How to exclude such lines from logging?

IN=net0 OUT= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=xx TOS=0xxx PREC=0xxx TTL=xx ID=xxxx DF PROTO=xxx SPT=xxxx DPT=137 WINDOW=xxxxx RES=0xxx XXX URGP=X

--
Hi,

This filter might slow down logging of a large amount of logs (100k+ EPS), but works fine:

filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };

This example is from the default openSUSE syslog-ng configuration. You can check the whole file at https://build.opensuse.org/projects/home:czanik:syslog-ng-githead/packages/s...

Peter

Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik

From: A <dima@anche.no>
Sent: Sunday, December 28, 2025 07:05
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] iptables.log

> How to exclude such lines from logging?
>
> IN=net0 OUT= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=xx TOS=0xxx PREC=0xxx TTL=xx ID=xxxx DF PROTO=xxx SPT=xxxx DPT=137 WINDOW=xxxxx RES=0xxx XXX URGP=X
>
> --

Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
2025-12-28 07:11:35 (+0000), Peter Czanik (pczanik) wrote:
> Hi,
> This filter might slow down logging of a large amount of logs (100k+ EPS), but works fine:
>
> filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
> filter f_messages { not facility(news, mail) and not filter(f_iptables); };

Hi. Thanks for the reply. This will probably prevent logging iptables at all. I need to prevent logging numerous attempts to connect on some ports. In my example, port 137.

> This example is from the default openSUSE syslog-ng configuration. You can check the whole file at https://build.opensuse.org/projects/home:czanik:syslog-ng-githead/packages/s...

--
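A narrower version of the filter, dropping only the port 137 probes while keeping the rest of the iptables log, as an added example that is not from the thread or from the openSUSE default configuration. The source name src and the destination name d_iptables are assumed placeholders for whatever the existing configuration uses.

```conf
# Added example; not from the thread or from the openSUSE default config.
# Assumed names: "src" is the existing source that delivers kernel messages,
# "d_iptables" is the destination the iptables lines currently go to.

# Everything the kernel netfilter LOG target produces (same as the filter
# quoted above).
filter f_iptables {
    facility(kern) and message("IN=") and message("OUT=");
};

# Only the probes to the noisy port(s). message() matches a regular
# expression, so "DPT=137" on its own would also match DPT=1370; the
# "( |$)" after the port number keeps the match exact. Further ports can
# be added to an alternation, e.g. "DPT=(137|138)( |$)".
filter f_port_noise {
    message("DPT=137( |$)");
};

# iptables lines minus the noisy ones.
filter f_iptables_keep {
    filter(f_iptables) and not filter(f_port_noise);
};

log {
    source(src);
    filter(f_iptables_keep);
    destination(d_iptables);
};

# The general path still excludes all iptables lines, as in the openSUSE
# configuration, so they do not also land in /var/log/messages.
filter f_messages {
    not facility(news, mail) and not filter(f_iptables);
};
```

Check the file with `syslog-ng --syntax-only` before `syslog-ng-ctl reload`. Discarding the port 137 lines trades visibility for volume: if those probes are something you want to count or alert on, route f_port_noise to a separate, more aggressively rotated destination instead of dropping it.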
Hi,

You can find a working example at https://build.opensuse.org/projects/home:czanik:syslog-ng-githead/packages/s... Look for how f_iptables is defined and used. This is the default syslog-ng configuration from openSUSE.

Peter

Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik
Hi,

You can find a working example for this in the default openSUSE syslog-ng configuration. See: https://build.opensuse.org/projects/home:czanik:syslog-ng-githead/packages/s...

Peter

Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik
Oops, sorry for the flood of e-mails. I got an error message that my answer is a company policy violation, so I changed my response until there was no error message after hitting "send". Now I see that all my e-mails went out, contrary to the message I got...

Peter

Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik
participants (3)
- A
- D
- Peter Czanik (pczanik)