<div dir="ltr">The issue is probably where the filter resides. I use that filter (in fact, it's in an optional ELSA config right now) and it works, but you have to remember that ${.classifier.class} isn't set until after the patterndb parser is run, so the filter() statement has to be after parser(p_db);</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 10, 2013 at 11:51 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
Wait a second. Version 3.2.x ... really?<br>
That's quite old. There was a bug with the .classifier.X tags some time in the past, and it might have been in those old versions. Certainly version 3.3 would be recommended, and all of my work is done with 3.4.x<br>
<br>
My advice may be specific to version 3.4 :-(<div class="im"><br>
<br>
<br>
<br>
Evan Rempel <a href="tel:250.271.7691" value="+12502717691" target="_blank">250.271.7691</a><br>
University Systems, University of Victoria<br>
<br></div><div><div class="h5">
Evan Rempel <<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>> wrote:<br>
<br>
<font><span style="font-size:10pt">
<div>This definitely works. I'm using it right now.<br>
<br>
If it isn't working, then your pattern in the patterndb is not matching. We literally run millions of messages per hour through this exact filter ... I copied and pasted it from our pattern database.<br>
<br>
<br>
<br>
Evan Rempel <a href="tel:250.271.7691" value="+12502717691" target="_blank">250.271.7691</a><br>
University Systems, University of Victoria<br>
<br>
Russell Fulton <<a href="mailto:r.fulton@auckland.ac.nz" target="_blank">r.fulton@auckland.ac.nz</a>> wrote:<br>
<br>
<br>
On 11/05/2013, at 2:26 PM, Evan Rempel <<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>> wrote:<br>
<br>
> Try this filter<br>
><br>
><br>
> filter f_unknown {<br>
> tags(".classifier.unknown");<br>
> };<br>
><br>
<br>
This always appears to return true. I.e. this filter includes everything. Negating it includes nothing.<br>
<br>
I have tried to install 3.2.5 as this is the last version that ELSA is confirmed to work with but that does not start:<br>
<br>
Starting syslog-ng<br>
/usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libsyslog-ng.so.0: cannot open shared object file: No such file or directory<br>
<br>
So far as I can tell all the lib files are present and correct and in the same place as the previous version?<br>
<br>
I have syslog-ng installed in /usr/local/syslog-ng-<version> and a symlink /usr/local/syslog-ng pointing to the version to use.<br>
<br>
Russell<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</div>
</span></font>
</div></div></div>
<br>
<br></blockquote></div><br></div>
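<div>The ordering described in the reply at the top of this thread, as an added configuration example that is not part of the original messages or of ELSA's shipped config. The names s_net and d_unknown, the UDP port and both file paths are assumptions made for illustration; the filter body is the one quoted in the thread.</div>

```conf
@version: 3.4
# Added example. s_net, d_unknown, the port and all file paths are hypothetical.

source s_net { udp(port(514)); };

# patterndb classifier: this is the step that sets ${.classifier.class}
# and the .classifier.* tags on each message.
parser p_db { db-parser(file("/usr/local/syslog-ng/var/patterndb.xml")); };

# Filter quoted in the thread: selects messages the classifier left unmatched.
filter f_unknown { tags(".classifier.unknown"); };

destination d_unknown { file("/var/log/unclassified.log"); };

# Misordered log path, kept commented out for comparison. The filter is
# evaluated before p_db has classified the message, so its result does not
# reflect what the pattern database would have matched.
# log { source(s_net); filter(f_unknown); parser(p_db); destination(d_unknown); };

# Order described in the reply: classify first, then filter on the result.
log { source(s_net); parser(p_db); filter(f_unknown); destination(d_unknown); };
```

<div>Elements inside a log statement are applied in the order they are written, which is why moving filter(f_unknown) behind parser(p_db) changes what the filter sees.</div>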