Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
23 is the hard coded constant for local7. They are identical. facility(23) and facility(local7) mean the exact same thing.

On 12/16/2020 10:30 AM, David Haller wrote:
> Hello,
>
> On Wed, 16 Dec 2020, Todd Goodman wrote:
>> I think you need a semi-colon inside and after the right curly brace ('}')
>>
>> Your right braces are parentheses and not right curly braces too (maybe a cut
>> and paste issue?)
>>
>> FWIW, the following is what I use to separate my mail logs out and it works:
>>
>> destination messages { file("/var/log/messages"); };
>> destination maillog { file("/var/log/maillog"); };
>>
>> filter f_mail { facility(mail); };
>> filter f_messages { not facility(mail); };
>>
>> log { source(src); filter(f_mail); destination(maillog); };
>> log { source(src); filter(f_messages); destination(messages); };
>>
>> On 12/15/2020 10:44 PM, Dan Egli wrote:
>>> Help me understand this, please? I have ISC dhcpd configured to log to
>>> syslog.local7 (since I don't see an option to force it into its own log
>>> file). So I went into my syslog-ng file and created two filters, just
>>> like on the example page of syslog-ng.com:
>>>
>>> filter dhcpmsgs { facility(23) );
>>> filter non_dhcp { NOT filter(dhcpmsgs) )
>
> Also, where's that '23' coming from? Shouldn't that be
>
> filter dhcpmsgs { facility(local7); };
>
> HTH,
> -dnh

--
Dan Egli
From my Test Server

Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
Well, I'm starting to make progress. But something isn't right. I found out the plugin error was due to the fact that despite syslog-ng.com showing the reversal as NOT, the actual statement is not (all lower case vs all upper case). So that means that syslog-ng loads just fine. But I can't get the dhcp output to where I want it. If I have the syslog facility in dhcpd turned on, or if I redirect the output to a file in systemd, then I get dhcpd messages in the file AND in the syslog itself (/var/log/messages). No matter what I try, the dhcpd output ALWAYS goes to syslog. I can get it to go to a separate file TOO, but not ONLY.

Here's the entire syslog-ng.conf and the service file for dhcpd. Hopefully you guys can figure something out I missed:

(dhcpd4.service)

[Unit]
Description=DHCPv4 Server Daemon
Documentation=man:dhcpd(8) man:dhcpd.conf(5)
After=network.target
After=time-sync.target
After=network-online.target
Wants=network-online.target
StandardOut=null
StandardError=null

[Service]
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcp -group dhcp --no-pid

[Install]
WantedBy=multi-user.target

With everything going to null, you'd think that with the syslog statement in dhcpd.conf disabled, I'd get no log at all. But I still get the log in /var/log/messages.

Here's syslog-ng.conf:

@version: 3.26

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

filter dhcpfilter { facility(local7); };
filter nondhcp { not filter(dhcpfilter); };

source src { system(); internal(); };

destination messages { file("/var/log/messages"); };
destination dhcplog { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };

log { source(src); filter(nondhcp); destination(messages); };
log { source(src); destination(console_all); };
log { source(src); filter(dhcpfilter); destination(dhcplog); };

And for what it's worth, here's my dhcpd.conf:

default-lease-time 3600;
max-lease-time 43200;

# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;

authoritative;

# log-facility local7;

allow booting;

subnet 10.0.2.0 netmask 255.255.255.0 {
    # no services at all!
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.128 192.168.10.254;
    if exists user-class and option user-class = "iPXE" {
        filename "pxelinux.efi";
    } else {
        filename "pxelinux.0";
    }
    next-server 192.168.10.3;
    option domain-name-servers 192.168.10.2, 8.8.8.8;
    option domain-name "eglifamily.name";
    option routers 192.168.10.1;
}

host testbox-1 {
    hardware ethernet 08:00:27:D5:AA:3C;
    fixed-address 192.168.10.64;
    option host-name "testbox-1";
    ddns-hostname "testbox-1.eglifamily.name";
}

--
Dan Egli
From my Test Server

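Added example, not part of the original thread: a small Python model of the three log paths in the syslog-ng.conf above. It decodes the syslog <PRI> value (facility * 8 + severity, which is where 23 for local7 comes from) and lists every destination a message reaches. The sample lines, the host name testhost and all function names are constructed for illustration; the daemon-tagged line stands for dhcpd output sent without "log-facility local7".

```python
import re

# Standard syslog facility codes (RFC 3164/5424), index = numeric code.
# Names for 12-15 are informal; local7 is code 23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_code, facility_name, severity) from a leading <PRI>."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI: %r" % line[:20])
    code, severity = divmod(int(m.group(1)), 8)
    return code, FACILITIES[code], severity


def facility_matches(arg, code):
    """Model of facility(<arg>): the argument is a name or its numeric code."""
    return code == (int(arg) if str(arg).isdigit() else FACILITIES.index(arg))


# The three log paths from the posted config, in order: (filter, destination).
LOG_PATHS = [
    (lambda c: not facility_matches("local7", c), "/var/log/messages"),
    (lambda c: True, "/dev/tty12"),
    (lambda c: facility_matches("local7", c), "/var/log/dhcpd.log"),
]


def route(line):
    """Each log path is evaluated independently; return all destinations hit."""
    code, _, _ = decode_pri(line)
    return [dest for matches, dest in LOG_PATHS if matches(code)]


# Constructed samples: the same dhcpd text tagged local7.info (23*8+6 = 190)
# and daemon.info (3*8+6 = 30).
SAMPLES = [
    "<190>Dec 16 10:30:01 testhost dhcpd: DHCPACK on 192.168.10.130",
    "<30>Dec 16 10:30:01 testhost dhcpd: DHCPACK on 192.168.10.130",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_pri(s)[1], "->", route(s))
```

In this model only the local7-tagged line reaches /var/log/dhcpd.log and stays out of /var/log/messages; the identical text tagged daemon passes the nondhcp filter and lands in /var/log/messages.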
Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
Hello,

On Wed, 16 Dec 2020, Todd Goodman wrote:
>I think you need a semi-colon inside and after the right curly brace ('}')
>
>Your right braces are parentheses and not right curly braces too (maybe a cut
>and paste issue?)
>
>FWIW, the following is what I use to separate my mail logs out and it works:
>
>destination messages { file("/var/log/messages"); };
>destination maillog { file("/var/log/maillog"); };
>
>filter f_mail { facility(mail); };
>filter f_messages { not facility(mail); };
>
>log { source(src); filter(f_mail); destination(maillog); };
>log { source(src); filter(f_messages); destination(messages); };
>
>On 12/15/2020 10:44 PM, Dan Egli wrote:
>> Help me understand this, please? I have ISC dhcpd configured to log to
>> syslog.local7 (since I don't see an option to force it into its own log
>> file). So I went into my syslog-ng file and created two filters, just
>> like on the example page of syslog-ng.com:
>>
>> filter dhcpmsgs { facility(23) );
>> filter non_dhcp { NOT filter(dhcpmsgs) )

Also, where's that '23' coming from? Shouldn't that be

filter dhcpmsgs { facility(local7); };

HTH,
-dnh

--
printk(KERN_DEBUG "%s: Flex. T...\n", DRV_NAME);
linux-2.6.6/drivers/net/wan/dscc4.c

Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
I think you need a semi-colon inside and after the right curly brace ('}')

Your right braces are parentheses and not right curly braces too (maybe a cut and paste issue?)

FWIW, the following is what I use to separate my mail logs out and it works:

destination messages { file("/var/log/messages"); };
destination maillog { file("/var/log/maillog"); };

filter f_mail { facility(mail); };
filter f_messages { not facility(mail); };

log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_messages); destination(messages); };

On 12/15/2020 10:44 PM, Dan Egli wrote:
> Help me understand this, please? I have ISC dhcpd configured to log to
> syslog.local7 (since I don't see an option to force it into its own log
> file). So I went into my syslog-ng file and created two filters, just
> like on the example page of syslog-ng.com:
>
> filter dhcpmsgs { facility(23) );
> filter non_dhcp { NOT filter(dhcpmsgs) )
>
> I quoted almost directly from the example page on syslog-ng.com, but I
> keep getting this error when I reload syslog-ng's config:
>
> Error parsing filter expression, filter plugin NOT not found OR you may not used double quotes in your filter expression in /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>
> What did I do wrong? Here's the lines I modified from the syslog-ng page:
>
> filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
> filter inverted_demo_filter { NOT filter(demo_filter) }
>
> You can see the page at:
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53

[gentoo-user] syslog-ng: filter plugin NOT not found ????
Help me understand this, please? I have ISC dhcpd configured to log to syslog.local7 (since I don't see an option to force it into its own log file). So I went into my syslog-ng file and created two filters, just like on the example page of syslog-ng.com:

filter dhcpmsgs { facility(23) );
filter non_dhcp { NOT filter(dhcpmsgs) )

I quoted almost directly from the example page on syslog-ng.com, but I keep getting this error when I reload syslog-ng's config:

Error parsing filter expression, filter plugin NOT not found OR you may not used double quotes in your filter expression in /etc/syslog-ng/syslog-ng.conf:25:18-25:21:

What did I do wrong? Here's the lines I modified from the syslog-ng page:

filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
filter inverted_demo_filter { NOT filter(demo_filter) }

You can see the page at:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53

--
Dan Egli
From my Test Server