On Tue, 2011-11-08 at 11:56 -0700, Patrick H. wrote:
That might work, but what the order of operations on boolean operations (and/or) is, is unclear. In situations like that it's always best to explicitly force the order yourself.
filter f_firewall { not ( program ("firewall" flags(ignore-case)) and ( message("192\.168\.") or message("169\.254\.") ) ); };
You are bitten by one nasty side effect of strings in the syslog-ng configuration file, when using regexps. (maybe we should introduce a Perl like syntax?).

So when using double quotes (as you do), the backslash is interpreted by the syslog-ng config lexer (as an escape character), and then the result is handed to the regexp engine. This is different when you use apostrophes, in which case backslashes are not treated specially.

message('192\.168\.')

is equivalent to

message("192\\.168\\.")

Also, if you only want to match fixed strings and you don't care about regexps, you can also use:

message('192.168.' type(string) flags(substring))

which means that a substring matching is done but without treating it as a regexp, which is _much_ faster.

--
Bazsi
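Added example, not part of the original thread and not syslog-ng code: a small Python model of the quoting behaviour described in the reply above, run over constructed log lines. It shows that once the backslashes are consumed, the pattern over-matches, and because the filter is negated, those extra matches are messages the filter would discard. The helper names, the simplified escape handling and the sample messages are assumptions made for illustration.

```python
import re

# Simplified model (assumption) of the double-quote handling described in
# the reply: a backslash escapes the next character, so the backslash is
# consumed before the pattern reaches the regexp engine.
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}

def lex_double_quoted(body: str) -> str:
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)

def lex_single_quoted(body: str) -> str:
    # Apostrophes: backslashes are not treated specially.
    return body

# Constructed sample messages (documentation address ranges for public IPs).
SAMPLES = [
    "DROP IN=eth0 SRC=192.168.1.10 DST=198.51.100.7",            # intended match
    "DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 ID=19211684",  # no private IP
    "DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 ID=4711",
]

WRITTEN = r"192\.168\."  # the characters typed between the quotes

def regexp_matches(pattern: str) -> list:
    rx = re.compile(pattern)
    return [m for m in SAMPLES if rx.search(m)]

def substring_matches(needle: str) -> list:
    # Counterpart of type(string) flags(substring): plain substring test.
    return [m for m in SAMPLES if needle in m]

if __name__ == "__main__":
    for label, pat in (("double quotes", lex_double_quoted(WRITTEN)),
                       ("apostrophes", lex_single_quoted(WRITTEN))):
        print(f"{label}: engine sees {pat!r}")
        for m in regexp_matches(pat):
            print("   matched:", m)
    print("substring:", substring_matches("192.168."))
```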