Below are a couple of message samples: "Message: %PIX-51-100908: Teardown UDP connection 30292827 for THEFORCEVPN: 123.45.678.91/3130 to inside:987.65.4.3/53 duration.......etc.." "Message: %PIX-51-070605: Teardown UDP connection 26252423 for ISSTRONGVPN: 111.21.314.15/3130 to inside:987.65.4.4/53 <http://210.65.4.4/53>duration.......etc.." I am trying to match 987.65.4.3 or 987.65.4.3/53 and 987.65.4.4<http://210.65.4.4>. Here is my syntax: filter f_pix { match(PIX) and not match("987.65.4.3") and not match(" 987.65.4.4 <http://210.65.4.4>"); }; Any suggestions? Thank You for your assistance!

match() matches the message part only, which does not include the hostname part in the message header. If you actually copied a sample message it would be easier to help out, and you have a much better chance to receive messages on the syslog-ng mailing list. Lots of helpful folks there, I'm sometimes unable to respond for days. :)

-- Bazsi

...

Hello!

I am trying to filter an IP by using match in the syslog-ng.conf file. Below (in bold) is a portion of the thread that sort of describes my problem. However the IP address that I am attempting to match is not the sender.

It is actually located within the message.

I am using the following syntax:

filter f_pix { match(PIX) and not match("xxx\.xx\.x\.x"); };

Did not work. I've attempted many other variations and still no go.

again the address that I am attempting to match is not the sender. It is located within the message.