Hey all!

Real quick...trying to filter OUT firewall hits that have say...169.254. Will this do the trick?

filter f_firewall { not program (firewall flags(ignore-case)); and not message("169\.254\.[0-9]+\.[0-9]+"); };

Thanks all.

James
filter f_firewall { not ( program("firewall" flags(ignore-case)) and message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE")); ) };

Thanks,

Frank E. Collette IV
Technical Services Systems Administrator II
Trustmark National Bank
Office: 601-208-7517 Fax: 601-208-6105
fcollette@trustmark.com

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi Frank,

Thanks for the quick response…my last little bit is, I was under the impression that the message() directive automatically assumed the value was already in the message only, and value() wasn’t required? Am I off on this?

Thanks again.

James
I believe it does, but I use it just in case :)

Thanks,
Frank
LoL…good call…thanks again :)

James
Hey again all.

So…I’m still having issues with this..not sure why. Here’s the raw log:

Nov 8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64

And from my syslog-ng.conf

filter f_firewall {
  not (
    program ("firewall" flags(ignore-case));
    and message("192\.168\.");
    and message("169\.254\.");
  )
};

log {
  source(s_local);
  filter(f_dumb);
  filter(f_firewall);
  destination(d_file);
  destination(other);
};

Any hints as to why these aren’t matching? Should I not be \ing the periods? Thanks all.

James
I'm not sure if semicolons are valid in filter rules, but technically valid or not, they shouldn't be there so try removing them. The filter should look like

filter f_firewall { not ( program ("firewall" flags(ignore-case)) and message("192\.168\.") and message("169\.254\.") ); };

Note though, that filter will only trigger if both 192.168. and 169.254. are in the same log entry. Unless that IP address you masked out with "x"s is 169.254 it won't trigger.
Ah...so I need or then yes?

filter f_firewall { not ( program ("firewall" flags(ignore-case)) and message("192\.168\.") or message("169\.254\.") ); };

How's that look?

James

P.S. And thank you :)
That might work, but the order of operations on boolean operations (and/or) is unclear. In situations like that it's always best to explicitly force the order yourself.

filter f_firewall { not ( program ("firewall" flags(ignore-case)) and ( message("192\.168\.") or message("169\.254\.") ) ); };
You are bitten by one nasty side effect of strings in the syslog-ng configuration file, when using regexps. (maybe we should introduce a Perl like syntax?)

So when using double quotes (as you do), the backslash is interpreted by the syslog-ng config lexer (as an escape character), and then the result is handed to the regexp engine.

This is different when you use apostrophes, in which case backslashes are not treated specially.

message('192\.168\.') is equivalent to message("192\\.168\\.")

Also, if you only want to match fixed strings and you don't care about regexps, you can also use:

message('192.168.' type(string) flags(substring))

which means that a substring matching is done but without treating it as a regexp, which is _much_ faster.

--
Bazsi
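As an added example (not code from the thread or from syslog-ng), the following Python models the two points raised in this thread: Bazsi's note that a double-quoted "\." loses its backslash before the regexp engine sees it, and Patrick's point that the and/or grouping in the filter must be made explicit. The lexer model in config_string() is an assumption based on Bazsi's description; the log lines other than James's are constructed.

```python
r"""Added example, not code from the thread or from syslog-ng.  config_string()
is an assumed model of the config lexer as Bazsi describes it: inside "..." a
backslash escapes the next character, inside '...' nothing is touched."""
import re

def config_string(literal):
    r"""Pattern the regexp engine receives for a literal written as '...' or
    "...".  Assumed: "192\.168\." -> 192.168.  and  "192\\.168\\." -> 192\.168\."""
    quote, body = literal[0], literal[1:-1]
    if quote == "'":
        return body
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])      # drop the backslash, keep the char
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)

def message_matches(pattern, msg, substring=False):
    """message(): regexp search by default; plain substring test when the
    filter uses type(string) flags(substring)."""
    return pattern in msg if substring else re.search(pattern, msg) is not None

def parse_syslog(line):
    """Split a BSD-style line like the one James posted into (program, message).
    Constructed for that format only, not a full RFC 3164 parser."""
    m = re.match(r"\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^:\s]+): (.*)$", line)
    return m.group(1), m.group(2)

def f_firewall(line, grouped=True, quote="'"):
    """True if the line passes the filter (is kept), False if it is dropped.
    grouped=True is Patrick's explicit form  not (P and (M192 or M169));
    grouped=False reads  not (P and M192 or M169)  with 'and' binding first."""
    prog, msg = parse_syslog(line)
    p = re.search("firewall", prog, re.IGNORECASE) is not None
    m192 = message_matches(config_string(quote + r"192\.168\." + quote), msg)
    m169 = message_matches(config_string(quote + r"169\.254\." + quote), msg)
    return not (p and (m192 or m169)) if grouped else not ((p and m192) or m169)

LOG_LINES = [
    # the line James posted (hosts masked as x.x.x.x in the thread)
    "Nov 8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64",
    # constructed: firewall hit involving a link-local address
    "Nov 8 11:14:02 x.x.x.x firewall: Deny udp 20 125 169.254.10.4 x.x.x.x 137 137",
    # constructed: firewall hit on a public address, should be kept
    "Nov 8 11:14:05 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 203.0.113.7 443 51000",
    # constructed: not a firewall line but mentions 169.254, should be kept
    "Nov 8 11:14:09 x.x.x.x dhclient: no lease, falling back to 169.254.3.3",
]

def kept_lines(grouped=True):
    """Apply the filter to the sample lines; compare grouped=True and False."""
    return [line for line in LOG_LINES if f_firewall(line, grouped)]

def escape_demo():
    """For each spelling of the 192.168. pattern, show what the regexp engine
    receives and whether it wrongly matches a decoy with no real dots."""
    decoy = "192x168x0x1"  # constructed decoy message
    out = {}
    for literal in (r'"192\.168\."', r"'192\.168\.'", r'"192\\.168\\."'):
        pat = config_string(literal)
        out[literal] = (pat, message_matches(pat, decoy))
    out["substring"] = ("192.168.", message_matches("192.168.", decoy, True))
    return out
```

Running kept_lines(False) drops the dhclient line because the ungrouped reading lets message("169\.254\.") override the program() test, which is the ambiguity Patrick's parentheses remove; escape_demo() shows the double-quoted pattern matching the dotless decoy.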
Thanks for the heads up and additional config information Bazsi...I really appreciate it.

James