<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=503313617-16042009><FONT face=Arial
color=#0000ff size=2>You don't need the filter
f_autres.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=503313617-16042009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=503313617-16042009><FONT face=Arial
color=#0000ff size=2>Use flags(final) in the first two log() statements, which
means "if you take this path do not evaluate any subsequent ones".
</FONT></SPAN><SPAN class=503313617-16042009><FONT face=Arial color=#0000ff
size=2>That way, only messages that do not match the first two log()
statements will ever reach the third log() statement. </FONT></SPAN><SPAN
class=503313617-16042009><FONT face=Arial color=#0000ff size=2>In the third
log() statement you should have no filter because you want to log
everything that got this far.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=503313617-16042009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=503313617-16042009><FONT face=Arial
color=#0000ff size=2>Joe.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=503313617-16042009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
<B>On Behalf Of </B>Julien Vermet<BR><B>Sent:</B> 16 April 2009
17:01<BR><B>To:</B> syslog-ng@lists.balabit.hu<BR><B>Subject:</B> [syslog-ng]
Regex and Syslog-ng<BR></FONT><BR></DIV>
<DIV></DIV>Hello<BR><BR>I have a problem with syslog-ng using match() in my
filters. Here is the part of my syslog-ng.cong:<BR><BR>"<BR>######<BR>#
sources<BR><BR># all known message sources<BR>source s_all
{<BR> file("/etc/syslog-ng/logtest"
follow_freq(1));<BR>};<BR><BR><BR>######<BR># destinations<BR><BR>destination
d_apache {<BR>file("/etc/syslog-ng/logapache");<BR>};<BR><BR>destination
d_system {<BR>file("/etc/syslog-ng/logsystem");<BR>};<BR><BR>destination
d_autres {<BR>file("/etc/syslog-ng/logautres");<BR>};<BR><BR>######<BR>#
filters<BR><BR>filter f_apache {<BR>match(apache);<BR>};<BR><BR>filter f_system
{<BR>match(system);<BR>};<BR><BR>filter f_autres
{<BR>match((?!apache));<BR>};<BR><BR><BR>######<BR># logs<BR><BR>log
{<BR>source(s_all);<BR>filter(f_apache);<BR>destination(d_apache);<BR>};<BR><BR>log
{<BR>source(s_all);<BR>filter(f_system);<BR>destination(d_system);<BR>};<BR><BR>log
{<BR>source(s_all);<BR>filter(f_autres);<BR>destination(d_autres);<BR>"<BR><BR>As
you can see, I want to search in lines if the string apache is present, if
system is present or if apache is not present. The first two filters are
OK, but the third doesn't work. Can you help me to solve the
problem?<BR><BR>Thanks.<BR></BODY></HTML>