Hey again all. So… I’m still having an issue with this.. not sure why. Here’s the raw log:

    Nov 8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64

And from my syslog-ng.conf:

    filter f_firewall {
        not (
            program ("firewall" flags(ignore-case));
            and message("192\.168\.");
            and message("169\.254\.");
        )
    };

    log {
        source(s_local);
        filter(f_dumb);
        filter(f_firewall);
        destination(d_file);
        destination(other);
    };

Any hints as to why these aren’t matching? Should I not be \ing the periods? Thanks all.

James

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 8:36 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question

    filter f_firewall {
        not (
            program("firewall" flags(ignore-case))
            and message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"));
        )
    };

Thanks,
Frank E. Collette IV
Technical Services
Systems Administrator II
Trustmark National Bank
Office: 601-208-7517
Fax: 601-208-6105
fcollette@trustmark.com

From: "Lay, James" <james.lay@wincofoods.com>
To: <syslog-ng@lists.balabit.hu>
Date: 11/08/2011 09:14 AM
Subject: [syslog-ng] Quick filter question
Sent by: syslog-ng-bounces@lists.balabit.hu
________________________________

Hey all! Real quick… trying to filter OUT firewall hits that have say… 169.254. Will this do the trick?

    filter f_firewall {
        not program (firewall flags(ignore-case));
        and not message("169\.254\.[0-9]+\.[0-9]+");
    };

Thanks all.

James
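Added example, not part of the thread and not syslog-ng itself: a small Python model of the boolean logic in the three filter shapes discussed above, run over constructed log lines, to show which lines each one lets through. It assumes program() and message() behave as unanchored regex searches and that the goal is to drop firewall lines mentioning either prefix; the function names, the sample addresses and the `or` rewrite are illustrative assumptions.

```python
import re

# Constructed (program, message) pairs; addresses are made up for illustration.
SAMPLES = [
    ("firewall", "Deny tcp 20 125 203.0.113.9 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64"),
    ("firewall", "Deny udp 20 125 169.254.10.2 203.0.113.9 68 67"),
    ("firewall", "Deny tcp 20 125 198.51.100.7 203.0.113.9 4444 22 offset 7 S 1 win 64"),
    ("sshd", "Accepted publickey for admin from 192.168.0.20 port 50122"),
]

def program(pattern, prog):
    # Models program("..." flags(ignore-case)) as a case-insensitive search.
    return re.search(pattern, prog, re.IGNORECASE) is not None

def message(pattern, msg):
    # Models message("...") as an unanchored regex search on the message text.
    return re.search(pattern, msg) is not None

def first_attempt(prog, msg):
    # not program(firewall) and not message("169\.254\.[0-9]+\.[0-9]+")
    return (not program("firewall", prog)) and not message(r"169\.254\.[0-9]+\.[0-9]+", msg)

def and_of_both(prog, msg):
    # not (program("firewall") and message("192\.168\.") and message("169\.254\."))
    # The inner test is true only when ONE line contains BOTH prefixes.
    return not (program("firewall", prog)
                and message(r"192\.168\.", msg)
                and message(r"169\.254\.", msg))

def either_prefix(prog, msg):
    # Assumed intent, written with "or":
    # not (program("firewall") and (message("192\.168\.") or message("169\.254\.")))
    return not (program("firewall", prog)
                and (message(r"192\.168\.", msg) or message(r"169\.254\.", msg)))

def kept(flt):
    """Indexes of SAMPLES that the filter passes on to the destinations."""
    return [i for i, (prog, msg) in enumerate(SAMPLES) if flt(prog, msg)]

if __name__ == "__main__":
    for flt in (first_attempt, and_of_both, either_prefix):
        print(f"{flt.__name__:14} keeps {kept(flt)}")
```

In this model the first shape drops every firewall line, the all-`and` shape drops nothing because no single line carries both prefixes, and the `or` shape drops only the firewall lines that mention 192.168. or 169.254.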