<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.emailquote, li.emailquote, div.emailquote
        {mso-style-name:emailquote;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:1.0pt;
        margin-bottom:.0001pt;
        border:none;
        padding:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>how to unsubscribe?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] <b>On
Behalf Of </b>Worsham, Michael<br>
<b>Sent:</b> Tuesday, September 21, 2010 10:48 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] [Bug 93] New: filter() functionality between
2.1 to 3.0 not consistent<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:black'>This is what my current configuration looks like now (disabled TLS
to allow for debugging):</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a
href="http://www.murpe.com/syslog-ng-v3.conf2.txt" target="_blank">http://www.murpe.com/syslog-ng-v3.conf2.txt</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>--
M</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div id=divRpF211356>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>
syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On
Behalf Of Alan McKinnon [Alan.McKinnon@is.co.za]<br>
<b>Sent:</b> Tuesday, September 21, 2010 10:35 AM<br>
<b>To:</b> syslog-ng@lists.balabit.hu<br>
<b>Subject:</b> Re: [syslog-ng] [Bug 93] New: filter() functionality between
2.1 to 3.0 not consistent</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt'>I
think you are running into the changed definitions of match() between 2.0 <br>
and 3.0<br>
<br>
<a
href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-"
target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-</a><br>
admin-en.html/reference_filters.html<br>
<br>
especially match() and message()<br>
<br>
Of your samples, the 3rd and 4th should work. What is the full config that <br>
applies to how you use this filter? Are you perhaps applying two filters? Be <br>
careful with that - filters are always ANDed in a log statement, not ORed.<br>
<br>
<br>
<br>
<br>
<br>
<br>
On Tuesday 21 September 2010 16:16:57 bugzilla@bugzilla.balabit.com wrote:<br>
> <a href="https://bugzilla.balabit.com/show_bug.cgi?id=93" target="_blank">https://bugzilla.balabit.com/show_bug.cgi?id=93</a><br>
> <br>
> Summary:
filter() functionality between 2.1 to 3.0 not<br>
> consistent Product: syslog-ng<br>
> Version:
3.0.x<br>
> Platform: PC<br>
> OS/Version: Linux<br>
>
Status: NEW<br>
> Severity:
major<br>
> Priority:
unspecified<br>
> Component: syslog-ng<br>
> AssignedTo:
bazsi@balabit.hu<br>
> ReportedBy:
mworsham@scires.com<br>
> Type of the Report: bug<br>
> Estimated Hours: 0.0<br>
> <br>
> <br>
> In the older syslong-ng v2.1, this line works perfectly:<br>
> <br>
> filter M_audit { not match("Audit daemon rotating log
files"); };<br>
> <br>
> Under 3.0.8, none of the following are working (if added one line at a<br>
> time) and the daemon restarted:<br>
> <br>
> filter M_audit { not match("Audit daemon rotating log
files"<br>
> value("MSGONLY") flags(ignore-case)); }; filter M_audit {
not<br>
> match("MSGONLY" value("Audit daemon rotating log
files")<br>
> flags(ignore-case)); }; filter M_audit { not match("Audit
daemon rotating<br>
> log files" value(MSGONLY) flags(ignore-case)); }; filter
M_audit { not<br>
> match("Audit daemon rotating log files" value(MSGONLY)); };
filter M_audit<br>
> { not match("MSGONLY" value("Audit daemon rotating
log files")); };<br>
> <br>
> What I am looking to do is if any incoming data has the following keywords<br>
> (i.e. "Audit daemon rotating log files") being detected, it
should be<br>
> filtered (i.e. dropped), and then not show up in the actual message log<br>
> file.<br>
> <br>
> For example, if I go over on the syslog-ng client and do 'logger daemon':<br>
> - The older v2.1 syslog-ng server
detects the embedded keyword and<br>
> drops the message. <-- This is correct - On the v3.0.8, the message
passes<br>
> through and found in the data file. <-- This is incorrect<br>
> <br>
> Attempted to use the following URLs to correct the formatting, but it
still<br>
> not working: -<br>
> <a
href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-gu"
target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-gu</a><br>
> ide-admin-en.html/configuring_filters.html -<br>
> <a
href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-gu"
target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-gu</a><br>
> ide-admin-en.html/reference_macros.html<br>
<br>
-- <br>
Alan McKinnon<br>
Systems Engineer^W Technician<br>
Infrastructure Services<br>
Internet Solutions<br>
<br>
+27 11 575 7585<br>
<br>
Please note: This email and its content are subject to the disclaimer as
displayed at the following link <a
href="http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm"
target="_blank">http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm</a>.
Should you not have Web access, send a mail to disclaimers@is.co.za and a copy
will be emailed to you.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";
color:gray'>CONFIDENTIALITY NOTICE: This email and any attachments are intended
solely for the use of the named recipient(s). This email may contain
confidential and/or proprietary information of Scientific Research Corporation.
If you are not a named recipient, you are prohibited from reviewing, copying,
using, disclosing or distributing to others the information in this email and
attachments. If you believe you have received this email in error, please
notify the sender immediately and permanently delete the email, any
attachments, and all copies thereof from any drives or storage media and
destroy any printouts of the email or attachments.<br>
<br>
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical
data subject to U.S export restrictions under the International Traffic in Arms
Regulations (ITAR) or the Export Administration Regulations (EAR). Export or
transfer of this technical data and/or related information to any foreign
person(s) or entity(ies), either within the U.S. or outside of the U.S., may
require advance export authorization by the appropriate U.S. Government agency
prior to export or transfer. In addition, technical data may not be exported or
transferred to certain countries or specified designated nationals identified
by U.S. embargo controls without prior export authorization. By accepting this
email and any attachments, all recipients confirm that they understand and will
comply with all applicable ITAR, EAR and embargo compliance requirements.</span><o:p></o:p></p>
</div>
</body>
</html>