I'm not sure if semicolons are valid in filter rules, but technically valid or not, they shouldn't be there, so try removing them.
The filter should look like:

filter f_firewall {
        not (
        program ("firewall" flags(ignore-case))
        and message("192\.168\.")
        and message("169\.254\.")
        );
};

Note, though, that filter will only trigger if both 192.168. and 169.254. are in the same log entry. Unless that IP address you masked out with "x"s is 169.254, it won't trigger.
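The filter logic discussed in this thread, simulated in Python as an added example (this is not code from the thread or from syslog-ng itself): it parses constructed log lines laid out like the one posted, applies the `and` form of `f_firewall` next to an `or` variant so the difference in what gets dropped is visible, and shows why the dots in the patterns are escaped. It assumes that `program()` and `message()` behave as unanchored regex searches over the program and MESSAGE parts (case-insensitive where `flags(ignore-case)` is given); the sample lines, addresses and helper names are all made up.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample lines in the same layout as the log posted in the thread.
# Addresses are from documentation / link-local ranges; none of this is real data.
SAMPLE_LOGS = [
    "Nov  8 11:13:38 10.0.0.1 firewall: Deny tcp 20 125 10.0.0.9 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64",
    "Nov  8 11:13:39 10.0.0.1 FIREWALL: Deny udp 20 125 10.0.0.9 169.254.1.2 137 137 offset 0",
    "Nov  8 11:13:40 10.0.0.1 firewall: Deny tcp 20 125 192.168.1.5 169.254.9.9 443 443 offset 7 S 1 win 64",
    "Nov  8 11:13:41 10.0.0.1 firewall: Deny tcp 20 125 10.0.0.9 203.0.113.7 80 80 offset 7 S 2 win 64",
    "Nov  8 11:13:42 10.0.0.1 sshd: Accepted publickey for admin from 192.168.0.15 port 50000",
]

# BSD-syslog style line: "<Mon dd HH:MM:SS> <host> <program>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<message>.*)$"
)

Record = Dict[str, str]


def parse_syslog(line: str) -> Optional[Record]:
    """Split a line into timestamp, host, program and message; None if it does not fit."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def program_is(rec: Record, name: str) -> bool:
    """Model of program("name" flags(ignore-case)): unanchored, case-insensitive
    regex search over the program field (assumption about syslog-ng semantics)."""
    return re.search(name, rec["program"], re.IGNORECASE) is not None


def message_has(rec: Record, pattern: str) -> bool:
    """Model of message("pattern"): unanchored regex search over the MESSAGE part."""
    return re.search(pattern, rec["message"]) is not None


def f_firewall_and(rec: Record) -> bool:
    """not (program and message(192.168.) and message(169.254.)):
    drops a firewall line only when BOTH prefixes occur in the same message."""
    return not (program_is(rec, "firewall")
                and message_has(rec, r"192\.168\.")
                and message_has(rec, r"169\.254\."))


def f_firewall_or(rec: Record) -> bool:
    """not (program and (message(192.168.) or message(169.254.))):
    drops a firewall line when EITHER prefix occurs."""
    return not (program_is(rec, "firewall")
                and (message_has(rec, r"192\.168\.")
                     or message_has(rec, r"169\.254\.")))


def apply_filter(lines: List[str], filt: Callable[[Record], bool]) -> List[str]:
    """Return the lines a log {} path with this filter would pass on to its destinations.
    Lines that do not parse are dropped here so the filter only ever sees a full record."""
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and filt(rec):
            kept.append(line)
    return kept


def unescaped_dot_false_positive() -> tuple:
    """Why the thread writes 192\\.168\\.: an unescaped '.' matches any character,
    so the bare pattern also hits a hostname-style token like 'ip-192-168-0-1'."""
    token = "ip-192-168-0-1"
    return (re.search("192.168.", token) is not None,      # True: dots match the dashes
            re.search(r"192\.168\.", token) is not None)   # False: literal dots required


if __name__ == "__main__":
    for name, filt in (("and", f_firewall_and), ("or", f_firewall_or)):
        print(f"--- f_firewall ({name} form) keeps:")
        for line in apply_filter(SAMPLE_LOGS, filt):
            print("  ", line)
    print("unescaped vs escaped match on 'ip-192-168-0-1':", unescaped_dot_false_positive())
```

With the `and` form, the first two sample lines survive because each carries only one of the two prefixes; only the third line, which carries both, is dropped. The `or` form drops all three firewall lines that mention either prefix, which is what the original question asked for. The sshd line passes both filters because `program()` never matches it.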



Sent: Tue Nov 08 2011 11:21:11 GMT-0700 (MST)
From: Lay, James <james.lay@wincofoods.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Quick filter question

Hey again all.

 

So… I’m still having an issue with this... not sure why. Here’s the raw log:

 

Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64

 

And from my syslog-ng.conf:

 

filter f_firewall {
        not (
        program ("firewall" flags(ignore-case));
        and message("192\.168\.");
        and message("169\.254\.");
        )
};

log {
        source(s_local);
        filter(f_dumb);
        filter(f_firewall);
        destination(d_file);
        destination(other);
};

 

Any hints as to why these aren’t matching? Should I not be \ing the periods? Thanks all.

 

James

 

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 8:36 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question

 


filter f_firewall {
        not (
                program("firewall" flags(ignore-case)) and
                message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"));
        )
};


Thanks,

Frank E. Collette IV

Technical Services
Systems Administrator II
Trustmark National Bank
Office: 601-208-7517

Fax: 601-208-6105
fcollette@trustmark.com



From:        "Lay, James" <james.lay@wincofoods.com>
To:        <syslog-ng@lists.balabit.hu>
Date:        11/08/2011 09:14 AM
Subject:        [syslog-ng] Quick filter question
Sent by:        syslog-ng-bounces@lists.balabit.hu





Hey all!
 
Real quick… trying to filter OUT firewall hits that have, say, 169.254. Will this do the trick?
 
filter f_firewall {
        not program (firewall flags(ignore-case));
        and not message("169\.254\.[0-9]+\.[0-9]+");
};
 
Thanks all.
 
James
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq


