. I recently started trying to separate
> > logs into various functions rather than letting everything go to
> > /var/log/messages. So I created three filters in syslog-ng. One is
> > intended to separate sshd messages, one to separate samba messages, and
> > the other to say "everything ELSE". The problem I seem to be having is
> > that the everything ELSE log still shows things that should have been
> > removed! For example, when I log in via ssh I get identical notification
> > in the /var/log/messages and in /var/sshd/sshd.log. So I'm lost. I'm
> > including my syslog-ng.conf. Perhaps someone here can tell me what I'm
> > doing wrong.
> >
> > filter samba { program("samba"); };
> > filter ssh_messages { facility("AUTH") and level("INFO"); };
> > filter syslog { not filter("ssh_messages") and not filter("samba"); };
>
> Shouldn't this be an or? You are filtering out anything that is in both
> groups, which will be a very small set of messages.
Nope. NOT a AND NOT b matches anything that is in neither a nor b. The rule
you're suggesting would be NOT (a AND b).
--
Regards,
Peter.
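
The filter logic discussed in this thread, modeled in Python as an added example (not part of any poster's message and not syslog-ng code). The sample messages are constructed, the function names are hypothetical, and the model is simplified: program() is treated as a regular-expression search on the program name, and facility()/level() as case-insensitive equality.

```python
import re

# Constructed sample messages (not from the thread): program, facility, level.
MESSAGES = [
    {"program": "sshd",  "facility": "auth",   "level": "info"},
    {"program": "sshd",  "facility": "auth",   "level": "warning"},
    {"program": "samba", "facility": "daemon", "level": "info"},
    {"program": "cron",  "facility": "cron",   "level": "info"},
]

# Simplified models of the three filters quoted in the thread.
def samba(m):
    return re.search("samba", m["program"]) is not None

def ssh_messages(m):
    return m["facility"].lower() == "auth" and m["level"].lower() == "info"

def syslog_and(m):   # as posted: not ssh_messages AND not samba
    return not ssh_messages(m) and not samba(m)

def syslog_or(m):    # the suggested change: not ssh_messages OR not samba
    return not ssh_messages(m) or not samba(m)

def not_both(m):     # NOT (ssh_messages AND samba)
    return not (ssh_messages(m) and samba(m))

def routed(filt):
    """Return the (program, level) pairs that a filter lets through."""
    return [(m["program"], m["level"]) for m in MESSAGES if filt(m)]

def de_morgan_holds():
    """Check both identities over every truth assignment of a and b."""
    return all(
        ((not a or not b) == (not (a and b)))
        and ((not a and not b) == (not (a or b)))
        for a in (False, True)
        for b in (False, True)
    )

if __name__ == "__main__":
    for name, f in [("and", syslog_and), ("or", syslog_or), ("not-both", not_both)]:
        print(f"{name:9}", routed(f))
    print("De Morgan identities hold:", de_morgan_holds())
```

With these samples the "and" form passes only messages matched by neither filter, while the "or" form passes all four, exactly as NOT (a AND b) does.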