Thanks Peter and Wernli.
 
I am trying to use the kv parser to extract the username from the MESSAGE template so that I can use it to compare further.

From the VPN logs below, I am trying to extract the values LOCAL\user1 and user1 (value-separator("(") pair-separator(")")).

Teardown TCP connection 51507415 for outside:2.2.2.2/60709(LOCAL\user1l) to inside:5,5,5,5/443 duration 0:00:06 bytes 0 Failover primary closed (user1)

I do not see it matching, nor any value being saved to $KEY1 to refer to the match.

Below is the conf file.

@version: 3.12
@include "scl.conf"

source s_local {
        system();
        internal();
};

source s_network {  udp(port(514) flags(no-parse));
};

####  PARSER ###

parser p_kv { kv-parser(value-separator("(") pair-separator(")") prefix("kv."));
};
##### VPN LOG ####
 
#filter f_users { in-list("/var/syslog-ng/user.list", value("${KEY1}")); };   --- Not in Use at present

filter f-syslog       { host("1.1.1.1"); };
destination log-vpntest { file("/var/log/vpn/vpntest.log" perm(0644) template("$ISODATE $HOST ${kv.KEY1} $KEY1\n") ); };
log { source(s_network);parser(p_kv);filter(f-syslog);destination(log-vpntest); };

#### VPN LOG ENDS ###

Regards
Gopi Joshi

On Wed, Oct 4, 2017 at 2:54 AM, Czanik, Péter <peter.czanik@balabit.com> wrote:
Here is an example for using the inlist filter together with the patterndb parser: https://czanik.blogs.balabit.com/2013/09/black-cat-white-cat/ In this case patterndb extracts IP addresses from log messages, which are checked using the inlist filter.

Bye,


On Wed, Oct 4, 2017 at 8:14 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Tue, Oct 03, 2017 at 04:10:39PM -0400, Gopi Joshi wrote:
> I am trying to filter messages matching text stored in a txt file (plain
> txt, exact match, one word each line), but it's not working

As Péter suggested, you should first extract the username from the MESSAGE,
for instance using one of the parsers (kv, csv, db, …), and then apply the
in-list filter to that extracted macro.

Cheers

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
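
One way to do the "extract first, then in-list" step suggested in the thread, as an added example that is not from any of the posters: it swaps the kv-parser for a regular-expression filter with a named capture group, because the username in the sample Teardown line sits in bare parentheses rather than in key/value pairs. The names f_vpn_user, vpnuser and d_vpn_match are hypothetical; the source, host, list file and log path are the ones from the posted configuration.

```conf
# Added example. f_vpn_user, vpnuser and d_vpn_match are hypothetical names.
# Sample input, taken from the log line in the post:
#   Teardown TCP connection ... Failover primary closed (user1)

filter f-syslog { host("1.1.1.1"); };

# Capture the text inside the final "(...)" of the message.
# Single quotes keep the backslashes literal, so no double escaping is needed.
# flags("store-matches") saves the named group as the name-value pair ${vpnuser}.
filter f_vpn_user {
    match('\((?<vpnuser>[^()]+)\)\s*$' value("MESSAGE") flags("store-matches"));
};

# Compare the extracted name against the list file, one entry per line.
# value() is given the name without the $ sign, as in value("MESSAGE").
filter f_users {
    in-list("/var/syslog-ng/user.list", value("vpnuser"));
};

destination d_vpn_match {
    file("/var/log/vpn/vpntest.log" perm(0644)
         template("$ISODATE $HOST ${vpnuser} $MESSAGE\n"));
};

log {
    source(s_network);
    filter(f-syslog);
    filter(f_vpn_user);   # must run before f_users so ${vpnuser} exists
    filter(f_users);
    destination(d_vpn_match);
};
```

To match on the domain-qualified form (LOCAL\user1) instead, drop the trailing `\s*$` anchor so the first parenthesised group is captured, and list the names in that form in the file.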


