<div dir="ltr"><div class="gmail_extra">You need both logpath. One is filtering out and other collecting remaining. Also the order of log statement is important</div><div class="gmail_extra"><br></div><div class="gmail_extra">This is how I filtered out some annoying qemu bug :))</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">filter  f_qemu_bug {match(&quot;kernel&quot; value(&quot;PROGRAM&quot;));</div><div class="gmail_extra">        and match(&quot;unable to execute QEMU command \&#39;qom-get\&#39;&quot; value(&quot;MESSAGE&quot;));</div><div class="gmail_extra">};</div><div class="gmail_extra">filter  f_variety_bug {match(&quot;kernel&quot; value(&quot;PROGRAM&quot;));</div><div class="gmail_extra">        and match(&quot;Failed to set the background&quot; value(&quot;MESSAGE&quot;));</div><div class="gmail_extra">};</div><div><br></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">#get rid of qemu bug</div><div class="gmail_extra"><div class="gmail_extra">log {</div><div class="gmail_extra">source(s_local);</div><div class="gmail_extra">filter(f_qemu_bug);</div><div class="gmail_extra">flags(final);<br></div><div class="gmail_extra">};</div><div class="gmail_extra"><br></div><div class="gmail_extra">#get rid of variety bug</div><div class="gmail_extra">log {</div><div class="gmail_extra">source(s_local);</div><div class="gmail_extra">filter(f_variety_bug);</div><div class="gmail_extra">flags(final);</div><div class="gmail_extra"><div class="gmail_extra">};</div><div><br></div></div><div class="gmail_extra">#separate firewall log</div><div class="gmail_extra">log {</div><div class="gmail_extra">source(s_local);</div><div class="gmail_extra">filter(f_iptables);</div><div class="gmail_extra">destination(d_firewall);</div><div class="gmail_extra">flags(final);</div><div class="gmail_extra">};</div><div><div><br></div><div>#remaining</div><div>log {</div><div>source(s_local);</div><div>destination(d_messages);</div><div>};<br></div></div><div><br></div><div class="gmail_extra"><br></div><div><br></div><div>Vlad</div><div><br></div><br><div class="gmail_quote">On 24 September 2014 12:48, fRANz <span dir="ltr">&lt;<a href="mailto:andrea.francesconi@gmail.com" target="_blank" onclick="window.open(&#39;https://mail.google.com/mail/?view=cm&amp;tf=1&amp;to=andrea.francesconi@gmail.com&amp;cc=&amp;bcc=&amp;su=&amp;body=&#39;,&#39;_blank&#39;);return false;">andrea.francesconi@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello guys,<br>
I&#39;m trying to config syslog-ng to ignore and don&#39;t log some strings.<br>
I&#39;m using syslog-ng-3.2.5-4.el6.x86_64 on a CentOS 6.5:<br>
the config is pretty simple:<br>
<br>
# cat /etc/syslog-ng/syslog-ng.conf<br>
@version:3.2<br>
<br>
options { check_hostname(yes);<br>
keep_hostname(yes);<br>
stats_freq(0);<br>
chain_hostnames(no); };<br>
<br>
source inputs { internal();<br>
unix-stream(&quot;/dev/log&quot;);<br>
udp();<br>
tcp(max_connections(100)); };<br>
<br>
destination logpile {<br>
file(&quot;/logs/$HOST/$YEAR/$MONTH/$DAY/$FACILITY&quot;<br>
owner(root) group(root) perm(0600)<br>
create_dirs(yes) dir_perm(0700)); };<br>
<br>
#filter vmware_filter { match(&quot;Section for VMware ESX&quot; value (&quot;MESSAGE&quot;)); };<br>
#filter vmware_filter { message(&quot;Section for VMware ESX&quot;); };<br>
filter vmware_filter { not message(&quot;Section for VMware ESX&quot;); };<br>
<br>
#log { source(inputs); filter(vmware_filter); flags(final); };<br>
#log { source(inputs); destination(logpile); };<br>
log { source(inputs); filter(vmware_filter); destination(logpile); };<br>
<br>
but I cannot find the right key.<br>
Wha&#39;ts wrong in this config? You can see old configuration applied.<br>
Thanks for any tip.<br>
-f<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br></div></div>