<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>.EmailQuote {
        BORDER-LEFT: #800000 2px solid; PADDING-LEFT: 4pt; MARGIN-LEFT: 1pt
}
</style><style title="owaParaStyle"><!--P {
        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
--></style>
</head>
<body ocsi="x">
<div dir="ltr"><font color="#000000" size="2" face="Tahoma">TShark output between the two syslog-ng servers (syslogsvr
<font size="2" face="Tahoma">[192.168.0.80]</font>, syslogclt [192.168.0.81]):</font></div>
<div dir="ltr"><font size="2" face="tahoma"></font> </div>
<div dir="ltr"><a href="http://www.murpe.com/syslog-ng-v3.tshark.txt" target="_blank">http://www.murpe.com/syslog-ng-v3.tshark.txt</a></div>
<div dir="ltr"><font size="2" face="tahoma"></font> </div>
<div style="DIRECTION: ltr" id="divRpF689591">
<hr tabindex="-1">
<font color="#000000" size="2" face="Tahoma"><b>From:</b> syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Worsham, Michael<br>
<b>Sent:</b> Monday, September 20, 2010 8:06 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr"><font color="#000000" size="2" face="Tahoma">Wireshark is going to be a bit impossible as these are servers without front-end displays and without X installed. Strictly console-related VM server instances.</font></div>
<div dir="ltr"><font color="#000000" size="2" face="Tahoma"></font> </div>
<div dir="ltr"><font color="#000000" size="2" face="Tahoma">Here's a link to my configuration just in case anyone wants to take a gander:</font></div>
<div dir="ltr"><font size="2" face="Tahoma"></font> </div>
<div dir="ltr"><a href="http://www.murpe.com/syslog-ng-v3.conf.txt" target="_blank"><font size="2" face="Tahoma">http://www.murpe.com/syslog-ng-v3.conf.txt</font></a></div>
<div dir="ltr"><font size="2" face="Tahoma"></font> </div>
<div dir="ltr"><font size="2" face="Tahoma">We are using TLS encryption (a requirement) and a destination breakdown (another requirement). Other than that, we just need some simple filtering for keywords that appear hundreds to thousands of times on our many
RHEL servers that has SELinux and auditing enabled.</font></div>
<div dir="ltr"><font size="2" face="Tahoma"></font> </div>
<div dir="ltr"><font size="2" face="tahoma">-- M</font></div>
<div dir="ltr"><font size="2" face="Tahoma"></font> </div>
<div style="DIRECTION: ltr" id="divRpF586121"><font size="2" face="Tahoma">
<hr tabindex="-1">
</font><font color="#000000"><font face="Tahoma"><font size="2"><b>From:</b> syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Matthew Hall [mhall@mhcomputing.net]<br>
<b>Sent:</b> Monday, September 20, 2010 7:53 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Converting filtering from 2.1 to 3.0?<br>
</font></font></font><br>
</div>
<div></div>
<font size="2">
<div class="PlainText">On Mon, Sep 20, 2010 at 05:44:10PM -0600, syslogng@feystorm.net wrote:<br>
> Your first line should be working. Not sure why it is not.<br>
> However you can try using: not message('Audit daemon rotating log<br>
> files' flags('ignore-case'))<br>
> Simpler and does exactly what your old config did.<br>
<br>
My only guess so far besides an outright bug: the message is formatted <br>
wrong inside the Syslog packet and the packet parser behavior changed <br>
from the old version to the new version in such a way that the macros <br>
are not being populated with the strings we expect.<br>
<br>
However I have set up several PCRE filters against message content using <br>
3.1 and have not seen anything broken. So the bug possibility seems <br>
unlikely compared to an issue parsing the particular string.<br>
<br>
It would be helpful if we could get the tshark -V or full Wireshark <br>
payload of a message that fails to decode so we could see what was <br>
contained in the original packet.<br>
<br>
Matthew.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div>
</font><br>
<hr>
<font color="gray" size="1" face="Arial">CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation.
If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately
and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.<br>
<br>
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this technical
data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical data
may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand and will
comply with all applicable ITAR, EAR and embargo compliance requirements.<br>
</font></div>
<br>
<hr>
<font face="Arial" color="Gray" size="1">CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation.
If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately
and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.<br>
<br>
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this technical
data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical data
may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand and will
comply with all applicable ITAR, EAR and embargo compliance requirements.<br>
</font>
</body>
</html>