# syslog ignores the filter...

## DaggyStyle

```
filter f_firewall { match("Rejected: "); };
filter f_no_firewall { not match("Rejected: "); };

destination firewall { file("/var/log/iptables.log" owner("root") group("adm") $

log { source(src); filter(f_firewall); destination(firewall); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); filter(f_no_firewall); destination(messages); };
log { source(src); destination(console_all); };
```

The no-firewall filter isn't working... how can I fix it?

----------

## mjbjr

You have defined 'destination firewall', but you haven't defined 'destination messages'.

----------

## DaggyStyle

It is defined, but I didn't enter it in the code I've posted.

----------

## aronparsons

Are you just trying to get the "Rejected" messages in a separate file and out of /var/log/messages?  Try this:

```
log { source(src); filter(f_firewall); destination(firewall); flags(final); }; 
```

----------

## DaggyStyle

Yes, tried that, not working...

----------

## aronparsons

Well, I'm not sure then.  The 'final' directive will stop it from hitting any other log files (as long as it's before the logs you don't want it in).  Your 'destination firewall' line has the $ at the end; that's not valid, is it? (I'm not super-familiar with syslog-ng configuration files, just enough to get by.)  My configuration that works well is below.

```
source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

source ddwrt {
    udp();
};

# DD-WRT routers
destination ddwrt { file("/var/log/ddwrt.log"); };
log { source(ddwrt); destination(ddwrt); flags(final); };

# cron
destination cron { file("/var/log/cron.log"); };
filter f_cron { program("cron"); };
log { source(src); filter(f_cron); destination(cron); flags(final); };

# sshd
destination ssh { file("/var/log/ssh.log"); };
filter f_ssh { program("sshd"); };
log { source(src); filter(f_ssh); destination(ssh); flags(final); };

# ntpd
destination ntp { file("/var/log/ntpd.log"); };
filter f_ntp { program("ntpd"); };
log { source(src); filter(f_ntp); destination(ntp); flags(final); };

# sudo
destination sudo { file("/var/log/sudo.log"); };
filter f_sudo { program("sudo"); };
log { source(src); filter(f_sudo); destination(sudo); flags(final); };

# smartd
destination smartd { file("/var/log/smartd.log"); };
filter f_smartd { program("smartd"); };
log { source(src); filter(f_smartd); destination(smartd); flags(final); };

# dhcpcd
destination dhcpcd { file("/var/log/dhcpcd.log"); };
filter f_dhcpcd { program("dhcpcd"); };
log { source(src); filter(f_dhcpcd); destination(dhcpcd); flags(final); };

# ssmtp
destination ssmtp { file("/var/log/ssmtp.log"); };
filter f_ssmtp { program("sSMTP"); };
log { source(src); filter(f_ssmtp); destination(ssmtp); flags(final); };

# everything else
destination messages { file("/var/log/messages"); };
log { source(src); destination(messages); };
```

----------

## DaggyStyle

Full file:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.7 2007/08/02 04:52:18 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        chain_hostnames(off);
        sync(0);

        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

#firewall
filter f_firewall { match("Rejected: "); };
filter f_no_firewall { not match("Rejected: "); };
destination firewall { file("/var/log/iptables.log" owner("root") group("adm") perm(0640)); };
log { source(src); filter(f_firewall); destination(firewall); flags(final); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); filter(f_no_firewall); destination(messages); };
log { source(src); destination(console_all); };
```

----------

## aronparsons

That configuration should work as you intend it to.  Maybe something with the trailing space in your 'match' directive?

----------
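A small Python model of the log-path evaluation discussed in this thread, added here as an example and not code from any poster or from syslog-ng. It assumes statements are evaluated top to bottom, that `flags(final)` stops later statements for a matching message, and that `match()` behaves like a regex search on the message text; the `route` helper and the sample messages are constructed for illustration.

```python
import re

def route(statements, message):
    """Return the destinations a message reaches, in delivery order.

    Simplified model (an assumption, not syslog-ng code): statements are
    evaluated top to bottom, a statement without a filter accepts everything,
    and flags(final) on a matching statement stops all later statements.
    """
    delivered = []
    for filt, destination, final in statements:
        if filt is None or filt(message):
            delivered.append(destination)
            if final:
                break
    return delivered

# match("Rejected: ") modelled as a regex search on the message text.
def f_firewall(msg):
    return re.search("Rejected: ", msg) is not None

def f_no_firewall(msg):
    return not f_firewall(msg)

# Log paths from the full file in the thread: (filter, destination, final).
THREAD_CONFIG = [
    (f_firewall, "firewall", True),
    (f_no_firewall, "messages", False),
    (None, "console_all", False),
]

# Same firewall path, but after an unfiltered catch-all: final comes too late.
FINAL_TOO_LATE = [
    (None, "messages", False),
    (f_firewall, "firewall", True),
    (None, "console_all", False),
]

# Constructed sample messages, not taken from a real log.
REJECTED = "kernel: Rejected: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=23"
SSHD = "sshd[1234]: Accepted publickey for alice from 192.0.2.20"
NO_SPACE = "kernel: Rejected:IN=eth0 OUT= SRC=192.0.2.10"  # prefix lacks the trailing space

if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG), ("final too late", FINAL_TOO_LATE)):
        for msg in (REJECTED, SSHD, NO_SPACE):
            print(f"{name:15} {route(cfg, msg)} <- {msg[:32]}")
```

In this model the `NO_SPACE` message misses `f_firewall` and lands in `messages`, which is the trailing-space case raised in the last reply, and the reordered configuration shows why the `final` statement has to precede the catch-all.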

