<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>.EmailQuote {
BORDER-LEFT: #800000 2px solid; PADDING-LEFT: 4pt; MARGIN-LEFT: 1pt
}
</style><style title="owaParaStyle"><!--P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
--></style>
</head>
<body ocsi="x">
<div dir="ltr"><font color="#000000" size="2" face="Tahoma">Well I tried the following two lines and neither one works:</font></div>
<div dir="ltr"><font size="2" face="tahoma"></font> </div>
<div dir="ltr">filter M_audit { not match("Audit daemon rotating log files" value("MSGONLY") flags(ignore-case)); };<br>
</div>
<div dir="ltr"><font face="times new roman"><font face="times new roman">Incoming log entry; line='<13>Sep 20 18:26:19 drupal root: daemon'<br>
Filter rule evaluation begins; filter_rule='M_audit'<br>
No such value known; value='MSGONLY'<br>
</font></font><font face="times new roman"></div>
</font>
<div dir="ltr">filter M_audit { not match("MSGONLY" value("Audit daemon rotating log files") flags(ignore-case)); };<br>
</div>
<div dir="ltr">Incoming log entry; line='<13>Sep 20 18:16:15 drupal root: daemon'<br>
<font face="times new roman">Filter rule evaluation begins; filter_rule='M_audit'<br>
No such value known; value='Audit daemon rotating log files'<br>
</font></div>
<div dir="ltr"><font face="times new roman"><font face="times new roman">WTF am I doing wrong and please quit quoting URLs to look at.</font></div>
</font>
<div dir="ltr"><font face="times new roman"></font> </div>
<div dir="ltr"><font face="times new roman">-- M</font></div>
<div dir="ltr"><font face="times new roman"></font> </div>
<div dir="ltr"><font size="2" face="tahoma"></font> </div>
<div style="DIRECTION: ltr" id="divRpF631956">
<hr tabindex="-1">
<font color="#000000" size="2" face="Tahoma"><b>From:</b> syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Matthew Hall [mhall@mhcomputing.net]<br>
<b>Sent:</b> Monday, September 20, 2010 6:12 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
</font><br>
</div>
<div></div>
<font size="2">
<div class="PlainText">On Mon, Sep 20, 2010 at 05:23:28PM -0400, Worsham, Michael wrote:<br>
> No such value known; value='Audit daemon rotating log files'<br>
> No such value known; value='last message repeated'<br>
> No such value known; value='Log statistics'<br>
<br>
I believe this output indicates you have the incorrect information in <br>
the value argument. The value argument is supposed to be used to <br>
indicate which message macro should be checked for the string or regex <br>
in question.<br>
<br>
So you probably want the value argument to be one of these:<br>
<br>
<a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html" target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html</a><br>
<br>
Matthew.<br>
<br>
The most interesting ones for your application would be the ones below.<br>
<br>
Consider using an output template which outputs the value in each macro, <br>
so you can see which macro you should be matching for each of your <br>
filter rules.<br>
<br>
For example, if you output messages with this template, you would see <br>
the value in the MSGONLY macro. You could use a longer version of this <br>
to print out all the macros and figure out which should be used for the <br>
different matches you are trying to perform.<br>
<br>
template t_raw {<br>
template("${MSGONLY}\n");<br>
};<br>
<br>
<br>
MSG or MESSAGE<br>
Description: Text contents of the log message without the program name <br>
and pid. Note that this has changed in syslog-ng version 3.0; in earlier <br>
versions this macro included the program name and the pid. In syslog-ng <br>
3.0, the MSG macro became equivalent with the MSGONLY macro. The program <br>
name and the pid together are available in the MSGHDR macro.<br>
<br>
MSGHDR<br>
Description: The name and the pid of the program that sent the log <br>
message in PROGRAM: PID format. Includes a trailing whitespace. Note <br>
that the macro returns an empty value if both the program and pid fields <br>
of the message are empty.<br>
<br>
MSGONLY<br>
Description: Message contents without the program name or pid.<br>
<br>
PROGRAM<br>
<br>
Description: The name of the program sending the message. Note that the <br>
content of the $PROGRAM variable may not be completely trusted as it is <br>
provided by the client program that constructed the message.<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div>
</font><br>
<hr>
<font face="Arial" color="Gray" size="1">CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation.
If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately
and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.<br>
<br>
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this technical
data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical data
may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand and will
comply with all applicable ITAR, EAR and embargo compliance requirements.<br>
</font>
</body>
</html>