Using your configuration on syslog-ng version 3.9.1 I did the following:

    filter f_notifier_filter {
        not match("ASA-4-302015|ASA-4-302013|TRAFFIC|permitted|Deny|Denied|denied", value("MESSAGE"));
    };
    filter f_local5 { facility(local5); };

    destination d_networkx {
        file("/var/log/network.$YEAR$MONTH$DAY.000000" owner("root") group("syslogs") perm(0640) template(t_standardfile));
    };
    destination d_notifier {
        file("/var/log/notifier.$YEAR$MONTH$DAY.000000" owner("root") group("syslogs") perm(0640) template(t_standardfile));
    };

    log {
        source(s_local);
        log {
            filter(f_local5);
            destination(d_networkx);
            log {
                filter(f_notifier_filter);
                destination(d_notifier);
            };
        };
    };

Then I manually logged the following line:

    logger -t cisco -p local5.notice "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown"

This message matches the f_local5 filter AND the f_notifier_filter, and this message ended up in both my network.xxx file and my notifier.xxx file.

    [xerr@myhost log]$ cat notifier.20170501.000000
    2017-05-01T08:12:35.960-07:00 local@myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown
    [xerr@myhost log]$ cat network.20170501.000000
    2017-05-01T08:12:35.960-07:00 local@myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown

Then I logged a message containing one of the "not match" parts from the f_notifier_filter:

    logger -t cisco -p local5.notice "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: permitted neighbor 172.19.254.6 Down Admin. shutdown"

This message matches the f_local5 filter but does NOT match the f_notifier_filter, and only ended up in my filter.xxx file.

    [xerr@myhost log]$ cat network.20170501.000000
    2017-05-01T08:12:35.960-07:00 local@myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown
    2017-05-01T08:13:00.095-07:00 local@myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: permitted neighbor 172.19.254.6 Down Admin. shutdown
    [xerr@myhost log]$ cat notifier.20170501.000000
    2017-05-01T08:12:35.960-07:00 local@myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown

From what I can tell everything is working correctly. All local5 messages go to the d_network destination and only messages that do NOT contain any of ASA-4-302015|ASA-4-302013|TRAFFIC|permitted|Deny|Denied|denied go to the d_notifier destination.

Evan.

On 05/01/2017 04:13 AM, Soumyadip Das Mahapatra wrote:
Hi folks,
I raised https://github.com/balabit/syslog-ng/issues/1455
Could you guys help me troubleshoot the issue? It looks to be a buggy regex match.
Thanks, Soumyadip
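The routing that Evan's test demonstrates, modelled as an added Python example (this is not code from the thread, from Evan, or from syslog-ng itself). It assumes that syslog-ng's match() is an unanchored, case-sensitive regex search over the named value, which re.search() on the MESSAGE text reproduces here, and that nested log {} statements only see messages that passed the enclosing filter. The two logger lines from the thread are reused as input; the remaining sample messages are constructed to probe the edges of the alternation (wrong facility, lower-case "deny", "TRAFFIC" embedded in a longer token).

```python
import re
from dataclasses import dataclass

# The alternation from f_notifier_filter in the thread. syslog-ng's match()
# does an unanchored, case-sensitive regex search against the named value
# (here MESSAGE), which Python's re.search() over the message text models.
NOTIFIER_EXCLUDE = re.compile(
    r"ASA-4-302015|ASA-4-302013|TRAFFIC|permitted|Deny|Denied|denied"
)


@dataclass(frozen=True)
class SyslogMsg:
    facility: str   # e.g. "local5"
    program: str    # the -t tag given to logger, e.g. "cisco"
    message: str    # the MESSAGE macro: the text after "program: "


def f_local5(msg: SyslogMsg) -> bool:
    """filter f_local5 { facility(local5); };"""
    return msg.facility == "local5"


def f_notifier_filter(msg: SyslogMsg) -> bool:
    """filter f_notifier_filter { not match("...", value("MESSAGE")); };
    True when none of the excluded fragments occurs anywhere in MESSAGE."""
    return NOTIFIER_EXCLUDE.search(msg.message) is None


def route(msg: SyslogMsg) -> frozenset:
    """Destinations reached by the nested log {} statements: d_networkx for
    every local5 message, d_notifier only for those that additionally pass
    the 'not match' filter. Non-local5 messages reach neither."""
    dests = set()
    if f_local5(msg):
        dests.add("d_networkx")
        if f_notifier_filter(msg):
            dests.add("d_notifier")
    return frozenset(dests)


# Constructed sample messages. The first two are the two logger lines from the
# thread; the rest are made up (hypothetical devices) to probe the regex.
SAMPLES = {
    "bgp_down": SyslogMsg("local5", "cisco",
        "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown"),
    "bgp_permitted": SyslogMsg("local5", "cisco",
        "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: permitted neighbor 172.19.254.6 Down Admin. shutdown"),
    # Excluded message ID, but on local4: f_local5 fails first, so it is dropped.
    "asa_local4": SyslogMsg("local4", "asa",
        "%ASA-4-302013: Built inbound TCP connection 12345 for outside:10.0.0.1/443"),
    # Lower-case "deny" is not in the case-sensitive alternation, so this
    # still reaches d_notifier even though it is an access-list deny.
    "lowercase_deny": SyslogMsg("local5", "asa",
        "%ASA-6-106100: access-list inside deny tcp inside/10.1.1.5(5000) -> outside/10.0.0.1(22)"),
    # match() is a substring search: "TRAFFIC" inside a longer token still excludes.
    "embedded_traffic": SyslogMsg("local5", "pan",
        "PANTRAFFIC,2017/05/01,session end,10.1.1.5,10.0.0.1"),
}


def route_all(samples=SAMPLES):
    """Map each sample name to the sorted list of destinations it reaches."""
    return {name: sorted(route(m)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, dests in route_all().items():
        print(f"{name:18s} -> {dests or ['(dropped)']}")
```

The "lowercase_deny" and "embedded_traffic" cases are the ones worth checking before relying on a pattern like this for notifications: the alternation is case-sensitive unless the match() gets flags("ignore-case"), and it matches substrings, so anything containing the listed fragments is suppressed whether or not it is a firewall deny.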