I'm getting log messages written to multiple files. Apache log messages are caught by a custom filter I've added (because I'd like them in their own set of files) - but the user filter also catches those messages and writes them to a user.x.log. I'd like the user filter to catch anything that isn't being logged elsewhere.

Do I need to write a filter that excludes Apache messages? That would be a hassle - as I add more specialized configurations, I'd have to keep coming back to exclude it from the user filter.

The relevant portions of syslog-ng.conf (I believe):

source s_all {
  # message generated by Syslog-NG
  internal();
  # standard Linux log source (this is the default place for the syslog()
  # function to send logs to)
  unix-stream("/dev/log");
  # messages from the kernel
  file("/proc/kmsg" log_prefix("kernel: "));
  # use the following line if you want to receive remote UDP logging messages
  # (this is equivalent to the "-r" syslogd flag)
  udp();
  tcp(ip("10.102.123.30") port(5140) keep-alive(yes));
};
destination df_user {
  file("/var/log/HOSTS/$HOST/$R_YEAR/$R_MONTH/user.$R_DAY.log"
  template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
  template_escape(no));
};
destination df_apache {
  file("/var/log/HOSTS/$HOST/apache/$R_YEAR/$R_MONTH/$LEVEL.$R_DAY.log"
  template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
  template_escape(no));
};
filter f_apache {
  match("apache_com");
};
filter f_user { facility(user); };
log {
  source(s_all);
  filter(f_apache);
  destination(df_apache);
};
log {  
  source(s_all);
  filter(f_user);
  destination(df_user);
};

[EDIT] Found my answer: I needed the flags(final); directive in the log config. When using the final directive, the order of log statements matters ...
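
The fix described in the edit above, written out as an added example (not the original poster's final configuration). It reuses the s_all, f_apache, f_user, df_apache and df_user definitions from the question unchanged and only alters the log statements.

```conf
# Added example: the two log paths from the question with flags(final) applied.
# The source, filter and destination definitions are the ones shown in the
# question and are not repeated here.

# 1. Specialized path first. flags(final) ends processing for every message
#    that passes f_apache, so log statements further down never see it.
log {
  source(s_all);
  filter(f_apache);
  destination(df_apache);
  flags(final);
};

# 2. General path last. It now receives only the user-facility messages that
#    no earlier final path claimed, so Apache lines no longer land in
#    user.$R_DAY.log as well.
log {
  source(s_all);
  filter(f_user);
  destination(df_user);
};

# Ordering caveat: a log statement that must see every message (for example
# a complete archive kept for audit or incident response) has to appear
# ABOVE the final paths. Placed below them, it silently loses whatever they
# matched.
```

syslog-ng also provides flags(fallback), which marks a log statement as handling only messages that no non-fallback statement processed, so a catch-all built that way does not depend on statement order.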