Hey again all.

 

So…I’m still having an issue with this…not sure why.  Here’s the raw log:

 

Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64

 

And from my syslog-ng.conf:

 

filter f_firewall {
        not (
        program ("firewall" flags(ignore-case));
        and message("192\.168\.");
        and message("169\.254\.");
        )
};

 

log {
        source(s_local);
        filter(f_dumb);
        filter(f_firewall);
        destination(d_file);
        destination(other);
};

 

Any hints as to why these aren’t matching?  Should I not be \ing the periods?  Thanks all.

 

James
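To see why the posted filter lets the 192.168 line through, here is an added Python model of the filter's boolean logic (example code written for this thread, not syslog-ng's own code and not from either poster). It assumes a simplified syslog line parser (syslog-ng's real `program()` is a regex match; here it is case-insensitive equality), constructed sample lines patterned on the one quoted above, and compares the posted `not (A and B and C)` form with a `not (A and (B or C))` form; the `matches()` helper answers the escaped-dot question.

```python
import re

# Constructed sample lines modelled on the log line quoted in the thread
# (hosts left as x.x.x.x exactly as in the post).
SAMPLE_LINES = [
    "Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 "
    "9517 17777 offset 7 S 3371425811 win 64",
    "Nov  8 11:13:39 x.x.x.x firewall: Deny udp 20 125 x.x.x.x 169.254.10.7 "
    "137 137 win 64",
    "Nov  8 11:13:40 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 10.0.0.5 "
    "22 44321 offset 7 S 12345 win 64",
    "Nov  8 11:13:41 x.x.x.x sshd: Accepted publickey for ops from 192.168.0.15",
]

# Simplified BSD-syslog split into the fields syslog-ng exposes as
# $PROGRAM and $MESSAGE (hypothetical parser, not syslog-ng's own).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^:\s]+): (?P<message>.*)$"
)


def parse(line):
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    return m.groupdict()


def program(rec, name):
    # program("name" flags(ignore-case)), modelled as case-insensitive equality
    return rec["program"].lower() == name.lower()


def message(rec, pattern):
    # message("regex"): unanchored regex search over the MESSAGE part only
    return re.search(pattern, rec["message"]) is not None


def filter_as_posted(rec):
    """not (program AND msg~192.168 AND msg~169.254).

    No single message contains both prefixes, so the inner AND is always
    False, the NOT makes it always True, and nothing is ever dropped."""
    return not (program(rec, "firewall")
                and message(rec, r"192\.168\.")
                and message(rec, r"169\.254\."))


def filter_with_or(rec):
    r"""not (program AND (msg~192.168 OR msg~169.254)).

    syslog-ng equivalent of this function:
        filter f_firewall {
            not (
                program("firewall" flags(ignore-case))
                and (message("192\.168\.") or message("169\.254\."))
            );
        };
    """
    return not (program(rec, "firewall")
                and (message(rec, r"192\.168\.")
                     or message(rec, r"169\.254\.")))


def kept_lines(filt, lines):
    """Apply a filter function to raw lines; return the lines that pass."""
    return [line for line in lines if filt(parse(line))]


def matches(pattern, text):
    """For the escaping question: does the regex hit the text at all?"""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    for name, filt in (("as posted", filter_as_posted), ("with or", filter_with_or)):
        kept = kept_lines(filt, SAMPLE_LINES)
        print("%-10s keeps %d of %d lines" % (name, len(kept), len(SAMPLE_LINES)))
    # Escaped dot matches only a literal dot; a bare dot matches any character,
    # so "192-168-0-1" is hit by the bare pattern but not the escaped one.
    print(matches(r"192\.168\.", "192-168-0-1"), matches(r"192.168.", "192-168-0-1"))
```

Running it shows the posted form keeping all four lines and the `or` form dropping the two firewall lines that mention 192.168 or 169.254; escaping the periods is correct and only makes the match stricter.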

 

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 8:36 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question

 


filter f_firewall {
        not (
               program("firewall" flags(ignore-case)) and
               message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"))
        );
};


Thanks,

Frank E. Collette IV

Technical Services
Systems Administrator II
Trustmark National Bank
Office: 601-208-7517

Fax: 601-208-6105
fcollette@trustmark.com



From:        "Lay, James" <james.lay@wincofoods.com>
To:        <syslog-ng@lists.balabit.hu>
Date:        11/08/2011 09:14 AM
Subject:        [syslog-ng] Quick filter question
Sent by:        syslog-ng-bounces@lists.balabit.hu





Hey all!
 
Real quick…trying to filter OUT firewall hits that have say…169.254.  Will this do the trick?
 
filter f_firewall {
        not program (firewall flags(ignore-case));
        and not message("169\.254\.[0-9]+\.[0-9]+");
};
 
Thanks all.
 
James