<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hey again all.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So…I’m still having issues with this... not sure why. Here’s the raw log:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Nov 8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And from my syslog-ng.conf:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>filter f_firewall {<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> not (<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> program ("firewall" flags(ignore-case));<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> and message("192\.168\.");<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> and 
message("169\.254\.");<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> )<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>};<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>log {<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> source(s_local);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> filter(f_dumb);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> filter(f_firewall);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> destination(d_file);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> destination(other);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>};<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Any hints as to why these aren’t matching? Should I not be \ing the periods? 
Thanks all.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>James<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] <b>On Behalf Of </b>Frank Collette<br><b>Sent:</b> Tuesday, November 08, 2011 8:36 AM<br><b>To:</b> Syslog-ng users' and developers' mailing list<br><b>Subject:</b> Re: [syslog-ng] Quick filter question<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>filter f_firewall {</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> not ( </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> program("firewall" flags(ignore-case)) and</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"));</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> )</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>};</span> <br><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks,</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Frank E. 
Collette IV</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Technical Services<br>Systems Administrator II<br>Trustmark National Bank<br>Office: 601-208-7517</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Fax: 601-208-6105</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><a href="mailto:fcollette@trustmark.com">fcollette@trustmark.com</a></span> <br><br><br><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>From: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>"Lay, James" <<a href="mailto:james.lay@wincofoods.com">james.lay@wincofoods.com</a>></span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>To: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>></span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Date: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>11/08/2011 09:14 AM</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Subject: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>[syslog-ng] Quick filter question</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Sent by: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a></span> <o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade style='color:gray' align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Hey all!</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span> <br><span 
style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Real quick…trying to filter OUT firewall hits that have say…169.254. Will this do the trick?</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>filter f_firewall {</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> not program (firewall flags(ignore-case));</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> and not message("169\.254\.[0-9]+\.[0-9]+");</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>};</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Thanks all.</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>James</span><tt><span style='font-size:10.0pt'>______________________________________________________________________________</span></tt><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>Member info: </tt></span><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"><tt><span style='font-size:10.0pt'>https://lists.balabit.hu/mailman/listinfo/syslog-ng</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>Documentation: </tt></span><a href="http://www.balabit.com/support/documentation/?product=syslog-ng"><tt><span style='font-size:10.0pt'>http://www.balabit.com/support/documentation/?product=syslog-ng</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>FAQ: </tt></span><a href="http://www.balabit.com/wiki/syslog-ng-faq"><tt><span style='font-size:10.0pt'>http://www.balabit.com/wiki/syslog-ng-faq</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><br></span><o:p></o:p></p></div></div></body></html>