# [Solved] Help: syslog-ng.conf

## aztech

Hi

A while ago, I got some help to configure syslog-ng, to put auth in a separate auth.log.

It worked, but all auth also gets written into messages etc ...

Now .. I'm asking for help to make a config, that logs something like this ..

auth.log

mail.log

cron.log

messages(.log) <- the "rest"

This is my current config and I really don't understand much of it.

```
@version: 3.0

options {
    chain_hostnames(off);
    flush_lines(0);
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };
destination mail { file("/var/log/mail.log"); };
filter mail { facility(mail); };
filter notmail { not facility(mail); };
log { source(src); filter(mail); destination(mail); };
log { source(src); filter(notmail); destination(messages); };

destination console_all { file("/dev/tty12"); };
log { source(src); destination(console_all); };

destination authlog { file("/var/log/auth.log"); };
filter f_authpriv { facility(auth, authpriv); };
log { source(src); filter(f_authpriv); destination(authlog); };

destination sensord { file("/var/log/sensord"); };
filter f_sensord { facility(local4); };
log { source(src); filter(f_sensord); destination(sensord); };
```

Is there maybe a nice soul out there, who can help me to clean up this mess?

//Andreas

Last edited by aztech on Fri Nov 06, 2009 6:59 am; edited 1 time in total

----------

## honp

I think that the idea is quite easy.

You have three parts of one syslog "command":

source, filter, destination.

The source is still the same for you (I think):

```
source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};
```

Then you have to use a filter. This tells syslog what interests you.

```
filter mail { facility(mail); };
```

In this case, what interests you is from the facility (see manual) mail.

And last is the destination. This is where you want to have it written (/var/log/mail.log).

What can be a little tricky is the NOT filter, but it is an easy thing that can be used to control that you write something twice.

So the thing you want is:

```
filter auth { facility(auth); };
filter notauth { not facility(auth); };
destination auth { file("/var/log/auth.log"); };
log { source(src); filter(notmail); filter(notauth); destination(messages); };
```

Is it a little bit clearer?

----------

## aztech

Thank you.

Knowing about the source, filter and destination, it all turned out to be much easier.

----------

## aztech

Old thread, but now I've got another question.

Looking at my config again, we can see that sensord is filtered as facility local4,

but how do I really know about other local*'s?

```
options {
    chain_hostnames(off);
    flush_lines(0);
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

filter f_mail { facility(mail); };
filter f_notmail { not facility(mail); };
filter f_auth { facility(auth, authpriv); };
filter f_notauth { not facility(auth, authpriv); };
filter f_sensord { facility(local4); };
filter f_notsensord { not facility(local4); };

destination console_all { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination mail { file("/var/log/mail.log"); };
destination authlog { file("/var/log/auth.log"); };
destination sensord { file("/var/log/sensord.log"); };

log { source(src); destination(console_all); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_auth); destination(authlog); };
log { source(src); filter(f_sensord); destination(sensord); };
log { source(src); filter(f_notmail); filter(f_notauth); filter(f_notsensord); destination(messages); };
```

Today I added a new filter, to stop syslog-ng from printing sensord logging to messages.

i.e.

```
filter f_notsensord { not facility(local4); };
```

It seems to work.

----------

## magic919

Have a look at using 'final' as part of the config to stop the sensord messages going elsewhere.

----------
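magic919's suggestion written out, as an added example that is not part of the original thread: aztech's last config with `flags(final)` on the three specific log paths, so the negated `f_not*` filters are no longer needed. It assumes the `flags(final)` log-statement flag of syslog-ng 3.x and keeps the names and paths from the posts above.

```conf
# Added example, not from the thread. Names and paths are aztech's;
# the only new element is flags(final) on the three specific log paths.
# Syntax check before reloading: syslog-ng --syntax-only -f <this file>
@version: 3.0

options {
    chain_hostnames(off);
    flush_lines(0);
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

filter f_mail    { facility(mail); };
filter f_auth    { facility(auth, authpriv); };
filter f_sensord { facility(local4); };

destination console_all { file("/dev/tty12"); };
destination messages    { file("/var/log/messages"); };
destination mail        { file("/var/log/mail.log"); };
destination authlog     { file("/var/log/auth.log"); };
destination sensord     { file("/var/log/sensord.log"); };

# 1. Unfiltered console copy. It has to come first: a final statement
#    only cuts off the log statements that follow it.
log { source(src); destination(console_all); };

# 2. Specific paths. A message accepted by one of these filters is
#    written to its own file and is not passed to later statements.
log { source(src); filter(f_mail);    destination(mail);    flags(final); };
log { source(src); filter(f_auth);    destination(authlog); flags(final); };
log { source(src); filter(f_sensord); destination(sensord); flags(final); };

# 3. "The rest": no f_not* filters needed, because mail, auth/authpriv
#    and local4 messages never get this far.
log { source(src); destination(messages); };
```

Adding another dedicated file (cron.log, say) then takes one filter, one destination and one `final` log statement above the last line, with no change to the `messages` path. `flags(fallback)` on the last statement is not a substitute here, since a fallback path only receives messages that matched no other log statement and the unfiltered console statement matches everything.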

