RE: [syslog-ng]stupid regexp question
Michael,

Your format is annoying and may take some tweaking of your filters to get around. Syslog-ng, as you know, does various types of matching: on the program, the host, the message, etc. There are different functions that do those things. For the message portion there is match(), for the program portion there is program(), and for host there is host(); you get the idea.

I think you are matching a field other than the message when you are using the match function. It's hard to be sure since I'm not familiar with the NT logging format, but that is what I am guessing. Try using one of the other functions to match your expression.

Another way you might get a handle on the structure as syslog-ng sees the messages is to use a destination that structures the messages using the DEFAULT filter and the macros ($HOST, $FACILITY, $PRIORITY, etc.). That will tell you the format of the message so you can filter it the way syslog-ng sees it. In version 1.5.X there is also the template() function that lets you format the output from syslog-ng however you want.

Hope this helps.

Regards,
Drew

-----Original Message-----
From: Michael Hargadon [mailto:MHargadon@ITDepartment.com]
Sent: Thursday, July 12, 2001 11:41 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]stupid regexp question

Good afternoon.

I use a linux box as a concentration point for the system logs of several NT servers I monitor. This is done through services running on the NT machine which provide standard syslog functionality -- they forward any messages written to the NT event log to a destination I specify.

The format in which the messages are received is somewhat irritating, eg:

    Jul 12 17:36:25 1.2.3.4 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) - "Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID: (0x0,0x34616CAB) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SOMESTATION"

A large number of the messages we receive we'd prefer not to log to disk. I set up a destination pointing to /dev/null for this purpose. My intention is to use regular expressions to separate useful messages from the useless (and repetitive) ones.

As an example of the above, I defined a filter as follows:

    filter f_nt0001 { match("Security (528)"); };

As well as a log rule as follows:

    log { source(src); filter(f_nt0002); destination(null); };

However, I'm having issues getting the match rule to work. I suspect it's the parentheses, since AFAIK they're supposed to be a regexp-reserved character. If, however, I escape them with \( messages received which fall into this category don't hit the filter.

I know there's something fundamentally obvious that I'm overlooking here but I can't figure it out. Can anyone offer any assistance?

Regards,
Michael Hargadon
mhargadon@itdepartment.com

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
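The thread turns on two things: what the unescaped pattern "Security (528)" actually means as a regular expression, and what the relayed NT line looks like once the syslog prefix is stripped. The block below is an added example, not code from either poster or from syslog-ng; it uses Python's re module on a sample line constructed from the format quoted in the thread, shows why the unescaped pattern cannot match the literal "(528)", and parses the line into the fields (relay host, NT host, log name, event ID) a filter would normally key on. The field names and the parse_nt_event/classify helpers are this example's own inventions, not syslog-ng functions.

```python
import re

# Constructed sample in the relayed NT-event format quoted in the thread (one line).
SAMPLE = (
    'Jul 12 17:36:25 1.2.3.4 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) - '
    '"Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID: (0x0,0x34616CAB) '
    'Logon Type: 3 Logon Process: NtLmSsp Authentication Package: '
    'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SOMESTATION"'
)


def matches_unescaped(msg):
    # As a regex, "(528)" is a capturing group around "528", so this pattern
    # really asks for the text "Security 528" and never sees the parentheses.
    return re.search(r"Security (528)", msg) is not None


def matches_escaped(msg):
    # Escaping the parentheses makes them literal characters again.
    return re.search(r"Security \(528\)", msg) is not None


def literal_pattern(text):
    # re.escape() produces the escaped form automatically for any literal fragment,
    # which avoids hand-escaping every reserved character.
    return re.compile(re.escape(text))


# Hypothetical field layout for the relayed line:
#   <syslog stamp> <relay addr> <NT stamp>: <NT host>/<log> (<event id>) - "<text>"
NT_EVENT = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<relay>\S+) "
    r"(?P<nt_time>.+?): "
    r"(?P<host>[^/\s]+)/(?P<log>\w+) \((?P<event_id>\d+)\) - "
    r'"(?P<text>.*)"$'
)


def parse_nt_event(msg):
    """Return a dict of the named fields, or None if the line is not in this format."""
    m = NT_EVENT.match(msg)
    return m.groupdict() if m else None


def classify(msg, drop_ids=frozenset({"528"})):
    """Decide 'drop' or 'keep' from the parsed event ID rather than from a raw substring.

    Keying on the parsed ID avoids accidental matches on the free-text part of the
    message (which, as the sample shows, contains its own parenthesised values).
    """
    fields = parse_nt_event(msg)
    if fields is None:
        return "keep"  # unknown format: never silently discard
    return "drop" if fields["event_id"] in drop_ids else "keep"


if __name__ == "__main__":
    print("unescaped matches:", matches_unescaped(SAMPLE))  # False
    print("escaped matches:  ", matches_escaped(SAMPLE))    # True
    print("parsed:", parse_nt_event(SAMPLE))
    print("decision:", classify(SAMPLE))
```

Note that this only demonstrates the regex semantics; how a backslash inside a double-quoted syslog-ng config string reaches the regex engine is a separate question that the thread leaves open, so the escaped form should be checked against the syslog-ng version in use.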
participants (1)
-
Hamilton, Andrew Mr RAYTHEON 5 SIG CMD