I agree with what Attila wrote, but to answer your question the first rexpression host("*.abca.*") is invalid.
you have a "*." where you needed a ".*"

Evan


On 06/06/2017 05:07 AM, Szalai, Attila wrote:

Hi,

 

First of all, the content of the host() is a regular expression, so adding .* to the beginning and/or to the end of the expression adds nothing, just pain/slowness.

 

Second, it would help a lot if we can see the actual error message. I found no obvious mistake, but because this is not the original line, maybe something lost in the translation.

 

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of wiskbroom@hotmail.com
Sent: Tuesday, June 06, 2017 12:59 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Filter Not Working (too many or's?)

 

Here is an example of what I am trying to do, these hostnames are not real; the real ones have no common pattern.

 

filter f_xyz         { host("*.abca.*") or host(".*abcb.*") or host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); };

 

The filter above is for any host containing a hostname with what is contained within the .* and *.; i.e. hostabca01 will be matched by host("*.abca.*")

 

When I have this filter in my config, syslog fails to restart.

 

Eyes hurt, obvious mistake?