[syslog-ng] filter(DEFAULT)
jon@dumbo.pobox.com
Wed, 13 Dec 2000 11:31:43 -0500

I think it might be a better idea to do it one of these ways:

for each match, increment a variable.
add a filter(DEFAULT=x) where that filter only matches if
the variable is set to that number (or possibly lower?).
this allows you to write a few filter statements and say "ok
this packet should be matched by rules #1,2,3 so, the number
of matches is 3. now I set filter(DEFAULT=3) to match any
other packets"
this gives you a bit more control over it in that you can
still have multiple matches, and DEFAULT will still log some things

or...

set the default filter to include a hostname and a variable
number like above. this way you can match against several
hosts and count the matches as described above. this allows
for a bit more flexibility than above. a missing hostname
could get interpreted as all hosts. this functionality
could also be built into the functions that receive the
packets and store the "matched x times" variable

On Wed, Dec 13, 2000 at 03:30:26PM +1000, Andrew Fort wrote:
| > So it will have the opposite effect of what I wanted then... anything
| > that matches host1 will set match=1 and DEFAULT won't match. Heh,
| > somehow I find it amusing that my logic was completely backwards. Or
| > maybe I'm up too late. :-)
|
| Correct :) Your rules have two filter statements, it's only the
|
| filter(host1);
|
| and not the filter(DEFAULT); which is causing any action.
|
| --
| afort