Home / server / Questions / 680167
In Process
Peter Turner
Asked: 2015-04-03 13:09:56 +0800 CST

How are filters combined in syslog-ng?

  • 772

If I've got an entry in syslog-ng 

log {
  source (src);
  filter (filter1);
  filter (filter2);
  filter (filter3);
  filter (filter4);
  destination (all_log)
 }

And, say filter4 is a very permissive filter and filter3 is a filter to eradicate a couple irksome hosts. If filter2 and/or filter1 allow one of those irksome hosts, will it get logged?

logging

1 Answers

  1. From the syslog-ng administrators guide (v 2.0, which is old, but what you're using)

    When a log statement includes multiple filter statements, syslog-ng sends a message to the destination only if all filters are true for the message. In other words, the filters are connected with the logical AND operator. In the following example, no message arrives to the destination, because the filters are exclusive (the hostname of a client cannot be example1 and example2 at the same time).

    So that makes sense, it would be way too complicated and undocumented if it worked any other way. So you're going to have to find some other way of accomplishing what you're trying to do!

    It looks like, in general, the way you would want to exclude a host is to use not host('HOSTNAME') or (host('HOSTNAME') and level(...) ) as your filter.

    • 6