# Couple of syslog-ng filter questions....

## digitalamish

OK, I've been googling for an hour and I still can't figure out how to do two simple filters.  Please help.

The first deals with cron.  I have a couple of programs that run through cron every minute.  One is a webcam picture grabber, the other is fetchmail.  The problem is that my server is usually pretty quiet, so my messages file is just clogged with entries for these runs.

I created a filter in syslog-ng to put the cron entries in a /var/log/cron.log file:

```
destination cron { file("/var/log/cron.log"); };
filter f_cron { facility(cron); };
log { source(src); filter(f_cron); destination(cron); };
```

And that does copy the entries to the other file, HOWEVER it leaves the original ones in the "messages" file.  Is there a way to tell syslog-ng to put the entries into the cron file, and NOT put them in the messages file?  Or just ignore that call altogether?

My second problem is just as annoying.  I run squirrelmail for a webmail client.  If a user is logged into webmail, every time the user's browser refreshes, it makes a logon through dovecot (which is fine).  The problem is that the connection to dovecot is also captured in my log:

```
Aug  4 07:35:09 www dovecot: imap-login: Login: user=<user01>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Aug  4 07:35:09 www dovecot: IMAP(user01): Disconnected: Logged out
```

I tried creating another filter for those messages, but there is no 'facility' for dovecot.  How do you create a filter if no facility exists?

Any tips would be helpful.

----------

## didymos

*digitalamish wrote:*

> And that does copy the entries to the other file, HOWEVER it leaves the original ones in the "messages" file.

What do you mean "copies"?  You started a new log, so the stuff matching the filter goes there from now on.  It's not going to edit the messages file for you. It's just not going to put cron stuff there anymore.

*Quote:*

> I tried creating another filter for those messages, but there is no 'facility' for dovecot.  How do you create a filter if no facility exists?

You match on something that's unique to the dovecot messages.  For example, the name dovecot:

*Quote:*

> Aug  4 07:35:09 www dovecot: imap-login: Login: user=<user01>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
> Aug  4 07:35:09 www dovecot: IMAP(user01): Disconnected: Logged out
> ...

Use "match" instead of "facility".

[edit] Oh, and you'll want to put the "log" entry for dovecot before the one for /var/log/messages.

----------

## digitalamish

*didymos wrote:*

> *digitalamish wrote:*
>
> > And that does copy the entries to the other file, HOWEVER it leaves the original ones in the "messages" file.
>
> ...

I mean it does put the entries both in the cron.log file and messages.  I just want them in cron.log.

*Quote:*

> Use "match" instead of "facility".

Can you give me an example?  Or is there a way to make a 'facility' for dovecot?

----------

## didymos

*digitalamish wrote:*

> I mean it does put the entries both in the cron.log file and messages.  I just want them in cron.log.

Oh, I see. OK, just post the syslog-ng.conf.  It's too much of a pain to describe the changes.

*Quote:*

> Can you give me an example?  Or is there a way to make a 'facility' for dovecot?

You can't make a facility, not with syslog-ng anyway. Those are defined at a lower level than either dovecot or syslog-ng.

----------

## kimmie

For the first case, there are a couple of alternatives. You can add a "not" filter to your existing messages destination:

```
filter f_not_cron { not facility(cron); };  # or, you could use filter f_notcron { not filter(f_cron); };

log { source(src); filter(f_not_cron); destination(messages); };
```

Or, you can make your messages destination a 'fallback', so it only matches messages not matched by another log statement. So all you need to do is change your log statement. This is simpler than creating a not filter if you ask me.

```
log { source(src); destination(messages); flags(fallback); };
```

Don't forget to consider your console destination in all this... you can do it either way, with filters, or by making it a fallback as well. You can have more than one fallback.

For your second question: syslog-ng can filter on other things besides facility. Try creating a filter matching on the program name, and incorporating it using one of the methods above. Using the fallback method, you should just be able to add:

```
filter f_dovecot { program("dovecot"); };

destination dovecot { file("/var/log/dovecot"); };

log { source(src); filter(f_dovecot); destination(dovecot); };
```

For some reason most of this stuff isn't in the man page... look in /usr/share/doc/syslog-ng.../syslog-ng.txt.bz2
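
Putting the pieces from this thread together, here is a complete syslog-ng.conf that answers both questions at once. This is an added example, not kimmie's or anyone else's config from the thread; it assumes syslog-ng 3.x syntax (the `@version` line), a Linux host reading `/dev/log`, and that the existing config names its source `src` and its catch-all destination `messages`, as the posts above do. The dovecot login/logout lines are routed to their own file rather than dropped, so the IMAP authentication trail (who logged in, from which address, by which method) is still there when you need it.

```conf
# Added example config (not from the thread). Assumes syslog-ng 3.x,
# a Linux host, and the source/destination names used in the posts above.
@version: 3.0

# Local syslog socket plus syslog-ng's own internal messages.
source src {
    unix-dgram("/dev/log");
    internal();
};

destination messages { file("/var/log/messages"); };
destination cron     { file("/var/log/cron.log"); };
destination dovecot  { file("/var/log/dovecot.log"); };

# cron has a real syslog facility; dovecot does not, so match on its
# program name instead (the "dovecot:" tag in the sample lines).
filter f_cron    { facility(cron); };
filter f_dovecot { program("dovecot"); };

# Specific log paths first: each matched message is written to its own file.
log { source(src); filter(f_cron);    destination(cron); };
log { source(src); filter(f_dovecot); destination(dovecot); };

# Catch-all last, marked fallback: it receives only messages that matched
# no other (non-fallback) log path, so cron and dovecot lines stop
# appearing in /var/log/messages without needing a "not" filter.
log { source(src); destination(messages); flags(fallback); };
```

Check the file before reloading with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (syntax check only, no daemon start). If you would rather keep an unflagged catch-all, the equivalent is `flags(final)` on the cron and dovecot log paths, which stops a matched message from being evaluated by any later log statement.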

----------

## Aurika

cron: I guess your syslog-ng.conf contains a line to catch all messages:

```
log { source(src); destination(messages); };
```

To exclude something, create a filter and change that line like so:

```
filter f_nocron { not (facility(cron)); };

log { source(src); filter(f_nocron); destination(messages); };
```

dovecot: I don't know what dovecot is but if it's a program, a filter like this should do it:

```
filter f_dovecot_nolog { program(dovecot) and not ( match(Login) or match("Logged out") ); };
```

The double quotes in the second match are needed for the whitespace present. The words to match on I found in your post. These are excluded, which probably is not what you want. The "and" connects the expressions; "not" affects both of the matches connected via the "or" because they are enclosed in brackets.

Adjust as needed.

----------

## digitalamish

Perfect, thanks.

----------

