How are filters combined in syslog-ng

filter, logging, syslog-ng

If I've got an entry in syslog-ng

log {
  source (src);
  filter (filter1);
  filter (filter2);
  filter (filter3);
  filter (filter4);
  destination (all_log);
};

And, say filter4 is a very permissive filter and filter3 is a filter to eradicate a couple irksome hosts. If filter2 and/or filter1 allow one of those irksome hosts, will it get logged?

Best Answer

From the syslog-ng administrators guide (v 2.0, which is old, but what you're using)

When a log statement includes multiple filter statements, syslog-ng sends a message to the destination only if all filters are true for the message. In other words, the filters are connected with the logical AND operator. In the following example, no message arrives to the destination, because the filters are exclusive (the hostname of a client cannot be example1 and example2 at the same time).

So that makes sense, it would be way too complicated and undocumented if it worked any other way. So you're going to have to find some other way of accomplishing what you're trying to do!

It looks like, in general, the way you would want to exclude a host is to use not host('HOSTNAME') or (host('HOSTNAME') and level(...) ) as your filter.
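The AND rule and the suggested exclusion filter, written out as a configuration. This is an added example, not part of the original answer or the syslog-ng guide; the host names, the log file path and the filter names and bodies are constructed assumptions, while `src` and `all_log` are the names used in the question.

```conf
# Constructed example: host names, file path and filter bodies are assumptions.
source src { internal(); unix-stream("/dev/log"); };
destination all_log { file("/var/log/all.log"); };

# Drops two noisy hosts outright (the role of filter3 in the question).
filter f_drop_noisy { not host("noisy1") and not host("noisy2"); };

# Variant in the form the answer suggests: a noisy host's messages
# pass only when they are err or worse; all other hosts pass untouched.
filter f_noisy_errors_only {
    not host("noisy1") or (host("noisy1") and level(err..emerg));
};

# Two narrower filters and a permissive one (the roles of filter1,
# filter2 and filter4).
filter f_auth { facility(auth, authpriv); };
filter f_warn { level(warning..emerg); };
filter f_permissive { level(debug..emerg); };

# "Either of these" has to be written as OR inside a single filter;
# listing both in the log statement would AND them instead.
filter f_auth_or_warn { filter(f_auth) or filter(f_warn); };

# Filters listed in one log statement are ANDed. A message from noisy1
# fails f_drop_noisy, so it is never written to all_log, even though
# f_auth_or_warn and f_permissive would both accept it.
log {
    source(src);
    filter(f_auth_or_warn);
    filter(f_drop_noisy);
    filter(f_permissive);
    destination(all_log);
};
```

Swapping `f_drop_noisy` for `f_noisy_errors_only` in the log statement keeps error-level messages from `noisy1` while still discarding its routine traffic.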