# syslog-ng filtering

## Tatewaki

I have installed ntpd and it works great, but I don't like all the messages that I get in /var/log/messages. I'd like to filter them out to another file, so I have written this in syslog-ng.conf:

```
destination d_ntpd { file("/var/log/ntpd.log"); };

filter f_ntpd     { match("ntpd"); };
filter f_not_ntpd { not match("ntpd"); };

log { source(src); filter(f_ntpd);     destination(d_ntpd); };
log { source(src); filter(f_not_ntpd); destination(messages); };
```

It logs it all to /var/log/ntpd.log, but it's also logged to /var/log/messages.

What have i done wrong?

----------

## Centinul

This might help. I believe if you just append final to the log statement it will only log to that file and not messages.

```
#  final     This flag means that the processing of log statements ends
#            here. Note that this doesn't necessarily mean that
#            matching messages will be stored once, as they can be
#            matching log statements processed prior to the current one.
```

```
log {
    source(local); filter(windows); destination(windows);
    flags(final);
};
```

----------

## Tatewaki

Hmm, that didn't work. Maybe I wrote it wrong; here is how my conf file looks:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gen$#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        chain_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination d_shorewall { file("/var/log/shorewall.log"); };

filter f_shorewall     { match("Shorewall"); };
filter f_not_shorewall { not match("Shorewall"); };

log { source(src); filter(f_shorewall);     destination(d_shorewall); };
log { source(src); filter(f_not_shorewall); destination(messages); };

destination d_ntpd { file("/var/log/ntpd.log"); };

filter f_ntpd     { match("ntpd"); };
filter f_not_ntpd { not match("ntpd"); };

log { source(src); filter(f_ntpd); destination(d_ntpd);
      flags(final);
};
log { source(src); filter(f_not_ntpd); destination(messages);
      flags(final);
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
```

Is that as it should be?

----------

## wsmc884

I've set up a syslog server and I'm looking for a way to write each incoming IP connection to its own separate file. Is this possible? If so, how would I do it?

Thanks,

Robert

----------

## splooge

something like ...

```
source net { udp(); };

destination servername { file("/var/log/servername"); };

log { source(net); destination(servername); };
```

I don't have it installed at the moment, but you can get crafty and replace 'servername' with a variable (something like $HOSTNAME) that will automatically create a new file with the name of $HOSTNAME.

----------

## think4urs11

try with a destination like this

```
destination std {
   file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/messages"
   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
   );
};
```

creates one file per host inside a folder structure separated per day
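A fuller version of that per-host destination, added here as an example and not taken from the thread or from the Gentoo default file. Beyond the file-name template it deals with who gets to choose `$HOST`: with `keep_hostname(no)` syslog-ng derives `$HOST` from the sender's address (reverse-resolved where it can) rather than from the hostname field inside the datagram, which the remote client fills in and which becomes part of a path on your disk here; `check_hostname(yes)` additionally rejects hostnames with characters outside the valid set. The `net` and `src` sources follow the thread's naming; the 192.168.10.0/24 management network, the `f_mgmt` filter name and the `/var/log/HOSTS` tree are assumptions for the example.

```conf
# Added example (not from the thread): one directory tree per remote sender,
# with local messages kept out of it. Assumes a syslog-ng of the same
# generation as the one in the thread (1.6-style syntax).

options {
    chain_hostnames(off);
    sync(0);
    stats(43200);
    # $HOST comes from the sender's address, not from the packet's hostname
    # field: a remote client controls that field and it ends up in a file
    # name below.
    keep_hostname(no);
    # Drop hostnames that contain characters outside the valid set.
    check_hostname(yes);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
# Listen on all interfaces, UDP/514 (the defaults, spelled out).
source net { udp(ip("0.0.0.0") port(514)); };

# Assumed management network: anyone who can reach UDP/514 can otherwise
# inject lines that are filed under whatever host name they pick.
filter f_mgmt { netmask("192.168.10.0/255.255.255.0"); };

# One file per host per day, root-only, directories created on demand.
destination d_per_host {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/messages"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
destination messages { file("/var/log/messages"); };

# Local messages stay in the local file; remote ones go to the per-host tree.
log { source(src); destination(messages); };
log { source(net); filter(f_mgmt); destination(d_per_host); };
```

If the receiving host is also listed in `net`'s management range, local messages still only match `src`, so they never land under `/var/log/HOSTS`. Reverse DNS for `$HOST` is only as trustworthy as your resolver; if that is a concern, `use_dns(no)` keeps the raw sender address in the path instead.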

----------

## Matteo Azzali

*Tatewaki wrote:*

> Hmm, that didn't work. Maybe I wrote it wrong; here is how my conf file looks:
>
> ...
 

You have 3 log commands with destination(messages)!

1) First of all, comment out log command 3; this one sends all messages to the messages file.

2) Then I think the first line should point to another destination, e.g. destination(m_not_shorewall), to be "chained" from the subsequent log commands (using m_not_shorewall instead of src...)

OR

you will need some way to use the 2 filters in a single command

(something like: `log { source(src); filter(f_not_shorewall, f_not_ntpd); destination(messages); };`

or similar; you will need to read the documentation, as this is just hypothetical...)
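A worked configuration for the routing problem above, added here as an example; it is neither from the thread nor from the Gentoo default file. It reuses the `src`, `d_shorewall`, `d_ntpd`, `messages` and `console_all` names from Tatewaki's config. The ordering rule it relies on is standard syslog-ng behaviour: log statements are evaluated in the order they appear, and `flags(final)` stops a message after the first statement that matches it, so a catch-all statement placed last only sees what nothing earlier claimed. The `program()` filter and the `f_rest` name are choices made for the example, not something the thread prescribes.

```conf
# Added example (not from the thread): Shorewall and ntpd lines go to their
# own files, everything else to /var/log/messages, and nothing is written
# to messages twice.

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination d_shorewall { file("/var/log/shorewall.log"); };
destination d_ntpd      { file("/var/log/ntpd.log"); };
destination messages    { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };

# match() is a regexp over the whole message text, so match("ntpd") also
# diverts any unrelated line that merely mentions ntpd. program() tests
# only the program name, so it is the safer choice where it fits.
filter f_shorewall { match("Shorewall"); };
filter f_ntpd      { program("^ntpd$"); };

# The console copy must come BEFORE the final-flagged statements, otherwise
# the diverted lines never reach tty12.
log { source(src); destination(console_all); };

# Variant A: ordered statements, each marked final. Whatever reaches the
# last statement matched neither filter, so no "not" filters are needed.
log { source(src); filter(f_shorewall); destination(d_shorewall); flags(final); };
log { source(src); filter(f_ntpd);      destination(d_ntpd);      flags(final); };
log { source(src); destination(messages); };

# Variant B: the same result with one combined filter and no final flags.
# Use either A or B, not both.
# filter f_rest { not match("Shorewall") and not program("^ntpd$"); };
# log { source(src); filter(f_shorewall); destination(d_shorewall); };
# log { source(src); filter(f_ntpd);      destination(d_ntpd); };
# log { source(src); filter(f_rest);      destination(messages); };
```

Variant A is easier to extend (add one filter, one destination and one final-flagged statement per daemon); Variant B keeps every statement independent of order, at the cost of updating `f_rest` whenever a new split is added. Either way, the original config's trailing `log { source(src); destination(messages); };` is what put the ntpd lines back into messages, and there must be only one unconditional statement for that destination.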

----------

## wsmc884

I have the SQL working and I'm trying to add receiving logs from other servers as well.

```
options {
        chain_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source net { udp(); };

destination messages { file("/var/log/messages"); };

# A destination name cannot be a macro; the macro belongs inside the
# file() template, where it is expanded per message.
destination d_per_host { file("/var/log/ws/$HOST/$MONTH/messages" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(net); destination(d_per_host); };

# pipe messages to /var/log/mysql.pipe to be processed by mysql
destination d_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes)); };

log { source(src); destination(d_mysql); };
```

----------

## splooge

```
log { source(net); destination(d_mysql); };
```

----------

