<div dir="ltr">I got something in the message that can help, but I'd like to use it with the empty program attribute (being as specific as possible).<br><br>So there is no way to filter an empty program attribute?<br><br>
thanks.<br><br><div class="gmail_quote">2008/8/28 concatenate <span dir="ltr"><<a href="mailto:infosec@gmail.com">infosec@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr"><div><div></div><div class="Wj3C7c">On Thu, Aug 28, 2008 at 8:17 AM, G R <span dir="ltr"><<a href="mailto:ng.syslogng@gmail.com" target="_blank">ng.syslogng@gmail.com</a>></span> wrote:<br></div></div>
<div class="gmail_quote"><div><div></div><div class="Wj3C7c"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr">Hi!<br><br>I'm trying to filter some logs that have no program field.<br>Kind of "logger -t '' " logs.<br><br>I've tried to use <br>program(""); <br>or <br>program(NULL);<br>
as a filter but none of them works.<br><br>How can I filter these empty program field logs?<br></div></blockquote></div></div><div><br>I would look for some other attributes of the messages. If you can't add the program field, and nothing else about the messages is unique, you might be in trouble.<br>
<br>As a last resort I've made particular hosts or types of devices (UNIX vs. network devices) send to different ports or IPs on the syslog box, then my source has an entirely different subset of messages. Perhaps that is an option.<br>
</div></div></div>
<br></blockquote></div><br></div>