<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>LoL…good call…thanks again </span><span style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>James<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] <b>On Behalf Of </b>Frank Collette<br><b>Sent:</b> Tuesday, November 08, 2011 9:01 AM<br><b>To:</b> Syslog-ng users' and developers' mailing list<br><b>Subject:</b> Re: [syslog-ng] Quick filter question<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I believe it does, but I use it just in case :)</span> <br><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks, Frank</span> <br><br><br><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>From: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>"Lay, James" <<a href="mailto:james.lay@wincofoods.com">james.lay@wincofoods.com</a>></span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>To: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>"Syslog-ng users' and developers' mailing list" <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>></span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Date: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>11/08/2011 09:48 AM</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Subject: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Re: [syslog-ng] Quick filter question</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Sent by: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a></span> <o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade style='color:gray' align=center></div><p class=MsoNormal><br><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#004080'>Hi Frank,</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#004080'> </span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#004080'>Thanks for the quick response…my last little bit is, I was under the impression that the message() directive automatically assumed the value was already in the message only, and value() wasn’t required? Am I off on this? Thanks again.</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#004080'> </span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#004080'>James</span> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#004080'> </span> <br><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [</span><a href="mailto:syslog-ng-bounces@lists.balabit.hu"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:syslog-ng-bounces@lists.balabit.hu</span></a><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <b>On Behalf Of </b>Frank Collette<b><br>Sent:</b> Tuesday, November 08, 2011 8:36 AM<b><br>To:</b> Syslog-ng users' and developers' mailing list<b><br>Subject:</b> Re: [syslog-ng] Quick filter question</span> <br> <br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>filter f_firewall {</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br> not ( <br> program("firewall" flags(ignore-case)) and</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br> message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"));</span> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br> )</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>};</span> <br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Thanks,</span> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br><br>Frank E. Collette IV</span> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Technical Services<br>Systems Administrator II<br>Trustmark National Bank<br>Office: 601-208-7517</span> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Fax: 601-208-6105</span> <u><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'><br></span></u><a href="mailto:fcollette@trustmark.com"><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>fcollette@trustmark.com</span></a> <br><br><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'><br>From: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>"Lay, James" <</span><a href="mailto:james.lay@wincofoods.com"><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>james.lay@wincofoods.com</span></a><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>></span> <span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'><br>To: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><</span><a href="mailto:syslog-ng@lists.balabit.hu"><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>syslog-ng@lists.balabit.hu</span></a><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>></span> <span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'><br>Date: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>11/08/2011 09:14 AM</span> <span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'><br>Subject: </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>[syslog-ng] Quick filter question</span> <span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'><br>Sent by: </span><a href="mailto:syslog-ng-bounces@lists.balabit.hu"><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>syslog-ng-bounces@lists.balabit.hu</span></a> <o:p></o:p></p><p class=MsoNormal align=center style='text-align:center'><o:p> </o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade style='color:gray' align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>Hey all!</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br></span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>Real quick…trying to filter OUT firewall hits that have say…169.254. Will this do the trick?</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br></span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>filter f_firewall {</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br> not program (firewall flags(ignore-case));</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br> and not message("169\.254\.[0-9]+\.[0-9]+");</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>};</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br></span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>Thanks all.</span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br></span> <span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><br>James</span><span style='font-size:10.0pt;font-family:"Courier New"'>______________________________________________________________________________<br>Member info: </span><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"><span style='font-size:10.0pt;font-family:"Courier New"'>https://lists.balabit.hu/mailman/listinfo/syslog-ng</span></a><span style='font-size:10.0pt;font-family:"Courier New"'><br>Documentation: </span><a href="http://www.balabit.com/support/documentation/?product=syslog-ng"><span style='font-size:10.0pt;font-family:"Courier New"'>http://www.balabit.com/support/documentation/?product=syslog-ng</span></a><span style='font-size:10.0pt;font-family:"Courier New"'><br>FAQ: </span><a href="http://www.balabit.com/wiki/syslog-ng-faq"><span style='font-size:10.0pt;font-family:"Courier New"'>http://www.balabit.com/wiki/syslog-ng-faq</span></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>______________________________________________________________________________</tt><br><tt>Member info: </tt></span><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"><tt><span style='font-size:10.0pt'>https://lists.balabit.hu/mailman/listinfo/syslog-ng</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>Documentation: </tt></span><a href="http://www.balabit.com/support/documentation/?product=syslog-ng"><tt><span style='font-size:10.0pt'>http://www.balabit.com/support/documentation/?product=syslog-ng</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>FAQ: </tt></span><a href="http://www.balabit.com/wiki/syslog-ng-faq"><tt><span style='font-size:10.0pt'>http://www.balabit.com/wiki/syslog-ng-faq</span></tt></a><span style='font-size:10.0pt;font-family:"Courier New"'><br><br></span><o:p></o:p></p></div></div></body></html>