On Sun, Nov 12, 2023 at 02:37:08AM +0000, Mik J wrote:
> Hello,
> I would like to log isakmpd and unbound messages in a specific file but I
> don't want them to be logged in messages or daemon.
> 1) With this first method, the messages are logged in their files but also in
> messages and I don't want them to be logged in messages: I find many queries
> and isakmpd logs in messages
>
> !isakmpd
> daemon.* /var/log/isakmpd.log
>
> !unbound
> daemon.* /var/unbound/var/queries.log
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
>
>
>
> 2) With this second method, the messages are logged in their files but not in
> messages. So I'm happy the way it behaves for isakmpd and unbound because
> it's logged in their files and not in messages. The problem is that any other
> messages are not logged in messages. No more syslogs are added to messages.
>
> !!isakmpd
> daemon.* /var/log/isakmpd.log
>
> !!unbound
> daemon.* /var/unbound/var/queries.log
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
>
> How can I first filter syslogs so they can be logged in a specific log and
> everything that doesn't match would end in messages. That second solution
> should have done that but it doesn't.
> Regards
From syslog.conf(5):
!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken. !*
can be used to ensure that any ensuing blocks are further evaluated
(i.e. cancelling the effect of a !prog or !!prog).
So after your isakmpd and unbound-specific blocks, you need to add a !*
line to ensure that all further rules are applied to all other
processes. E.g.:
!!isakmpd
<isakmpd stuff>
!!unbound
<unbound stuff>
!*
<all other stuff>
Since matching stops the evaluation of further rules, this makes sure
that isakmpd and unbound logs don't end up matched by the "all other
stuff" rules.
Cheers
--
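
The block evaluation discussed in this thread, as an added example that is not part of the original messages and is not syslogd's own code. It is a toy model: `parse` and `route` are hypothetical names, selectors are matched on facility only, and `*.*` stands in for the longer messages selector quoted above.

```python
# Toy model of syslog.conf(5) program blocks: !prog, !!prog and !*.
# Assumption: selectors are matched on facility only; levels are ignored.

def parse(conf):
    """Turn config text into (program, quick, facility, target) rules."""
    rules, prog, quick = [], None, False
    for line in conf.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("!"):
            name = line.lstrip("!")
            quick = line.startswith("!!") and name != "*"
            prog = None if name == "*" else name  # !* applies to every program
            continue
        selector, target = line.split()
        rules.append((prog, quick, selector.split(".")[0], target))
    return rules

def route(rules, program, facility):
    """Return the files a message from `program` on `facility` is written to."""
    hits = []
    for prog, quick, fac, target in rules:
        if prog is not None and prog != program:
            continue  # rule belongs to another program's block
        if fac not in ("*", facility):
            continue
        hits.append(target)
        if quick:  # !!prog: abort evaluation once a rule has matched
            break
    return hits

# Constructed configs modelled on the second method and on the suggested fix.
WITHOUT_RESET = """
!!isakmpd
daemon.* /var/log/isakmpd.log
!!unbound
daemon.* /var/unbound/var/queries.log
*.* /var/log/messages
"""
WITH_RESET = WITHOUT_RESET.replace("*.* /var", "!*\n*.* /var")

if __name__ == "__main__":
    for label, conf in (("without !*", WITHOUT_RESET), ("with !*", WITH_RESET)):
        for prog, fac in (("isakmpd", "daemon"), ("unbound", "daemon"), ("sshd", "auth")):
            print(label, prog, fac, route(parse(conf), prog, fac))
```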