On Sun, Nov 12, 2023 at 02:37:08AM +0000, Mik J wrote:
> Hello,
> I would like to log isakmpd and unbound messages in a specific file but I
> don't want them to be logged in messages or daemon.
> 1) With this first method, the messages are logged in their files but also in
> messages and I don't want them to be logged in messages: I find many queries
> and isakmpd logs in messages
>
> !isakmpd
> daemon.* /var/log/isakmpd.log
>
> !unbound
> daemon.* /var/unbound/var/queries.log
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
>
> 2) With this second method, the messages are logged in their files but not in
> messages. So I'm happy the way it behaves for isakmpd and unbound because
> it's logged in their files and not in messages. The problem is that any other
> messages are not logged in messages. No more syslogs are added to messages.
>
> !!isakmpd
> daemon.* /var/log/isakmpd.log
>
> !!unbound
> daemon.* /var/unbound/var/queries.log
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
>
> How can I first filter syslogs so they can be logged in a specific log and
> everything that doesn't match would end in messages? That second solution
> should have done that but it doesn't.
> Regards

From syslog.conf(5):

    !!prog causes the subsequent block to abort evaluation when a message
    matches, ensuring that only a single set of actions is taken. !* can be
    used to ensure that any ensuing blocks are further evaluated (i.e.
    cancelling the effect of a !prog or !!prog).

So after your isakmpd and unbound-specific blocks, you need to add a !* line
to ensure that all further rules are applied to all other processes. E.g.:

    !!isakmpd
    <isakmpd stuff>
    !!unbound
    <unbound stuff>
    !*
    <all other stuff>

Since matching stops the evaluation of further rules, this makes sure that
isakmpd and unbound logs don't end up matched by the "all other stuff" rules.

Cheers
--
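
An added example, not part of the original messages and not syslogd's own code: a simplified Python model of program-block evaluation, based on the syslog.conf(5) text quoted above, run against the second configuration from the question and the same rules with `!*` added. The function names and the sample messages (ntpd, daemon.notice) are constructed for illustration; hostname blocks and other syslogd features are not modelled.

```python
# Simplified model of syslog.conf program blocks (assumption: not syslogd's code).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

BROKEN = """
!!isakmpd
daemon.* /var/log/isakmpd.log
!!unbound
daemon.* /var/unbound/var/queries.log
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
"""
# Same rules with "!*" closing the unbound block, as the reply suggests.
FIXED = BROKEN.replace("*.notice", "!*\n*.notice", 1)

def parse(conf):
    """Yield (prog, quick, selector, action); prog None means any program."""
    prog, quick = None, False
    for line in filter(None, map(str.strip, conf.splitlines())):
        if line.startswith("!"):
            quick = line.startswith("!!")      # !!prog: stop after a match
            name = line.lstrip("!")
            prog = None if name == "*" else name
        else:
            selector, action = line.split(None, 1)
            yield prog, quick, selector, action

def selects(selector, fac, lvl):
    """True if facility.level passes; later ';' parts override earlier ones."""
    limit = None                               # None: facility not selected
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        if facs == "*" or fac in facs.split(","):
            if level == "none":
                limit = None
            else:
                limit = 7 if level == "*" else LEVELS.index(level)
    return limit is not None and LEVELS.index(lvl) <= limit

def route(conf, prog, fac, lvl):
    """Return the log files one message from `prog` is written to."""
    out = []
    for rprog, quick, selector, action in parse(conf):
        if rprog in (None, prog) and selects(selector, fac, lvl):
            out.append(action)
            if quick:
                break
    return out

if __name__ == "__main__":
    for name, conf in (("second method", BROKEN), ("with !*", FIXED)):
        for prog in ("isakmpd", "unbound", "ntpd"):   # constructed samples
            print(name, prog, route(conf, prog, "daemon", "notice"))
```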