I agree with what Attila wrote, but to answer your question, the first expression host("*.abca.*") is invalid. You have a "*." where you needed a ".*".

Evan

On 06/06/2017 05:07 AM, Szalai, Attila wrote:
Hi,
First of all, the content of the host() is a regular expression, so adding .* to the beginning and/or to the end of the expression adds nothing, just pain/slowness.
Second, it would help a lot if we can see the actual error message. I found no obvious mistake, but because this is not the original line, maybe something was lost in the translation.
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of wiskbroom@hotmail.com
Sent: Tuesday, June 06, 2017 12:59 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Filter Not Working (too many or's?)
Here is an example of what I am trying to do. These hostnames are not real; the real ones have no common pattern.
filter f_xyz { host("*.abca.*") or host(".*abcb.*") or host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); };
The filter above is for any host containing a hostname with what is contained within the .* and *.; i.e. hostabca01 will be matched by host("*.abca.*")
When I have this filter in my config, syslog fails to restart.
Eyes hurt, obvious mistake?
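The two points made in the replies (a leading "*" is not a valid regular expression, and wrapping a host() pattern in ".*" is redundant because the match is unanchored) can be checked before restarting the daemon. The following is an added example, not part of the thread or of syslog-ng: it uses Python's re module as a stand-in for syslog-ng's regex engine (an assumption), and the function names are hypothetical.

```python
import re

# Constructed input: a shortened copy of the filter line from the original post.
FILTER = ('filter f_xyz { host("*.abca.*") or host(".*abcb.*") or '
          'host("abcc"); };')

# Pulls the quoted argument out of each host("...") call.
HOST_CALL = re.compile(r'host\("((?:[^"\\]|\\.)*)"\)')


def strip_wrappers(pattern):
    """Drop leading/trailing '.*' that is not an escaped dot ('\\.*')."""
    core = re.sub(r'^(?:\.\*)+', '', pattern)
    return re.sub(r'(?:(?<!\\)\.\*)+$', '', core)


def lint_host_patterns(filter_text):
    """Return (pattern, problem) for every host() regex that needs attention."""
    findings = []
    for pattern in HOST_CALL.findall(filter_text):
        try:
            re.compile(pattern)
        except re.error as exc:
            # A quantifier with nothing before it, e.g. a leading '*'.
            findings.append((pattern, "invalid regex: %s" % exc.msg))
            continue
        if strip_wrappers(pattern) != pattern:
            findings.append((pattern, "redundant .* wrapper"))
    return findings


def same_match(pattern, hostname):
    """True if the wrapped and unwrapped forms agree for this hostname."""
    wrapped = bool(re.search(pattern, hostname))
    bare = bool(re.search(strip_wrappers(pattern), hostname))
    return wrapped == bare


if __name__ == "__main__":
    for pattern, problem in lint_host_patterns(FILTER):
        print("%-12s %s" % (pattern, problem))
```
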