I had posted the whole file. But I can do it again easy enough.
--------------------------------
@version: 3.30
@include "scl.conf"
options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};
source src { system(); internal(); };
filter samba { program("samba"); };
filter ssh_messages { facility("AUTH") and level("INFO"); };
filter syslog { not filter("ssh_messages") and not filter("samba"); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };
destination smb_logs { file("/var/log/samba/samba.log"); };
log { source(src); filter(samba); destination(smb_logs); flags(final); );
log { source(src); filter(ssh_messages); destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };
----------------------------
There, that's the ENTIRE file, sans comments.

On 4/7/2021 5:47 AM, Michael Orlitzky wrote:

On Wed, 2021-04-07 at 02:02 -0600, Dan Egli wrote:

It's worth a shot. I never completely got boolean logic, so you may be
right.

It depends on an implicit order of operations. Usually "not" has higher
precedence than "and" and "or", but personally I wouldn't count on it
unless the documentation says so (or you've tried it).

It's like when you see a+b/c*d. Some people use PEMDAS, some people use
BEDMAS. Neither of them work, and they give different answers. It's no
wonder nobody understands this stuff.

In any case, post your whole syslog-ng.conf file. Some later directive
could be shoveling things into /var/log/messages.
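
Added example, not part of the thread and not syslog-ng code: a small Python model of the posted log paths that routes three constructed messages under both possible readings of the "not ... and not ..." filter, with and without flags(final). The predicate and function names are hypothetical, and the model assumes log paths are tried in file order and that a matching path marked final stops further processing.

```python
# Simplified model of the posted log paths; this is not syslog-ng itself.
# All sample messages below are constructed for illustration.

def is_samba(m):                      # filter samba
    return m["program"] == "samba"

def is_ssh(m):                        # filter ssh_messages
    return m["facility"] == "AUTH" and m["level"] == "INFO"

# Two ways to read: not filter("ssh_messages") and not filter("samba")
def syslog_tight(m):                  # "not" binds first: (not ssh) and (not samba)
    return (not is_ssh(m)) and (not is_samba(m))

def syslog_loose(m):                  # "not" spans the rest: not (ssh and (not samba))
    return not (is_ssh(m) and (not is_samba(m)))

def route(msg, syslog_filter, use_final=True):
    """Walk the log paths in file order and return the destinations hit."""
    paths = [
        (is_samba, "smb_logs", use_final),
        (is_ssh, "sshd_log", use_final),
        (syslog_filter, "console", False),
        (syslog_filter, "messages", False),
    ]
    hits = []
    for matches, dest, final in paths:
        if matches(msg):
            hits.append(dest)
            if final:                 # assumed: final ends processing of this message
                break
    return hits

SAMPLES = {
    "samba": {"program": "samba", "facility": "DAEMON", "level": "NOTICE"},
    "sshd": {"program": "sshd", "facility": "AUTH", "level": "INFO"},
    "cron": {"program": "cron", "facility": "CRON", "level": "INFO"},
}

def disagreements(use_final):
    """Names of samples that the two readings route differently."""
    return [name for name, m in SAMPLES.items()
            if route(m, syslog_tight, use_final) != route(m, syslog_loose, use_final)]

if __name__ == "__main__":
    for final in (True, False):
        for name, m in SAMPLES.items():
            print(final, name, route(m, syslog_tight, final), route(m, syslog_loose, final))
        print("readings disagree on:", disagreements(final))
```

In this model the two readings disagree only for the samba message, and only when flags(final) is left off the first two log paths.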