Bug 170299 - sysutils/syslog-ng sample config does not work the way it claims to
Summary: sysutils/syslog-ng sample config does not work the way it claims to
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Cy Schubert
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-31 19:50 UTC by cwf-ml
Modified: 2018-01-12 04:36 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description cwf-ml 2012-07-31 19:50:06 UTC
syslog-ng is a replacement for the BSD's syslog daemon with a few nifty security features.

Among the files it installs is a sample config, presumable tro be used as a template to build your configfrom.

The sample config claims to be an exact equivalent of FreeBSD's /etc/syslog.conf as distributed with the system. Unfortunately, this claim rests on erroneous understanding of syslog-ng's configuration language. The sample config is not only defective but actually misleads the user into false assumptions about syslog-ngs config semantic.

Here is the worst offender. The following block handles /var/log/messages. The filters used are all predefined elsewhere and essentially do what you would expect them to do based on their name. The commented header line displays the syslog.conf line it is supposed to replace.

# ---------------
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
# ---------------

The problem here is that filters in a log statement are combined by AND, while consecutive log statements are essentially additive. 
The original syslogd, on the other hand, allows consecutive statements to modify their preceding, more general statements. 

The original line, for instance, meant "all lines notice-and-above, except authpriv, and also except any mail lines below crit and news lines below err. Furthermore everything from kern and info-and-above from lpr. ).

In the syslog-ng syntax, this is not reproduced. the nog statements for mail and news are NOPs. 

A similar problem exists with the /dev/console block.

Fix: 

There is no way in syslog-ng to work with simple atomar filters and combine them in a sequence of log lines to emulate the syslog.conf mechanism, as the author tries. You have to employ more complex filters.

I give an example. I assume the predefined atomar filters in the sample file are still there:

# -------------
filter f_msgntc { level(notice..emerg)
                    and not  facility(authpriv)
                    and not (facility(mail) and level(notice..err))
                    and not (facility(news) and level(notice..warning))
                  ; };
#
log { source(src); filter(f_msgntc); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
# -------------

You also need to use a similar fix with the /dev/console block
How-To-Repeat: install syslog-ng
move /usr/local/etc/syslog-ng.conf.sample to /usr/local/etc/syslog-ng.conf
activate syslog-ng in /etc/rc.conf
deactivate system syslogd and start syslog-ng

test classes like mail.err or news.warning via logger(1)
Comment 1 Edwin Groothuis freebsd_committer 2012-08-01 04:51:30 UTC
Responsible Changed
From-To: freebsd-ports-bugs->cy

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Carlo Strub freebsd_committer 2014-09-11 19:59:50 UTC
Is this PR still relevant?
Comment 3 Walter Schwarzenfeld freebsd_triage 2018-01-12 04:18:20 UTC
Same question: Is it still relevant.
Comment 4 Cy Schubert freebsd_committer 2018-01-12 04:36:42 UTC
Probably best to check with our upline.