# Syslog-ng 3.x and the Gentoo template conf-file errors

## Kattsand

Code Listing 4.1: /etc/syslog-ng/syslog-ng.conf seems a little bit outdated (url: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=3#doc_chap4)

The result after implementation:

```

meow syslog-ng # /etc/init.d/syslog-ng restart

Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;

WARNING: global: the default value of chain_hostnames is changing to 'no' in version 3.0, please update your configuration accordingly;

Your configuration file uses an obsoleted keyword, please update your configuration; keyword='sync', change='flush_lines'

WARNING: input: sources do not remove new-line characters from messages by default in version 3.0, please add 'no-multi-line' flag to your configuration if you want to retain this functionality;

WARNING: file source: default value of follow_freq in file sources is changing in 3.0 to '1' for all files except /proc/kmsg;

WARNING: template: the default value for template-escape is changing to 'no' in version 3.0, please update your configuration file accordingly;

syntax error in /etc/syslog-ng/syslog-ng.conf at line 9.

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng

mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

 * Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.conf)     [ !! ]
```

These 2 lines generates config error when starting/restarting syslog-ng 3.x:

```
destination syslog { file("/var/log/syslog"); };

log { source(src); filter(f_syslog); destination(syslog); };

```

Fixed some of the issues but dont know how to fix the match() warning:  "WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;"

```
filter f_failed { match("failed"); value(???); };

filter f_denied { match("denied"); value(???); };
```

What parameter should value() take?

any help appreciated.

----------

## iss

I'm not sure if this is 100% correct but I have it in my config and I think it works ok.

```
filter f_failed { match("failed" value("MESSAGE")); };

filter f_denied { match("denied" value("MESSAGE")); };
```

Supported values are:

```
"HOST"

"HOST_FROM"

"MESSAGE"

"PROGRAM"

"PID"

"MSGID"

"SOURCE"
```

I think this is a post in which I've found it when my syslog broke after upgrade to version 3 - https://lists.balabit.hu/pipermail/syslog-ng/2009-April/012789.html

----------

## mack1

Hi, this is mine syslog.cong:

```

@version: 3.0

options {

        chain_hostnames(no);

        stats_freq(43200);

};

source src {

    unix-stream("/dev/log" max-connections(256));

    internal();

    file("/proc/kmsg");

};

source src { unix-stream("/dev/log"); internal(); };

source kernsrc { file("/proc/kmsg"); };

#define destinations

destination authlog { file("/var/log/auth.log"); };

destination cron { file("/var/log/cron.log"); };

destination daemon { file("/var/log/daemon.log"); };

destination kern { file("/var/log/kern.log"); };

destination kernel_all { file("/dev/tty11"); };

destination lpr { file("/var/log/lpr.log"); };

destination user { file("/var/log/user.log"); };

destination mail { file("/var/log/mail.log"); };

destination mailinfo { file("/var/log/mail.info"); };

destination mailwarn { file("/var/log/mail.warn"); };

destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };

destination newserr { file("/var/log/news/news.err"); };

destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };

destination messages { file("/var/log/messages"); };

destination console { usertty("root"); };

destination console_all { file("/dev/tty12"); };

destination xconsole { pipe("/dev/xconsole"); };

destination firewall { file("/var/log/firewall.log"); };

#create filters

filter f_auth { facility(auth); };

filter f_authpriv { facility(auth, authpriv); };

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_user { facility(user); };

filter f_debug { not facility(auth, authpriv, news, mail); };

filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };

filter f_warn { level(warn); };

filter f_crit { level(crit); };

filter f_err { level(err); };

filter f_failed { message("failed"); };

filter f_denied { message("denied"); };

filter f_firewall { message("FW:"); };

#connect filter and destination

log { source(src); filter(f_authpriv); destination(authlog); };

log { source(src); filter(f_cron); destination(cron); };

log { source(src); filter(f_daemon); destination(daemon); };

log { source(kernsrc); filter(f_kern); destination(kern); };

log { source(src); filter(f_lpr); destination(lpr); };

log { source(src); filter(f_mail); destination(mail); };

log { source(src); filter(f_user); destination(user); };

log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };

log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };

log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

log { source(src); filter(f_debug); destination(debug); };

log { source(src); filter(f_messages); destination(messages); };

log { source(src); filter(f_emergency); destination(console); };

log { source(kernsrc); filter(f_firewall); destination(firewall); };

log { source(src); destination(kernel_all); };

log { source(kernsrc); destination(console_all); };

```

 *Quote:*   

> 
> 
> destination syslog { file("/var/log/syslog"); };
> 
> log { source(src); filter(f_syslog); destination(syslog); };
> ...

 

Remove them,add "@version: 3.0" to syslog.conf and replace the filter "match" with "message"......also check the line that contains "stats_freq" if it is correct.... there was a syntax change with syslog-3.xxx  :Rolling Eyes:  .

I hope this help  :Wink:  .

Cheers

----------

