another time help with syslog-ng

Hi @ all,
there's another problem which I have with syslog-ng, perhaps somebody has a solution:
We have a server which sends its messages log to another server - worked well with ... destination logserver ... and so on.
In /var/log/messages there's an entry like this every 5 minutes

...
Sep 10 16:20:01 Servername sshd[25721]: Accepted publickey for user from 123.12.123.123 port 47936 ssh2
...

To get rid of these messages I tried to filter them out with syslog-ng.

What I want:
the messages above should be written to a separate logfile, and the hourly syslog status message from syslog itself

Sep 11 12:12:26 Servername syslog-ng[18531]: Log statistics; dropped='udp(AF_INET(123.12.123.12:514))=0', processed='center(queued)=71', processed='center(received)=30', processed='destination(messages)=24', processed='destination(mailinfo)=0', processed='destination(mailwarn)=0', processed='destination(logserver)=30', processed='destination(localmessages)=0', processed='destination(mailerr)=0', processed='destination(newserr)=0', processed='destination(netmgm)=0', processed='destination(warn)=0', processed='destination(console)=0', processed='destination(null)=0', processed='destination(mail)=0', processed='destination(xconsole)=0', processed='destination(firewall)=0', processed='destination(f_publickey)=17', processed='destination(acpid)=0', processed='destination(newscrit)=0', processed='destination(newsnotice)=0', processed='source(src)=30'

should still be written to /var/log/messages;
furthermore the server should send its messages to a log server, but of course without the "publickey" messages, and with the syslog-ng status messages.
I tried many versions of configuring the syslog-ng.conf but none of them worked well.
Here are the lines in my syslog-ng.conf:

...
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter("publickey"); };
...
#Filter f_publickey
filter f_publickey { match("publickey"); };
...
# Logfile for publickey-messages
destination publickey { file("/var/log/publickey"); };
log { source(src); filter(f_publickey); destination(publickey); };

but unfortunately it didn't work -
either the "publickey" messages are written together with the syslog status message to my defined file, or the separate file stays empty.

Could anybody tell me where my mistake is, or is there perhaps another solution possible?
Thanks for answers

Hi!

The best way to achieve this, in my opinion, is something along these lines:

filter f_sshd_accepted { program("sshd") and match("publickey"); };
destination publickey { file("/var/log/publickey"); };

log { 
 source(src); filter(f_sshd_accepted); destination(publickey);
 flags(final);
};

The extra trick is the flags(final) part, which tells syslog-ng that if a message ends up routed to that logpath, it will not arrive at others. Without this, a message will end up on all logpaths that do not filter it out.

Hope that helps!
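
An added illustration, not part of the thread and not syslog-ng code: a simplified Python model of log-path evaluation, run over constructed sample lines shortened from the two messages quoted above. It shows that the quoted statistics line itself contains the string "publickey" (in destination(f_publickey)=17), so a bare match("publickey") catches it too, and how flags(final) keeps a message away from the log paths that follow. The names route, config and LogPath are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample lines, shortened from the two messages quoted in the thread,
# plus one unrelated sshd line.
SAMPLES = [
    "Sep 10 16:20:01 Servername sshd[25721]: Accepted publickey for user from 123.12.123.123 port 47936 ssh2",
    "Sep 11 12:12:26 Servername syslog-ng[18531]: Log statistics; processed='destination(f_publickey)=17', processed='source(src)=30'",
    "Sep 11 12:13:02 Servername sshd[25800]: Failed password for user from 123.12.123.123 port 47990 ssh2",
]
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ ([^\[:\s]+)(?:\[\d+\])?: (.*)$")

# Simplified model of one log statement: filter, destination, flags(final).
LogPath = namedtuple("LogPath", "accepts destination final")

def f_publickey(program, msg):
    # filter from the question: match("publickey")
    return re.search("publickey", msg) is not None

def f_sshd_accepted(program, msg):
    # filter from the answer: program("sshd") and match("publickey")
    return re.search("sshd", program) is not None and f_publickey(program, msg)

def everything(program, msg):
    return True

def route(paths, lines=SAMPLES):
    """Walk the log paths in configuration order; flags(final) stops the walk."""
    delivered = {p.destination: [] for p in paths}
    for line in lines:
        program, msg = LINE.match(line).groups()
        for p in paths:
            if p.accepts(program, msg):
                delivered[p.destination].append(program)
                if p.final:
                    break  # later log paths never see this message
    return delivered

def config(first_filter):
    """publickey path first and final, then local file, then remote server."""
    return [
        LogPath(first_filter, "/var/log/publickey", True),
        LogPath(everything, "/var/log/messages", False),
        LogPath(everything, "logserver", False),
    ]

if __name__ == "__main__":
    for name, flt in (("match only", f_publickey), ("program + match", f_sshd_accepted)):
        print(name, route(config(flt)))
    # final path placed last: the earlier paths have already delivered the message
    print("final last", route(config(f_sshd_accepted)[1:] + config(f_sshd_accepted)[:1]))
```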

Hi,
thanks a lot for this ... it works for the "publickey" messages - they'll be filtered out,
but unfortunately the syslog status messages will not be forwarded to the log server.
Do you have an idea why not?

Probably because it's not in the appropriate log path. Can you show the whole config?

Hi,

here's the full conf file