-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Wednesday, November 09, 2011 1:36 PM
To: Syslog-ng users' and developers' mailing list
Cc: Lay, James
Subject: Re: [syslog-ng] Quick filter question
On Tue, 2011-11-08 at 11:56 -0700, Patrick H. wrote:
That might work, but it is unclear what the order of operations on boolean operations (and/or) is. In situations like that it's always best to explicitly force the order yourself.
filter f_firewall { not ( program ("firewall" flags(ignore-case)) and ( message("192\.168\.") or message("169\.254\.") ) ); };
You are bitten by one nasty side effect of strings in the syslog-ng configuration file when using regexps. (Maybe we should introduce a Perl-like syntax?)
So when using double quotes (as you do), the backslash is interpreted by the syslog-ng config lexer (as an escape character), and then the result is handed to the regexp engine.
This is different when you use apostrophes, in which case backslashes are not treated specially.
message('192\.168\.') is equivalent to message("192\\.168\\.")
Also, if you only want to match fixed strings and you don't care about regexps, you can also use:
message('192.168.' type(string) flags(substring))
which means that substring matching is done without treating it as a regexp, which is _much_ faster.
-- Bazsi
Thanks for the heads-up and additional config information, Bazsi. I really appreciate it. James
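The double-quote versus apostrophe behaviour Bazsi describes, and the substring alternative, as an added worked example (not code from the thread or from the syslog-ng project). It models the config lexer in a simplified way that is an assumption on my part: in a double-quoted string a backslash escape is consumed, and an unknown escape such as \. yields the bare character, while an apostrophe-quoted string is passed through untouched. The log lines and the f_firewall emulation are constructed for the example; the filter mirrors the one quoted above.

```python
import re

# Assumption: simplified model of the syslog-ng lexer for "..." strings.
# Known escapes are translated, any other "\x" collapses to "x", so the
# regexp engine never sees the backslash the author typed.
_KNOWN_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', '"': '"', '\\': '\\'}


def unescape_double_quoted(s: str) -> str:
    """Return what the regexp engine receives for a "..." config string."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(_KNOWN_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def unescape_single_quoted(s: str) -> str:
    """'...' strings: backslashes are not treated specially (per the thread)."""
    return s


def message_regexp(pattern_as_written: str, quote: str, text: str,
                   ignore_case: bool = False) -> bool:
    """Emulate message("...") / message('...') with the default regexp matcher.

    pattern_as_written is the text between the quotes exactly as typed in the
    config; quote is '"' or "'" and selects the lexer behaviour.
    """
    if quote == '"':
        raw = unescape_double_quoted(pattern_as_written)
    else:
        raw = unescape_single_quoted(pattern_as_written)
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(raw, text, flags) is not None


def message_substring(pattern: str, text: str) -> bool:
    """Emulate message('...' type(string) flags(substring)): no regexp at all."""
    return pattern in text


def f_firewall(program: str, message: str, quote: str) -> bool:
    """Emulate the quoted filter; True means the message passes the filter.

    filter f_firewall { not ( program("firewall" flags(ignore-case))
                              and ( message(<192\\.168\\.>) or message(<169\\.254\\.>) ) ); };
    with both address patterns written using the chosen quote style.
    """
    from_private = (message_regexp(r'192\.168\.', quote, message)
                    or message_regexp(r'169\.254\.', quote, message))
    is_firewall = message_regexp('firewall', quote, program, ignore_case=True)
    return not (is_firewall and from_private)


if __name__ == '__main__':
    # Constructed log lines: the second contains no 192.168. address at all,
    # yet "192.168." read as a regexp (dot = any character) matches "19241685".
    samples = [
        ('firewall', 'DROP src=192.168.1.10 dst=10.0.0.5'),
        ('FIREWALL', 'ACCEPT conn-id 19241685'),
    ]
    for prog, msg in samples:
        print(f'{msg!r}: "..." keeps={f_firewall(prog, msg, chr(34))}, '
              f"'...' keeps={f_firewall(prog, msg, chr(39))}, "
              f'substring hit={message_substring("192.168.", msg)}')
```

Running it shows the second line being silently dropped by the double-quoted filter, because the lexer turned `192\.168\.` into `192.168.` before the regexp engine saw it, while the apostrophe-quoted form and the `type(string) flags(substring)` form both leave it alone; the `"192\\.168\\."` spelling is the other way to get the same literal-dot pattern through the lexer.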