[lug] Syslog woes

Hugh Brown hugh at math.byu.edu
Thu Dec 14 21:38:50 MST 2006


Daniel Webb wrote:
> On Wed, Dec 13, 2006 at 06:05:47PM -0700, David L. Anselmi wrote:
> 
>>> *.*;auth,authpriv.none;mail.error       -/var/log/syslog
>>> 1) What am I missing here?
>> Try mail.none rather than mail.error.
> 
> But I still want mail messages with error and worse to show up in syslog.
> From my reading of man 5 syslog.conf there is a bug in syslog, but every time
> I think that about one of the more complex old-time Unix services I end up
> filing what turns out to be a frivolous bug report which gets embarrassing
> after a while.   :<
> 
> Specifically, from man 5 syslog.conf:
> 
> ----
>  Multiple  selectors  may be specified for a single action using the semicolon
> (``;'') separator.  Remember that each selector in the selector field is
> capable to overwrite the preceding ones.  Using this behavior you can exclude
> some priorities from the pattern.
> ----
> 
> So shouldn't the last "mail.error" override the previous settings for mail?
> 

I'm not an expert by any stretch.  Based on my reading of the man page, 
you'd need to exclude and then include.

So *.* implicitly says log all mail.* to /var/log/syslog.  The semi-colon 
says "if negation follows, give it precedence."  Negation seems to be 
done via "none" as the priority or !<priority>. So as far as mail is 
concerned, you've told it

mail.*;mail.err

which seems to be, log all mail and log mail at error or higher.

I just tested this line (on a debian sarge box):

*.*;auth,authpriv.none;mail.none;mail.error       -/var/log/syslog

and then used

logger -p mail.err "test of mail.err"
logger -p mail.info "test of mail.info"

The first went to /var/log/syslog, the second didn't.

You could probably shorten it to:

*.*;auth,authpriv,mail.none;mail.err    -/var/log/syslog

Hugh
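
An added example, not part of the original message and not sysklogd's own code: a small Python model of the selector behaviour reported above. It assumes each facility keeps a set of enabled priorities that later selectors add to or clear, which matches the logger test in the message; the function names are made up for illustration.

```python
# Assumed model: per-facility bitmask of enabled priorities, selectors
# applied left to right. A plain "facility.priority" only ADDS priorities,
# so it cannot narrow an earlier "*.*"; "none" or "!" is needed to clear.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALL = (1 << len(PRIORITIES)) - 1

def compile_selectors(field):
    """Return {facility: priority bitmask} for one selector field."""
    masks = {f: 0 for f in FACILITIES}
    for selector in field.split(";"):
        facs, _, pri = selector.strip().rpartition(".")
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        single = pri.startswith("=")
        pri = ALIASES.get(pri.lstrip("="), pri.lstrip("="))
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "none":
                masks[fac] = 0
            elif pri == "*":
                masks[fac] = 0 if negate else ALL
            else:
                n = PRIORITIES.index(pri)
                # "=pri" selects one level, "pri" selects that level and worse
                bits = (1 << n) if single else (1 << (n + 1)) - 1
                masks[fac] = masks[fac] & ~bits if negate else masks[fac] | bits
    return masks

def is_logged(field, facility, priority):
    """True if a message with this facility/priority matches the field."""
    n = PRIORITIES.index(ALIASES.get(priority, priority))
    return bool(compile_selectors(field)[facility] >> n & 1)

# The three selector fields from the thread.
ORIGINAL = "*.*;auth,authpriv.none;mail.error"
TESTED = "*.*;auth,authpriv.none;mail.none;mail.error"
SHORTENED = "*.*;auth,authpriv,mail.none;mail.err"

if __name__ == "__main__":
    for name, field in [("original", ORIGINAL), ("tested", TESTED),
                        ("shortened", SHORTENED)]:
        for pri in ("err", "info"):
            print(f"{name:9} mail.{pri:4} -> {is_logged(field, 'mail', pri)}")
```
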


