Can syslog-ng parse the message field for a partial match using the in-list function? For instance, I am querying DNS logs and want to filter out common domains (i.e. Microsoft.com, Redhat.com). In my list file I just have the domains, one per line, and in my config file I have the following: filter f_dns_noise_oklist { in-list("/etc/syslog-ng/lists.d/dns_noise.list", value("MESSAGE")); }; but it doesn't seem to be working.
I don't think in-list does partial matches now. But what you have there would try to look up the MESSAGE value in the noise.list file and not search DNS names in your $MESSAGE. To do the latter, I am afraid you'd have to combine the DNS names into a regexp and use match() or message() to search for matches.

-- Bazsi

On Wed, Apr 11, 2018 at 9:08 PM, Garbacik, Joe <Joseph.Garbacik@netapp.com> wrote:
> Can syslog-ng parse the message field for a partial match using the in-list function? For instance, I am querying DNS logs and want to filter out common domains (i.e. Microsoft.com, Redhat.com).
> In my list file I just have the domains, one per line, and in my config file I have the following: filter f_dns_noise_oklist { in-list("/etc/syslog-ng/lists.d/dns_noise.list", value("MESSAGE")); }; but it doesn't seem to be working.