I'm getting log messages written to multiple files. Apache log messages are caught by a custom filter I've added (because I'd like them in their own set of files) - but the user filter also catches those messages and writes them to a user.x.log. I'd like the user filter to catch anything that isn't being logged elsewhere.
Do I need to write a filter that excludes Apache messages? That would be a hassle - as I add more specialized configurations, I'd have to keep coming back to exclude it from the user filter.
The relevant portions of syslog-ng.conf (I believe):
source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    udp();
    tcp(ip("10.102.123.30") port(5140) keep-alive(yes));
};

destination df_user {
    file("/var/log/HOSTS/$HOST/$R_YEAR/$R_MONTH/user.$R_DAY.log"
         template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
         template_escape(no));
};

destination df_apache {
    file("/var/log/HOSTS/$HOST/apache/$R_YEAR/$R_MONTH/$LEVEL.$R_DAY.log"
         template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
         template_escape(no));
};

filter f_apache {
    match("apache_com");
};

filter f_user { facility(user); };

log {
    source(s_all);
    filter(f_apache);
    destination(df_apache);
};

log {
    source(s_all);
    filter(f_user);
    destination(df_user);
};
[EDIT] Found my answer: I needed the flags(final); directive in the log config. When using the final directive, the order of log statements matters ...
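
The fix from the edit, written out as an added example that is not part of the original post: the two log statements reuse the post's own source, filter and destination names, with the specific statement marked final and placed first. The commented-out flags(fallback) variant is an alternative the post does not mention.

```conf
# Added example, not the poster's final configuration.
# Source, filter and destination names are the ones defined in the post.

# 1. Specific statement first. A message matching f_apache is written to
#    df_apache and, because of flags(final), is not passed on to any log
#    statement that appears later in the file.
log {
    source(s_all);
    filter(f_apache);
    destination(df_apache);
    flags(final);
};

# 2. General statement last. It only receives user-facility messages that
#    no earlier final statement has already claimed.
log {
    source(s_all);
    filter(f_user);
    destination(df_user);
};

# Any further specialized log statement goes above statement 2 and also
# carries flags(final); f_user itself never needs an exclusion list.
#
# Alternative: mark the general statement as a fallback instead. A fallback
# statement only processes messages that no non-fallback log statement
# matched, so it does not depend on position in the file.
#
# log {
#     source(s_all);
#     filter(f_user);
#     destination(df_user);
#     flags(fallback);
# };
```

flags(final) only stops statements that come after it, so a statement placed above the Apache one would still receive a copy of the same message.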