Gentoo Archives: gentoo-user

From: Dan Egli <dan@×××××××××××.site>
To: gentoo-user@l.g.o, Neil Bothwick <neil@××××××××××.uk>
Subject: Re: [gentoo-user] syslog-ng misbehaving
Date: Wed, 07 Apr 2021 08:04:02
Message-Id: 500d3c08-288a-14df-ffdf-1e2f1f594109@newideatest.site
In Reply to: Re: [gentoo-user] syslog-ng misbehaving by Neil Bothwick
It's worth a shot. I never completely got boolean logic, so you may be
right.

And the result is no joy. I changed it to or, restarted syslog-ng and
tailed /var/log/messages, just in time to catch a botnet trying a
brute-force attack. Since all the sshd messages are coming in through
/var/log/messages, changing to "or" vs. "and" made no difference.

On 4/7/2021 1:40 AM, Neil Bothwick wrote:
> On Tue, 6 Apr 2021 23:11:15 -0600, Dan Egli wrote:
>
>> Before I seek out a mailing list for syslog-ng, I was hoping I could
>> get some tips from people here. I recently started trying to separate
>> logs into various functions rather than letting everything go to
>> /var/log/messages. So I created three filters in syslog-ng. One is
>> intended to separate sshd messages, one to separate samba messages, and
>> the other to say "everything ELSE". The problem I seem to be having is
>> that the everything ELSE log still shows things that should have been
>> removed! For example, when I login via ssh I get identical notification
>> in the /var/log/messages and in /var/sshd/sshd.log. So I'm lost. I'm
>> including my syslog-ng.conf. Perhaps someone here can tell me what I'm
>> doing wrong.
>> filter samba { program("samba"); };
>> filter ssh_messages { facility("AUTH") and level("INFO"); };
>> filter syslog { not filter("ssh_messages") and not filter("samba"); };
> Shouldn't this be an or? You are filtering out anything that is in both
> groups, which will be a very small set of messages.
>
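An added example, not part of the thread, that models the three filters quoted above in Python and evaluates both spellings of the catch-all (`not ... and not ...` versus `not ... or not ...`) over constructed sample messages; the `Msg` fields and the sample lines are assumptions, not real log output. By De Morgan, `not A and not B` is the complement of `A or B`, which is what an "everything else" filter needs.

```python
# Added example (not from the thread): a model of the three syslog-ng filters
# from the original post, evaluated over constructed sample messages, to show
# how "not A and not B" differs from "not A or not B".
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:  # assumed fields: the ones the posted filters test on, plus program
    program: str
    facility: str
    level: str
    text: str


# filter samba { program("samba"); };
def filter_samba(m: Msg) -> bool:
    return m.program == "samba"


# filter ssh_messages { facility("AUTH") and level("INFO"); };
def filter_ssh_messages(m: Msg) -> bool:
    return m.facility == "AUTH" and m.level == "INFO"


# Catch-all as posted: complement of (ssh_messages OR samba) by De Morgan.
def filter_syslog_and(m: Msg) -> bool:
    return not filter_ssh_messages(m) and not filter_samba(m)


# Suggested variant: only drops messages matching BOTH filters at once.
def filter_syslog_or(m: Msg) -> bool:
    return not filter_ssh_messages(m) or not filter_samba(m)


# Constructed sample messages (not real log lines).
SAMPLES = [
    Msg("sshd", "AUTH", "INFO", "Accepted publickey for dan"),
    Msg("sshd", "AUTH", "INFO", "Failed password for invalid user admin"),
    Msg("samba", "DAEMON", "INFO", "connect to service share"),
    Msg("cron", "CRON", "INFO", "(root) CMD (run-parts /etc/cron.hourly)"),
    Msg("kernel", "KERN", "WARNING", "usb 1-1: device descriptor read error"),
    # sshd at a level other than INFO: ssh_messages as posted does not catch it
    Msg("sshd", "AUTH", "WARNING", "maximum authentication attempts exceeded"),
]


def route(messages, catch_all):
    """Return (program, level) of each message the catch-all filter lets through."""
    return [(m.program, m.level) for m in messages if catch_all(m)]


if __name__ == "__main__":
    print("and:", route(SAMPLES, filter_syslog_and))  # cron, kernel, sshd/WARNING
    print("or: ", route(SAMPLES, filter_syslog_or))   # every sample message
```

With the `and` form the AUTH/INFO sshd lines are already excluded from the catch-all, so if they still reach /var/log/messages the thing to check is the `log { ... }` statement that writes that file: a filter only takes effect in a log path that references it, and a path without any filter receives every message.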

Replies

Subject Author
Re: [gentoo-user] syslog-ng misbehaving Michael Orlitzky <mjo@g.o>