<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#0050d0">
    I'm not sure if semicolons are valid in filter rules, but
    technically valid or not, they shouldn't be there so try removing
    them.<br>
    The filter should look like<br>
    <br>
    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">filter
        f_firewall {<o:p></o:p></span></p>
    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        not (<o:p></o:p></span></p>
    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        program ("firewall" flags(ignore-case))<o:p></o:p></span></p>
    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        and message("192\.168\.")<o:p></o:p></span></p>
    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        and message("169\.254\.")<o:p></o:p></span></p>
    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        );<o:p></o:p></span></p>
    <span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">};</span><br>
    <br>
    Note though, that filter will only trigger if both 192.168. and
    169.254. are in the same log entry. Unless that IP address you
    masked out with "x"s is 169.254 it won't trigger.<br>
    <br>
    <br>
    <br>
    Sent: Tue Nov 08 2011 11:21:11 GMT-0700 (MST)<br>
    From: Lay, James <a class="moz-txt-link-rfc2396E" href="mailto:james.lay@wincofoods.com">&lt;james.lay@wincofoods.com&gt;</a><br>
    To: Syslog-ng users' and developers' mailing list
    <a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu">&lt;syslog-ng@lists.balabit.hu&gt;</a> <br>
    Subject: Re: [syslog-ng] Quick filter question
    <blockquote
cite="mid:360E0F1A6850C74D89B37C3A22C9DE1F04DB4229@GOMAIL.go.winco.local"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Hey
            again all.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">So&#8230;I&#8217;m
            still having issue with this..not sure why.&nbsp; Here&#8217;s the raw
            log:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Nov&nbsp;
            8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x
            192.168.0.15 9517 17777 offset 7 S 3371425811 win 64 <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">And
            from my syslog-ng.conf<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">filter
            f_firewall {<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            not (<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            program ("firewall" flags(ignore-case));<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            and message("192\.168\.");<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            and message("169\.254\.");<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            )<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">};<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">log
            {<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            source(s_local);<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            filter(f_dumb);<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            &nbsp;filter(f_firewall);<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            destination(d_file);<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            destination(other);<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">};<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Any
            hints as to why these aren&#8217;t matching?&nbsp; Should I not be \ing
            the periods?&nbsp; Thanks all.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">James<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <div style="border:none;border-left:solid blue 1.5pt;padding:0in
          0in 0in 4.0pt">
          <div>
            <div style="border:none;border-top:solid #B5C4DF
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                  <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>
                  [<a class="moz-txt-link-freetext" href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>] <b>On
                    Behalf Of </b>Frank Collette<br>
                  <b>Sent:</b> Tuesday, November 08, 2011 8:36 AM<br>
                  <b>To:</b> Syslog-ng users' and developers' mailing
                  list<br>
                  <b>Subject:</b> Re: [syslog-ng] Quick filter question<o:p></o:p></span></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
          <p class="MsoNormal"><br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">filter
              f_firewall {</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;
              &nbsp; &nbsp; &nbsp; not ( </span><br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;
              &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;program("firewall" flags(ignore-case)) and</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;
              &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;message("169\.254\.[0-9]+\.[0-9]+"
              value("MESSAGE"));</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">&nbsp;
              &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; )</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">};</span>
            <br>
            <br>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Thanks,</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;"><br>
              Frank E. Collette IV</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Technical
              Services<br>
              Systems Administrator II<br>
              Trustmark National Bank<br>
              Office: 601-208-7517</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Fax:
              601-208-6105</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;"><a
                moz-do-not-send="true"
                href="mailto:fcollette@trustmark.com">fcollette@trustmark.com</a></span>
            <br>
            <br>
            <br>
            <br>
            <span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#5F5F5F">From:
              &nbsp; &nbsp; &nbsp; &nbsp;</span><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">"Lay,
              James" &lt;<a moz-do-not-send="true"
                href="mailto:james.lay@wincofoods.com">james.lay@wincofoods.com</a>&gt;</span>
            <br>
            <span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#5F5F5F">To:
              &nbsp; &nbsp; &nbsp; &nbsp;</span><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">&lt;<a
                moz-do-not-send="true"
                href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>&gt;</span>
            <br>
            <span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#5F5F5F">Date:
              &nbsp; &nbsp; &nbsp; &nbsp;</span><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">11/08/2011
              09:14 AM</span> <br>
            <span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#5F5F5F">Subject:
              &nbsp; &nbsp; &nbsp; &nbsp;</span><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">[syslog-ng]
              Quick filter question</span> <br>
            <span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#5F5F5F">Sent
              by: &nbsp; &nbsp; &nbsp; &nbsp;</span><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;"><a
                moz-do-not-send="true"
                href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a></span>
            <o:p></o:p></p>
          <div class="MsoNormal" style="text-align:center"
            align="center">
            <hr style="color:gray" align="center" noshade="noshade"
              size="2" width="100%"></div>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
            <br>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Hey
              all!</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Real
              quick&#8230;trying to filter OUT firewall hits that have
              say&#8230;169.254. &nbsp;Will this do the trick?</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">filter
              f_firewall {</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;
              &nbsp; &nbsp; &nbsp; not program (firewall flags(ignore-case));</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;
              &nbsp; &nbsp; &nbsp; and not message("169\.254\.[0-9]+\.[0-9]+");</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">};</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Thanks
              all.</span> <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span>
            <br>
            <span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">James</span><tt><span
                style="font-size:10.0pt">______________________________________________________________________________</span></tt><span
              style="font-size:10.0pt;font-family:&quot;Courier
              New&quot;"><br>
              <tt>Member info: </tt></span><a moz-do-not-send="true"
              href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"><tt><span
                  style="font-size:10.0pt">https://lists.balabit.hu/mailman/listinfo/syslog-ng</span></tt></a><span
              style="font-size:10.0pt;font-family:&quot;Courier
              New&quot;"><br>
              <tt>Documentation: </tt></span><a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"><tt><span
                  style="font-size:10.0pt">http://www.balabit.com/support/documentation/?product=syslog-ng</span></tt></a><span
              style="font-size:10.0pt;font-family:&quot;Courier
              New&quot;"><br>
              <tt>FAQ: </tt></span><a moz-do-not-send="true"
              href="http://www.balabit.com/wiki/syslog-ng-faq"><tt><span
                  style="font-size:10.0pt">http://www.balabit.com/wiki/syslog-ng-faq</span></tt></a><span
              style="font-size:10.0pt;font-family:&quot;Courier
              New&quot;"><br>
              <br>
            </span><o:p></o:p></p>
        </div>
      </div>
    </blockquote>
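    <p>The point in the reply at the top about both patterns having to appear in the same log entry, as an added example that is not code from the thread: a Python model of the filter logic in which re.search stands in for syslog-ng's program() and message() matching. The first sample is the log entry from the thread; the other samples are constructed, and the "or" variant is an assumption about the intended behaviour, not something a poster wrote.</p>

```python
import re

# (PROGRAM, MESSAGE) pairs. Entry 0 is the log line quoted in the thread, with
# the masked address left as "x.x.x.x"; entries 1-4 are constructed samples.
SAMPLES = [
    ("firewall", "Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64"),
    ("firewall", "Deny udp 20 78 169.254.10.7 10.1.1.1 137 137"),
    ("firewall", "Deny tcp 20 60 169.254.3.9 192.168.0.15 445 445"),
    ("firewall", "Deny tcp 20 60 203.0.113.8 10.1.1.1 4444 22"),
    ("sshd", "Accepted publickey for admin from 192.168.0.20 port 50222"),
]


def program(pattern, prog):
    """Model of program("..." flags(ignore-case)): unanchored, case-insensitive."""
    return re.search(pattern, prog, re.IGNORECASE) is not None


def message(pattern, msg):
    """Model of message("..."): unanchored regex search in the message text."""
    return re.search(pattern, msg) is not None


def f_firewall_and(prog, msg):
    """The filter as posted: not (firewall and 192.168. and 169.254.)."""
    return not (program("firewall", prog)
                and message(r"192\.168\.", msg)
                and message(r"169\.254\.", msg))


def f_firewall_or(prog, msg):
    """Assumed intent: not (firewall and (192.168. or 169.254.))."""
    return not (program("firewall", prog)
                and (message(r"192\.168\.", msg)
                     or message(r"169\.254\.", msg)))


def passed(filter_fn):
    """Indexes of the samples the filter lets through to the destinations."""
    return [i for i, (prog, msg) in enumerate(SAMPLES) if filter_fn(prog, msg)]


if __name__ == "__main__":
    for name, fn in (("and", f_firewall_and), ("or", f_firewall_or)):
        kept = passed(fn)
        print(f"{name:>3} form keeps entries {kept}")
        for i in kept:
            print("     ", SAMPLES[i][0] + ":", SAMPLES[i][1])
```

With the "and" form only the entry that contains both prefixes is dropped, so the line from the thread still reaches the destinations; grouping the two message() tests with "or" drops every firewall entry that contains either prefix.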
  </body>
</html>