It's worth a shot. I never completely got boolean logic, so you may be
right.

And the result is no joy. I changed it to or, restarted syslog-ng and
tailed /var/log/messages, just in time to catch a botnet trying a
brute-force attack. Since all the sshd messages are coming in through
/var/log/messages, then changing to "or" vs. "and" made no difference.


On 4/7/2021 1:40 AM, Neil Bothwick wrote:
> On Tue, 6 Apr 2021 23:11:15 -0600, Dan Egli wrote:
>
>> Before I seek out a mailing list for syslog-ng, I was hoping I could
>> get some tips from people here. I recently started trying to separate
>> logs into various functions rather than letting everything go to
>> /var/log/messages. So I created three filters in syslog-ng. One is
>> intended to separate sshd messages, one to separate samba messages, and
>> the other to say "everything ELSE". The problem I seem to be having is
>> that the everything ELSE log still shows things that should have been
>> removed! For example, when I login via ssh I get identical notification
>> in the /var/log/messages and in /var/sshd/sshd.log. So I'm lost. I'm
>> including my syslog-ng.conf. Perhaps someone here can tell me what I'm
>> doing wrong.
>> filter samba { program("samba"); };
>> filter ssh_messages { facility("AUTH") and level("INFO"); };
>> filter syslog { not filter("ssh_messages") and not filter("samba"); };
> Shouldn't this be an or? You are filtering out anything that is in both
> groups, which will be a very small set of messages.
>
>
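As an added example that is not part of the thread, here is a complete syslog-ng layout that keeps sshd and samba messages out of the catch-all file by ending their log paths with flags(final), so the catch-all path needs no negated filter at all (note that `not A and not B` is the same as `not (A or B)`, so the filter quoted above already excludes both groups). The source name, destination paths, the "sshd" program name and the @version line are assumptions; adjust them to the installed version and local paths.

```conf
# Added example, not the config from the thread. Names and paths are assumed.
@version: 3.30

# Local system log plus syslog-ng's own internal messages.
source s_local { system(); internal(); };

# Match by program name rather than facility/level so only the two daemons
# are caught (program names are an assumption; check what your logs show).
filter f_sshd  { program("sshd"); };
filter f_samba { program("samba"); };

destination d_sshd     { file("/var/log/sshd/sshd.log"); };
destination d_samba    { file("/var/log/samba/samba.log"); };
destination d_messages { file("/var/log/messages"); };

# Log statements are evaluated in order. flags(final) marks a message that
# matched this path as finished, so later log statements never see it and
# it cannot be duplicated into the catch-all file below.
log { source(s_local); filter(f_sshd);  destination(d_sshd);  flags(final); };
log { source(s_local); filter(f_samba); destination(d_samba); flags(final); };

# Everything else: no filter needed, because anything that matched above
# has already been marked final.
log { source(s_local); destination(d_messages); };
```

After editing, run `syslog-ng -s` to syntax-check the file before restarting the service.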