* [gentoo-user] syslog-ng: filter plugin NOT not found ????
From: Dan Egli @ 2020-12-16 3:44 UTC
To: gentoo-user
Help me understand this, please? I have ISC dhcpd configured to log to
syslog.local7 (since I don't see an option to force it into its own log
file). So I went into my syslog-ng file and created two filters, just
like on the example page of syslog-ng.com:

filter dhcpmsgs { facility(23) );
filter non_dhcp { NOT filter(dhcpmsgs) )

I quoted almost directly from the example page on syslog-ng.com, but I
keep getting this error when I reload syslog-ng's config:

Error parsing filter expression, filter plugin NOT not found OR you may
not used double quotes in your filter expression in
/etc/syslog-ng/syslog-ng.conf:25:18-25:21:

What did I do wrong? Here's the lines I modified from the syslog-ng page:

filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
filter inverted_demo_filter { NOT filter(demo_filter) }

You can see the page at:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53

--
Dan Egli
From my Test Server
* Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
From: Todd Goodman @ 2020-12-16 12:31 UTC
To: gentoo-user
I think you need a semi-colon inside and after the right curly brace ('}')

Your right braces are parentheses and not right curly braces too (maybe a
cut and paste issue?)

FWIW, the following is what I use to separate my mail logs out and it works:

destination messages { file("/var/log/messages"); };
destination maillog { file("/var/log/maillog"); };

filter f_mail { facility(mail); };
filter f_messages { not facility(mail); };

log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_messages); destination(messages); };

On 12/15/2020 10:44 PM, Dan Egli wrote:
> Help me understand this, please? I have ISC dhcpd configured to log
> to syslog.local7 (since I don't see an option to force it into its
> own log file). So I went into my syslog-ng file and created two
> filters, just like on the example page of syslog-ng.com:
>
> filter dhcpmsgs { facility(23) );
> filter non_dhcp { NOT filter(dhcpmsgs) )
>
> I quoted almost directly from the example page on syslog-ng.com, but I
> keep getting this error when I reload syslog-ng's config:
> Error parsing filter expression, filter plugin NOT not found OR you
> may not used double quotes in your filter expression in
> /etc/syslog-ng/syslog-ng.conf:25:18-25:21:
>
> What did I do wrong? Here's the lines I modified from the syslog-ng page:
> filter demo_filter { host("example") and match("deny"
> value("MESSAGE")) };
> filter inverted_demo_filter { NOT filter(demo_filter) }
>
> You can see the page at:
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/53
>
>
* Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
From: David Haller @ 2020-12-16 17:30 UTC
To: gentoo-user
Hello,
On Wed, 16 Dec 2020, Todd Goodman wrote:
>I think you need a semi-colon inside and after the right curly brace ('}')
>
>Your right braces are parentheses and not right curly braces too (maybe a cut
>and paste issue?)
>
>FWIW, the following is what I use to separate my mail logs out and it works:
>
>destination messages { file("/var/log/messages"); };
>destination maillog { file("/var/log/maillog"); };
>
>filter f_mail { facility(mail); };
>filter f_messages { not facility(mail); };
>
>log { source(src); filter(f_mail); destination(maillog); };
>log { source(src); filter(f_messages); destination(messages); };
>
>On 12/15/2020 10:44 PM, Dan Egli wrote:
>> Help me understand this, please? I have ISC dhcpd configured to log to
>> syslog.local7 (since I don't see an option to force it into its own log
>> file). So I went into my syslog-ng file and created two filters, just
>> like on the example page of syslog-ng.com:
>>
>> filter dhcpmsgs { facility(23) );
>> filter non_dhcp { NOT filter(dhcpmsgs) )

Also, where's that '23' coming from? Shouldn't that be

filter dhcpmsgs { facility(local7); };

HTH,
-dnh
--
printk(KERN_DEBUG "%s: Flex. Ttttt...\n", DRV_NAME);
linux-2.6.6/drivers/net/wan/dscc4.c
* Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
From: Dan Egli @ 2020-12-16 19:24 UTC
To: gentoo-user
Well, I'm starting to make progress. But something isn't right. I found
out the plugin error was due to the fact that despite syslog-ng.com
showing the reversal as NOT, the actual statement is not (all lower case
vs all upper case). So that means that syslog-ng loads just fine. But I
can't get the dhcp output to where I want it. If I have the syslog
facility in dhcpd turned on, or if I redirect the output to a file in
systemd, then I get dhcpd messages in the file AND in the syslog itself
(/var/log/messages). No matter what I try, the dhcpd output ALWAYS goes
to syslog. I can get it to go to a separate file TOO, but not ONLY.
Here's the entire syslog-ng.conf and the service file for dhcpd.
Hopefully you guys can figure something out I missed:

(dhcpd4.service)

[Unit]
Description=DHCPv4 Server Daemon
Documentation=man:dhcpd(8) man:dhcpd.conf(5)
After=network.target
After=time-sync.target
After=network-online.target
Wants=network-online.target
StandardOut=null
StandardError=null

[Service]
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcp -group dhcp --no-pid

[Install]
WantedBy=multi-user.target

With everything going to null, you'd think that with the syslog statement
in dhcpd.conf disabled, I'd get no log at all. But I still get the log
in /var/log/messages. Here's syslog-ng.conf:

@version: 3.26

options {
    threaded(yes);
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};

filter dhcpfilter { facility(local7); };
filter nondhcp { not filter(dhcpfilter); };

source src { system(); internal(); };

destination messages { file("/var/log/messages"); };
destination dhcplog { file("/var/log/dhcpd.log"); };
destination console_all { file("/dev/tty12"); };

log { source(src); filter(nondhcp); destination(messages); };
log { source(src); destination(console_all); };
log { source(src); filter(dhcpfilter); destination(dhcplog); };

And for what it's worth, here's my dhcpd.conf:

default-lease-time 3600;
max-lease-time 43200;

# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;

authoritative;

# log-facility local7;

allow booting;

subnet 10.0.2.0 netmask 255.255.255.0 {
    # no services at all!
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.128 192.168.10.254;
    if exists user-class and option user-class = "iPXE" {
        filename "pxelinux.efi";
    } else {
        filename "pxelinux.0";
    }
    next-server 192.168.10.3;
    option domain-name-servers 192.168.10.2, 8.8.8.8;
    option domain-name "eglifamily.name";
    option routers 192.168.10.1;
}

host testbox-1 {
    hardware ethernet 08:00:27:D5:AA:3C;
    fixed-address 192.168.10.64;
    option host-name "testbox-1";
    ddns-hostname "testbox-1.eglifamily.name";
}

--
Dan Egli
From my Test Server
* Re: [gentoo-user] syslog-ng: filter plugin NOT not found ????
From: Dan Egli @ 2020-12-16 19:30 UTC
To: gentoo-user
23 is the hard coded constant for local7. They are identical.
facility(23) and facility(local7) mean the exact same thing.
On 12/16/2020 10:30 AM, David Haller wrote:
> Hello,
>
> On Wed, 16 Dec 2020, Todd Goodman wrote:
>> I think you need a semi-colon inside and after the right curly brace ('}')
>>
>> Your right braces are parentheses and not right curly braces too (maybe a cut
>> and paste issue?)
>>
>> FWIW, the following is what I use to separate my mail logs out and it works:
>>
>> destination messages { file("/var/log/messages"); };
>> destination maillog { file("/var/log/maillog"); };
>>
>> filter f_mail { facility(mail); };
>> filter f_messages { not facility(mail); };
>>
>> log { source(src); filter(f_mail); destination(maillog); };
>> log { source(src); filter(f_messages); destination(messages); };
>>
>> On 12/15/2020 10:44 PM, Dan Egli wrote:
>>> Help me understand this, please? I have ISC dhcpd configured to log to
>>> syslog.local7 (since I don't see an option to force it into its own log
>>> file). So I went into my syslog-ng file and created two filters, just
>>> like on the example page of syslog-ng.com:
>>>
>>> filter dhcpmsgs { facility(23) );
>>> filter non_dhcp { NOT filter(dhcpmsgs) )
> Also, where's that '23' coming from? Shouldn't that be
>
> filter dhcpmsgs { facility(local7); };
>
> HTH,
> -dnh
>
--
Dan Egli
From my Test Server
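
Added example (not part of the thread, and not code from syslog-ng or any poster): a small Python model of the two points above, that facility code 23 and the name local7 are the same value, and how the three log statements in the posted syslog-ng.conf route a message depending on its facility. The sample lines, the hostname testsrv, the PID and the interface name are constructed; the names used for facility codes 12-15 are informal labels.

```python
import re

# Facility codes per RFC 5424; names for 12-15 are informal labels.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def to_code(facility):
    """Accept a name or a number: 'local7' and 23 resolve to the same code."""
    return facility if isinstance(facility, int) else FACILITIES.index(facility)

def facility_of(line):
    """Facility code of a syslog line, from PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    return int(m.group(1)) // 8

def dhcpfilter(line):   # filter dhcpfilter { facility(local7); };
    return facility_of(line) == to_code("local7")

def nondhcp(line):      # filter nondhcp { not filter(dhcpfilter); };
    return not dhcpfilter(line)

# The three log statements from the posted config, in order (None = no filter).
LOG_PATHS = [(nondhcp, "/var/log/messages"),
             (None, "/dev/tty12"),
             (dhcpfilter, "/var/log/dhcpd.log")]

def route(line):
    """Every log statement is evaluated, so one line can reach several files."""
    return [dest for flt, dest in LOG_PATHS if flt is None or flt(line)]

# Constructed sample lines: <190> is local7.info, <30> is daemon.info.
SAMPLES = [
    "<190>Dec 16 12:00:00 testsrv dhcpd[812]: DHCPDISCOVER from 08:00:27:d5:aa:3c via eth0",
    "<30>Dec 16 12:00:01 testsrv dhcpd[812]: DHCPOFFER on 192.168.10.64 to 08:00:27:d5:aa:3c via eth0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(FACILITIES[facility_of(sample)], "->", route(sample))
```

In this model a dhcpd line stays out of /var/log/messages only when it actually carries facility 23; a line tagged with any other facility takes the nondhcp path.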