<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">Your first
line should be working. Not sure why it is not.<br>
However you can try using: not message('Audit daemon rotating log
files' flags('ignore-case'))<br>
Simpler and does exactly what your old config did.<br>
</font></font><br>
Sent: Mon Sep 20 2010 17:32:13 GMT-0600 (Mountain Daylight Time)<br>
From: Worsham, Michael <a class="moz-txt-link-rfc2396E" href="mailto:mworsham@SCIRES.COM"><mworsham@SCIRES.COM></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?
<blockquote cite="mid:60F35DDF-7C00-4A6D-99D9-1602D63A0FE2@mimectl"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<style>.EmailQuote {
BORDER-LEFT: #800000 2px solid; PADDING-LEFT: 4pt; MARGIN-LEFT: 1pt
}
</style>
<style title="owaParaStyle"><!--P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
--></style>
<div dir="ltr"><font color="#000000" face="Tahoma" size="2">Okay,
maybe I am not making it clear enough on what it is I am trying to do...</font></div>
<div dir="ltr"> </div>
<div dir="ltr">
<div dir="ltr"><font face="Tahoma" size="2">In the older syslong-ng
v2.1, this line works perfectly:</font></div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="Tahoma" size="2">filter M_audit { not
match("Audit daemon rotating log files"); };</font></div>
</div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="Tahoma" size="2">Under 3.0.8, none of the
following are working (if added one line at a time) and the daemon
restarted:</font></div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="tahoma" size="2">filter M_audit { not
match("Audit daemon rotating log files" value("MSGONLY")
flags(ignore-case)); };</font></div>
<div dir="ltr">
<div dir="ltr"><font face="tahoma" size="2">filter M_audit { not
match("MSGONLY" value("Audit daemon rotating log files")
flags(ignore-case)); };</font></div>
</div>
<div dir="ltr"><font face="tahoma" size="2">
<div dir="ltr"><font face="tahoma" size="2">filter M_audit { not
match("Audit daemon rotating log files" value(MSGONLY)
<font face="Tahoma" size="2">flags(ignore-case)</font>); };</font></div>
<div dir="ltr"><font face="tahoma">
<div dir="ltr"><font face="tahoma" size="2">filter M_audit { not
match("Audit daemon rotating log files" value(MSGONLY)); };</font></div>
<div dir="ltr">
<div dir="ltr"><font face="tahoma" size="2">filter M_audit { not
match("MSGONLY" value("Audit daemon rotating log files")); };</font></div>
</div>
</font></div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="tahoma">What I am looking to do is if any
incoming data has the following "<font face="Tahoma" size="2">Audit
daemon rotating log files" message being detected, it should be
filtered (i.e. dropped), and then not show up in the actual message log
file. </font></font></div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="tahoma"><font face="Tahoma" size="2">For
example, if I go over on the syslog-ng client and do 'logger daemon':
</font></font></div>
<div dir="ltr"><font face="tahoma"><font face="Tahoma" size="2"><font
face="tahoma"> -
</font>The older v2.1 syslog-ng server drops the message. <-- This
is correct</font></font></div>
<div dir="ltr"><font face="tahoma"><font face="Tahoma" size="2"><font
face="tahoma"> -
</font>On the v3.0.8, the message passes through and found in
the data file. <-- This is incorrect</font></font></div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="tahoma"><font face="Tahoma" size="2">Since
the above methods aren't working, I am asking here "w</font></font><font
face="tahoma"><font face="Tahoma" size="2">hat would be the best way
of going about this as it seems my original filtering lines from
v2.1 no longer work".</font></font></div>
<div dir="ltr"> </div>
<div dir="ltr"><font face="tahoma">-- Michael</font></div>
</font></div>
<div dir="ltr"> </div>
<div style="direction: ltr;" id="divRpF623702">
<hr tabindex="-1"><font color="#000000" face="Tahoma" size="2"><b>From:</b>
<a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [<a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>]
On Behalf Of Alan McKinnon [<a class="moz-txt-link-abbreviated" href="mailto:Alan.McKinnon@is.co.za">Alan.McKinnon@is.co.za</a>]<br>
<b>Sent:</b> Monday, September 20, 2010 6:52 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
<b>Subject:</b> Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
</font><br>
</div>
<font size="2">
<div class="PlainText">Your "value" is wrong. It's a variable name,
not a literal string, so you use
<br>
it like this:<br>
<br>
value(MSGONLY) <br>
<br>
or the cleaner version<br>
<br>
value(${MSGONLY})<br>
<br>
It works like a bash variable in this regard<br>
<br>
<br>
<br>
On Tuesday 21 September 2010 00:30:06 Worsham, Michael wrote:<br>
> Well I tried the following two lines and neither one works:<br>
> <br>
> filter M_audit { not match("Audit daemon rotating log files"<br>
> value("MSGONLY") flags(ignore-case)); }; Incoming log entry;
line='<13>Sep<br>
> 20 18:26:19 drupal root: daemon' Filter rule evaluation begins;<br>
> filter_rule='M_audit'<br>
> No such value known; value='MSGONLY'<br>
> filter M_audit { not match("MSGONLY" value("Audit daemon rotating
log<br>
> files") flags(ignore-case)); }; Incoming log entry;
line='<13>Sep 20<br>
> 18:16:15 drupal root: daemon' Filter rule evaluation begins;<br>
> filter_rule='M_audit'<br>
> No such value known; value='Audit daemon rotating log files'<br>
> WTF am I doing wrong and please quit quoting URLs to look at.<br>
> <br>
> -- M<br>
> <br>
> <br>
> ________________________________<br>
> From: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a><br>
> [<a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of Matthew Hall<br>
> [<a class="moz-txt-link-abbreviated" href="mailto:mhall@mhcomputing.net">mhall@mhcomputing.net</a>] Sent: Monday, September 20, 2010 6:12 PM<br>
> To: Syslog-ng users' and developers' mailing list<br>
> Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
> <br>
> On Mon, Sep 20, 2010 at 05:23:28PM -0400, Worsham, Michael wrote:<br>
> > No such value known; value='Audit daemon rotating log files'<br>
> > No such value known; value='last message repeated'<br>
> > No such value known; value='Log statistics'<br>
> <br>
> I believe this output indicates you have the incorrect information
in<br>
> the value argument. The value argument is supposed to be used to<br>
> indicate which message macro should be checked for the string or
regex<br>
> in question.<br>
> <br>
> So you probably want the value argument to be one of these:<br>
> <br>
> <a moz-do-not-send="true"
href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-gui"
target="_blank">
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-gui</a><br>
> de-admin-en.html/reference_macros.html<br>
> <br>
> Matthew.<br>
> <br>
> The most interesting ones for your application would be the ones
below.<br>
> <br>
> Consider using an output template which outputs the value in each
macro,<br>
> so you can see which macro you should be matching for each of your<br>
> filter rules.<br>
> <br>
> For example, if you output messages with this template, you would
see<br>
> the value in the MSGONLY macro. You could use a longer version of
this<br>
> to print out all the macros and figure out which should be used
for the<br>
> different matches you are trying to perform.<br>
> <br>
> template t_raw {<br>
> template("${MSGONLY}\n");<br>
> };<br>
> <br>
> <br>
> MSG or MESSAGE<br>
> Description: Text contents of the log message without the program
name<br>
> and pid. Note that this has changed in syslog-ng version 3.0; in
earlier<br>
> versions this macro included the program name and the pid. In
syslog-ng<br>
> 3.0, the MSG macro became equivalent with the MSGONLY macro. The
program<br>
> name and the pid together are available in the MSGHDR macro.<br>
> <br>
> MSGHDR<br>
> Description: The name and the pid of the program that sent the log<br>
> message in PROGRAM: PID format. Includes a trailing whitespace.
Note<br>
> that the macro returns an empty value if both the program and pid
fields<br>
> of the message are empty.<br>
> <br>
> MSGONLY<br>
> Description: Message contents without the program name or pid.<br>
> <br>
> PROGRAM<br>
> <br>
> Description: The name of the program sending the message. Note
that the<br>
> content of the $PROGRAM variable may not be completely trusted as
it is<br>
> provided by the client program that constructed the message.<br>
> <br>
>
___________________________________________________________________________<br>
> ___ Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation:<br>
> <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a> FAQ:<br>
> <a moz-do-not-send="true"
href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
> <br>
> <br>
> ________________________________<br>
> CONFIDENTIALITY NOTICE: This email and any attachments are
intended solely<br>
> for the use of the named recipient(s). This email may contain
confidential<br>
> and/or proprietary information of Scientific Research Corporation.
If you<br>
> are not a named recipient, you are prohibited from reviewing,
copying,<br>
> using, disclosing or distributing to others the information in
this email<br>
> and attachments. If you believe you have received this email in
error,<br>
> please notify the sender immediately and permanently delete the
email, any<br>
> attachments, and all copies thereof from any drives or storage
media and<br>
> destroy any printouts of the email or attachments.<br>
> <br>
> EXPORT COMPLIANCE NOTICE: This email and any attachments may
contain<br>
> technical data subject to U.S export restrictions under the
International<br>
> Traffic in Arms Regulations (ITAR) or the Export Administration<br>
> Regulations (EAR). Export or transfer of this technical data and/or<br>
> related information to any foreign person(s) or entity(ies),
either within<br>
> the U.S. or outside of the U.S., may require advance export
authorization<br>
> by the appropriate U.S. Government agency prior to export or
transfer. In<br>
> addition, technical data may not be exported or transferred to
certain<br>
> countries or specified designated nationals identified by U.S.
embargo<br>
> controls without prior export authorization. By accepting this
email and<br>
> any attachments, all recipients confirm that they understand and
will<br>
> comply with all applicable ITAR, EAR and embargo compliance
requirements.<br>
<br>
-- <br>
Alan McKinnon<br>
Systems Engineer^W Technician<br>
Infrastructure Services<br>
Internet Solutions<br>
<br>
+27 11 575 7585<br>
<br>
Please note: This email and its content are subject to the disclaimer
as displayed at the following link
<a moz-do-not-send="true"
href="http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm"
target="_blank">http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm</a>.
Should you not have Web access, send a mail to <a class="moz-txt-link-abbreviated" href="mailto:disclaimers@is.co.za">disclaimers@is.co.za</a> and
a copy will be emailed to you.<br>
______________________________________________________________________________<br>
Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a moz-do-not-send="true"
href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div>
</font><br>
<hr>
<font color="Gray" face="Arial" size="1">CONFIDENTIALITY NOTICE: This
email and any attachments are intended solely for the use of the named
recipient(s). This email may contain confidential and/or proprietary
information of Scientific Research Corporation. If you are not a named
recipient, you are prohibited from reviewing, copying, using,
disclosing or distributing to others the information in this email and
attachments. If you believe you have received this email in error,
please notify the sender immediately and permanently delete the email,
any attachments, and all copies thereof from any drives or storage
media and destroy any printouts of the email or attachments.<br>
<br>
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain
technical data subject to U.S export restrictions under the
International Traffic in Arms Regulations (ITAR) or the Export
Administration Regulations (EAR). Export or transfer of this technical
data and/or related information to any foreign person(s) or
entity(ies), either within the U.S. or outside of the U.S., may require
advance export authorization by the appropriate U.S. Government agency
prior to export or transfer. In addition, technical data may not be
exported or transferred to certain countries or specified designated
nationals identified by U.S. embargo controls without prior export
authorization. By accepting this email and any attachments, all
recipients confirm that they understand and will comply with all
applicable ITAR, EAR and embargo compliance requirements.<br>
</font>
<pre wrap="">
<hr size="4" width="90%">
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>