Package: syslog-ng-core Version: 3.19.1-5 Hello, the standard syslog-ng.conf contains (among others) these lines:
filter f_dbg { level(debug); }; filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; filter f_auth { facility(auth, authpriv) and not filter(f_debug); }; filter f_mail { facility(mail) and not filter(f_debug); }; filter f_news { facility(news) and not filter(f_debug); }; log { source(s_src); filter(f_auth); destination(d_auth); }; log { source(s_src); filter(f_mail); destination(d_mail); }; log { source(s_src); filter(f_debug); destination(d_debug); }; ...the f_debug includes debug level and excludes facilities auth, authpriv, news and mail, which is good for d_debug destination, BUT, because of excluding those facilities, the "not filter(f_debug)" does NOT exclude debug priority for any of them: mail.debug: filter(f_debug) = false not filter(f_debug) = true Thus, debug priority is not excluded in d_auth and d_mail destinations, while it was apparently intended to be filtered out. we can test it by running: # logger -p mail.debug mail debug # logger -p auth.debug auth debug # grep debug auth.log mail.log auth.log:Jul 15 16:22:51 mail root[29022]: auth debug mail.log:Jul 15 16:07:25 mail root[26770]: mail debug I believe that it can be fixed by either: a) removing "not filter(f_debug);" from f_auth, f_mail and f_news definitions b) using "not filter(f_dbg)" instead of "not filter(f_debug)" in log definitions c) moving "not facility(auth, authpriv, news, mail)" to definicion of f_dbg and using f_dbg for d_debug with variant a) the functionality would stay the same but less misleading I personally would prefer variant c) as I find it cleanest and easiest to understand and debug. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux is like a teepee: no Windows, no Gates and an apache inside...