<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hey again all.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So… I’m still having an issue with this... not sure why.  Here’s the raw log:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And from my syslog-ng.conf:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>filter f_firewall {<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        not (<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        program (&quot;firewall&quot; flags(ignore-case));<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        and message(&quot;192\.168\.&quot;);<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        and message(&quot;169\.254\.&quot;);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        )<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>};<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>log {<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        source(s_local);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        filter(f_dumb);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        filter(f_firewall);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        destination(d_file);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>        destination(other);<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>};<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Any hints as to why these aren’t matching?  Should I not be \ing the periods?  
Thanks all.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>James<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] <b>On Behalf Of </b>Frank Collette<br><b>Sent:</b> Tuesday, November 08, 2011 8:36 AM<br><b>To:</b> Syslog-ng users' and developers' mailing list<br><b>Subject:</b> Re: [syslog-ng] Quick filter question<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>filter f_firewall {</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp; &nbsp; &nbsp; &nbsp; not ( </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;program(&quot;firewall&quot; flags(ignore-case)) and</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;message(&quot;169\.254\.[0-9]+\.[0-9]+&quot; value(&quot;MESSAGE&quot;));</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; )</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>};</span> <br><br><br><span 
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks,</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Frank E. Collette IV</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Technical Services<br>Systems Administrator II<br>Trustmark National Bank<br>Office: 601-208-7517</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Fax: 601-208-6105</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><a href="mailto:fcollette@trustmark.com">fcollette@trustmark.com</a></span> <br><br><br><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>From: &nbsp; &nbsp; &nbsp; &nbsp;</span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>&quot;Lay, James&quot; &lt;<a href="mailto:james.lay@wincofoods.com">james.lay@wincofoods.com</a>&gt;</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>To: &nbsp; &nbsp; &nbsp; &nbsp;</span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>&lt;<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>&gt;</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Date: &nbsp; &nbsp; &nbsp; &nbsp;</span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>11/08/2011 09:14 AM</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Subject: &nbsp; &nbsp; &nbsp; &nbsp;</span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>[syslog-ng] Quick filter question</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Sent by: &nbsp; &nbsp; &nbsp; &nbsp;</span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a></span> <o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade 
style='color:gray' align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Hey all!</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp;</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Real quick…trying to filter OUT firewall hits that have say…169.254. &nbsp;Will this do the trick?</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp;</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>filter f_firewall {</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp; &nbsp; &nbsp; &nbsp; not program (firewall flags(ignore-case));</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp; &nbsp; &nbsp; &nbsp; and not message(&quot;169\.254\.[0-9]+\.[0-9]+&quot;);</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>};</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp;</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Thanks all.</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&nbsp;</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>James</span><tt><span style='font-size:10.0pt'>______________________________________________________________________________</span></tt><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>Member info: </tt></span><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"><tt><span style='font-size:10.0pt'>https://lists.balabit.hu/mailman/listinfo/syslog-ng</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>Documentation: </tt></span><a href="http://www.balabit.com/support/documentation/?product=syslog-ng"><tt><span 
style='font-size:10.0pt'>http://www.balabit.com/support/documentation/?product=syslog-ng</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>FAQ: </tt></span><a href="http://www.balabit.com/wiki/syslog-ng-faq"><tt><span style='font-size:10.0pt'>http://www.balabit.com/wiki/syslog-ng-faq</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><br></span><o:p></o:p></p></div></div></body></html>
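Added example, not part of the thread and not syslog-ng's own code: a small Python emulation of the boolean logic in the filter James posted, run over the log line from the thread plus a few constructed lines. It models program() and message() as unanchored regular-expression searches on the PROGRAM and MESSAGE fields, which is how syslog-ng evaluates them, and it ignores the semicolons inside the parentheses, which syslog-ng's filter grammar would not accept in any case. The "fixed" variant is my assumption about the intent (drop firewall messages that mention either 192.168. or 169.254.), not a fix taken from the thread. What the run shows: `not (program AND m1 AND m2)` only discards a message that contains both subnets at once, so the 192.168.0.15 line passes straight through; it also shows the escaped periods are not the cause, because an unescaped `.` matches a literal dot as well.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample input in the BSD syslog shape seen in the thread.
# Line 1 is the line James posted (hosts already masked as x.x.x.x there);
# lines 2-4 are constructed here to exercise the other branches.
SAMPLE_LINES = [
    "Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64",
    "Nov  8 11:13:39 x.x.x.x firewall: Deny udp 17 80 169.254.10.4 x.x.x.x 5353 5353",
    "Nov  8 11:13:40 x.x.x.x firewall: Deny tcp 20 125 10.1.2.3 x.x.x.x 443 51000",
    "Nov  8 11:13:41 x.x.x.x sshd: Accepted publickey for admin from 192.168.0.15 port 50022",
]

# Minimal BSD-syslog splitter: timestamp, host, program, message (hypothetical helper).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<program>[^:\s]+): (?P<message>.*)$"
)


@dataclass
class Msg:
    program: str   # what syslog-ng exposes as $PROGRAM
    message: str   # what syslog-ng exposes as $MESSAGE


def parse(line: str) -> Msg:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return Msg(m["program"], m["message"])


Predicate = Callable[[Msg], bool]


def program(pattern: str, ignore_case: bool = False) -> Predicate:
    """Emulates syslog-ng program(): unanchored regex search on $PROGRAM."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda msg: rx.search(msg.program) is not None


def message(pattern: str) -> Predicate:
    """Emulates syslog-ng message(): unanchored regex search on $MESSAGE."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg.message) is not None


def f_firewall_as_posted(msg: Msg) -> bool:
    # Logic of the posted filter, semicolons ignored:
    #   not ( program("firewall") and message("192\.168\.") and message("169\.254\.") )
    # All three terms must be true for the message to be dropped, so a line
    # must contain BOTH subnets before the filter rejects it.
    return not (program("firewall", ignore_case=True)(msg)
                and message(r"192\.168\.")(msg)
                and message(r"169\.254\.")(msg))


def f_firewall_fixed(msg: Msg) -> bool:
    # Assumed intent: drop firewall lines mentioning EITHER subnet.
    #   not ( program("firewall") and ( message("192\.168\.") or message("169\.254\.") ) )
    return not (program("firewall", ignore_case=True)(msg)
                and (message(r"192\.168\.")(msg) or message(r"169\.254\.")(msg)))


def apply_filter(flt: Predicate, lines: List[str]) -> List[str]:
    """Return the lines the filter lets through (syslog-ng keeps a message when the filter is true)."""
    return [line for line in lines if flt(parse(line))]


def escaping_is_irrelevant(msg: Msg) -> bool:
    """'192.168.' (unescaped) and '192\\.168\\.' match the same sample line: '.' also matches a literal dot."""
    return message(r"192.168.")(msg) == message(r"192\.168\.")(msg)


if __name__ == "__main__":
    print("as posted, kept:", len(apply_filter(f_firewall_as_posted, SAMPLE_LINES)), "of", len(SAMPLE_LINES))
    for line in apply_filter(f_firewall_fixed, SAMPLE_LINES):
        print("fixed, kept:", line)
```

The emulation reproduces the symptom James describes: with the posted logic all four lines are kept, because none of them contains both 192.168. and 169.254. in one message. With the `or` grouping the two firewall lines carrying those subnets are dropped, while the non-firewall sshd line that mentions 192.168.0.15 is kept, since the program() term still gates the match.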