Excluindo algumas mensagens do syslog-ng

2

Estou tentando excluir o registro de algumas mensagens pelo syslog-ng, como essa entrada de log do LDAP:

Sep 18 15:18:34 myserver slapd[9682]: conn=1043 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=

Eu tenho este filtro syslog-ng que estou tentando usar para filtrar essas mensagens:

 filter f_not_ldap { not match("slapd" value(PROGRAM)); };
 log { source(s_udp); filter(f_not_asa); filter(f_not_dbg); filter(f_not_ldap); destination(d_messages); destination(d_logserver); };

Mas essas entradas slapd ainda estão indo para o meu servidor de log remoto. Alguém pode me dizer o que estou fazendo errado? O que mais eu preciso fazer para filtrar essas entradas slapd?

Obrigado antecipadamente.

Edit: Aqui está todo o arquivo syslog-ng.conf:

@version: 3.3
@include "scl.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
      owner("root"); group("adm"); perm(0640); stats_freq(0);
      bad_hostname("^gconfd$");
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src {
       system();
       internal();
};

# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
#source s_net { tcp(ip(127.0.0.1) port(1000) authentication(required) encrypt(allow)); };

########################
# Destinations
########################
# First some standard logfile
#
destination d_auth { file("/var/log/auth.log"); };
destination d_cron { file("/var/log/cron.log"); };
destination d_daemon { file("/var/log/daemon.log"); };
destination d_kern { file("/var/log/kern.log"); };
destination d_lpr { file("/var/log/lpr.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_syslog { file("/var/log/syslog"); };
destination d_user { file("/var/log/user.log"); };
destination d_uucp { file("/var/log/uucp.log"); };

# This files are the log come from the mail subsystem.
#
destination d_mailinfo { file("/var/log/mail/mail.info"); };
destination d_mailwarn { file("/var/log/mail/mail.warn"); };
destination d_mailerr { file("/var/log/mail/mail.err"); };

# Logging for INN news system
#
destination d_newscrit { file("/var/log/news/news.crit"); };
destination d_newserr { file("/var/log/news/news.err"); };
destination d_newsnotice { file("/var/log/news/news.notice"); };

# Some 'catch-all' logfiles.
#
destination d_debug { file("/var/log/debug"); };
destination d_error { file("/var/log/error"); };
destination d_messages { file("/var/log/messages"); };

# The root's console.
#
destination d_console { usertty("root"); };

# Virtual console.
#
destination d_console_all { file("/dev/tty10"); };

# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
# you must invoke nsole' with the -file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
destination d_xconsole { pipe("/dev/xconsole"); };

# Send the messages to an other host
#
#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };

# Debian only
destination d_ppp { file("/var/log/ppp.log"); };

########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which 
# message go where.

filter f_dbg { level(debug); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_err { level(err); };
filter f_crit { level(crit .. emerg); };

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_error { level(err .. emerg) ; };
filter f_messages { level(info,notice,warn) and 
                    not facility(auth,authpriv,cron,daemon,mail,news); };

filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
filter f_cron { facility(cron) and not filter(f_debug); };
filter f_daemon { facility(daemon) and not filter(f_debug); };
filter f_kern { facility(kern) and not filter(f_debug); };
filter f_lpr { facility(lpr) and not filter(f_debug); };
filter f_local { facility(local0, local1, local3, local4, local5,
                        local6, local7) and not filter(f_debug); };
filter f_mail { facility(mail) and not filter(f_debug); };
filter f_news { facility(news) and not filter(f_debug); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
filter f_user { facility(user) and not filter(f_debug); };
filter f_uucp { facility(uucp) and not filter(f_debug); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

filter f_ppp { facility(local2) and not filter(f_debug); };
filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
log { source(s_src); filter(f_auth); destination(d_auth); };
log { source(s_src); filter(f_cron); destination(d_cron); };
log { source(s_src); filter(f_daemon); destination(d_daemon); };
log { source(s_src); filter(f_kern); destination(d_kern); };
log { source(s_src); filter(f_lpr); destination(d_lpr); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_src); filter(f_user); destination(d_user); };
log { source(s_src); filter(f_uucp); destination(d_uucp); };

log { source(s_src); filter(f_mail); destination(d_mail); };
#log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
#log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
#log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
#log { source(s_src); filter(f_cnews); destination(d_console_all); };
#log { source(s_src); filter(f_cother); destination(d_console_all); };

#log { source(s_src); filter(f_ppp); destination(d_ppp); };

log { source(s_src); filter(f_debug); destination(d_debug); };
log { source(s_src); filter(f_error); destination(d_error); };
log { source(s_src); filter(f_messages); destination(d_messages); };

log { source(s_src); filter(f_console); destination(d_console_all);
                                destination(d_xconsole); };
log { source(s_src); filter(f_crit); destination(d_console); };

# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };

# = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 
# HMS customizations
# = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 

source s_udp { udp(ip(0.0.0.0) port(514)); };

destination d_fw_log { file("/var/log/asa-fw.log"); };
destination d_logserver { tcp("log1.mycompany.com"); };
destination d_hulkserver { tcp("hulk.mycompany.com"); };


filter f_is_asa { host("10.100.10.1$") or host ("10.100.10.2$"); or host ("10.100.10.14$"); };
filter f_not_asa { not (host("10.100.10.1$") or host ("10.100.10.2$"); or host ("10.100.10.14$")); };
filter f_not_dbg { not level(debug); };


# incoming nNon-firewall non-ldap logs go to messages file and log1
log { source(s_udp); filter(f_not_asa); filter(f_not_dbg); filter(f_not_ldap); destination(d_messages); destination(d_hulkserver); destination(d_logserver); };


# incoming firewall logs go to separate file (and log1).
#log { source(s_udp); filter(f_is_asa); destination(d_fw_log); destination(d_logserver); };
# Actually, just send the ASA logs to a file, not log1 - jwr 20130904
log { source(s_udp); filter(f_is_asa); destination(d_fw_log); };

# send a copy of all local stuff to log1
log { source(s_src); destination(d_logserver); };

# added for ldap logging
destination d_ldap { file("/var/log/ldap.log"); };
filter f_ldap { facility(local4); };
filter f_not_ldap { not match("slapd" value(PROGRAM)); };
log { source(s_src); filter(f_ldap); destination(d_ldap); };


###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/"
    
por ricksebak 18.09.2013 / 21:33

1 resposta

2

Era a linha 184. Eu mudei de:

log { source(s_src); destination(d_logserver); };

para

log { source(s_src); filter(f_not_ldap); destination(d_logserver); };

E agora os logs do LDAP não estão mais indo para o meu servidor de log, então isso está corrigido agora.

    
por 19.09.2013 / 18:06