<div dir="ltr">Hello,<br><br>The *in-list* should work the same way for both *program* and *message*.<div><br></div><div>It is a little hard to help without the rest of the *relevant* configuration. Therefore I created my dummy config and tested with it.</div><div><br></div><div><div>$ cat /tmp/message-filter.txt <br></div><div>:)</div><div>$ cat /tmp/in-list.conf <br></div><div>filter f_smile { in-list("/tmp/message-filter.txt", value("MESSAGE")); };</div><div>source s_stdin { file("/dev/stdin" flags(no-parse)); };</div><div>destination d_stdout { file("/dev/stdout"); };</div><div><br></div><div>log { source(s_stdin); filter(f_smile); destination(d_stdout); };</div><div><br></div><div>$ syslog-ng -f /tmp/in-list.conf </div><div>syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'</div><div>[2017-10-04T07:41:31.341435] WARNING: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file to indicate this explicitly;</div><div>...</div><div>:(</div><div>:)</div><div>Oct  4 07:41:50 peterkokai-work/peterkokai-work :)</div><div>doomed to fail :)</div><div>[EOF]</div><div><br></div><div>This must be an exact match, which is why it seems a little fishy that you want to match *MESSAGE* macro :)</div><br>--<br>Kokan<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Oct 3, 2017 at 10:10 PM Gopi Joshi <<a href="mailto:gkjoshi@gmail.com">gkjoshi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p style="margin:0px 0px 1.71429rem;padding:0px;border:0px;font-size:16px;vertical-align:baseline;line-height:1.71429;color:rgb(68,68,68);font-family:Asap,sans-serif">I am trying to filter messages matching text stored in a txt file (plain txt , exact match , one word each line). but its not working </p><pre style="margin-top:1.71429rem;margin-bottom:1.71429rem;padding:1.71429rem;border:1px solid rgb(237,237,237);font-size:0.857143rem;vertical-align:baseline;background-color:rgb(245,245,245);border-radius:4px;color:rgb(102,102,102);line-height:1.71429;word-break:break-all;word-wrap:break-word;font-family:Consolas,Monaco,"Lucida Console",monospace;overflow:auto"><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">filter f_userlist </span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">{</span> <span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">in</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">-</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">list</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">(</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">"/etc/syslog-ng/userlist.list"</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">,</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline"> value</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">(</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">"MESSAGE"</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">));</span> <span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">};    ---> NOT WORKING</span></pre><p style="margin:0px 0px 1.71429rem;padding:0px;border:0px;font-size:16px;vertical-align:baseline;line-height:1.71429;color:rgb(68,68,68);font-family:Asap,sans-serif">however it works with value(“PROGRAM”) </p><pre style="margin-top:1.71429rem;margin-bottom:1.71429rem;padding:1.71429rem;border:1px solid rgb(237,237,237);font-size:0.857143rem;vertical-align:baseline;background-color:rgb(245,245,245);border-radius:4px;color:rgb(102,102,102);line-height:1.71429;word-break:break-all;word-wrap:break-word;font-family:Consolas,Monaco,"Lucida Console",monospace;overflow:auto"><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">filter f_whitelist </span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">{</span> <span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">in</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">-</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">list</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">(</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">"/etc/syslog-ng/programlist.list"</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">,</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline"> value</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">(</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">"PROGRAM"</span><span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">));</span> <span style="margin:0px;padding:0px;border:0px;font-size:13.7143px;vertical-align:baseline">};  --->WORKING</span></pre><p style="margin:0px 0px 1.71429rem;padding:0px;border:0px;font-size:16px;vertical-align:baseline;line-height:1.71429;color:rgb(68,68,68);font-family:Asap,sans-serif">List ( userlist.list ) is not long and has less than 10 words to match.  anything missing ? or in-list filter doenot work with message contents . any troubleshooting tips will e helpful.</p><p style="margin:0px 0px 1.71429rem;padding:0px;border:0px;font-size:16px;vertical-align:baseline;line-height:1.71429;color:rgb(68,68,68);font-family:Asap,sans-serif"><br></p><p style="margin:0px 0px 1.71429rem;padding:0px;border:0px;font-size:16px;vertical-align:baseline;line-height:1.71429;color:rgb(68,68,68);font-family:Asap,sans-serif"><br></p></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>